Hi,
In a domain controller environment we all have some password policies set. In some organizations user passwords expire after 60 days, in others after 90 or 180 days.
A user's password should expire within the defined period; changing passwords often is a good security policy.
But when we create a user account, sometimes we select “Password never expires” by mistake.
If “Password never expires” is checked, the user's password never expires, which is not good for the user's account security.
My task today is to find all users who have “Password never expires” checked. To achieve this we are going to use the “Active Directory” module and the “Get-ADUser” cmdlet with a filter.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Server localDC | select name
After the Get-ADUser cmdlet we use -Filter to return all accounts whose PasswordNeverExpires value equals $true, which means the option is enabled. In the -Server parameter I specify my domain controller, and we pipe the output to the Select-Object cmdlet to show only the Name property.
The output is below.
Now I can show that list to my manager so that we can fix them later.
Thanks for reading.
Thanks!
Aman Dhally
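An added example, not from the original post: the “Password never expires” checkbox is stored as the DONT_EXPIRE_PASSWORD bit (0x10000) of the userAccountControl attribute, so this function decodes that bit directly and adds account state and password age to help decide which accounts to fix first. The function name Get-NeverExpireReport and the sample accounts are constructed for illustration; the commented Get-ADUser call assumes the ActiveDirectory module and the post's server name.

```powershell
# Added example (not the author's code). Reports accounts whose
# userAccountControl has the DONT_EXPIRE_PASSWORD bit set.
$DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag: password never expires
$ACCOUNTDISABLE       = 0x0002    # userAccountControl flag: account disabled

function Get-NeverExpireReport {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        [datetime]$Now = (Get-Date)
    )
    process {
        $uac = [int]$User.userAccountControl
        if (-not ($uac -band $DONT_EXPIRE_PASSWORD)) { return }   # flag not set: skip

        # PasswordLastSet is empty when no password change has been recorded
        $age = if ($User.PasswordLastSet) {
            [int][math]::Floor(($Now - $User.PasswordLastSet).TotalDays)
        } else { $null }

        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            Enabled         = -not ($uac -band $ACCOUNTDISABLE)
            PasswordAgeDays = $age
        }
    }
}

# Constructed sample objects so the function can be tried without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; userAccountControl = 66048; PasswordLastSet = [datetime]'2019-03-01' }
    [pscustomobject]@{ SamAccountName = 'jdoe';       userAccountControl = 512;   PasswordLastSet = [datetime]'2024-01-10' }
    [pscustomobject]@{ SamAccountName = 'old-admin';  userAccountControl = 66050; PasswordLastSet = $null }
)
$sample | Get-NeverExpireReport -Now ([datetime]'2024-06-01') |
    Sort-Object PasswordAgeDays -Descending

# Against a domain, the LDAP bitwise-AND matching rule selects the same bit server-side:
# Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=65536)' `
#     -Properties userAccountControl, PasswordLastSet -Server localDC |
#     Get-NeverExpireReport
```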
This wasn't 100% accurate for our AD. A few users who had this box checked did not come up when I did the search and a few showed that didn't have it checked -- does anyone have another way to check this more accurately? I
FYI - If your PowerShell didn't recognize the "Get-AdUser" cmdlet, check out this page:
http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx
Simple Command:
Search-ADAccount -PasswordNeverExpires | FT Name,ObjectClass -A | Out-file C:\PassNerverexp.tx