How to Track Active Directory Users with Passwords Set to Never Expire

Download Lepide Password Expiration Reminder

Have you ever wished there was an easier way to track Active Directory user accounts whose passwords are set to never expire? These accounts create a potential security risk, because passwords should be changed regularly to prevent accounts from being hacked or passwords being stolen. We recommend that no user account, except the default Administrator account, have its password set to “never expire”. In this article, we’ll discuss two ways to track accounts with passwords set to never expire: Windows PowerShell and LepideAuditor, an award-winning auditing and monitoring solution.

Native Method through PowerShell

Start Windows PowerShell with administrative privileges. Run the following Windows PowerShell cmdlet to search for Active Directory accounts that have passwords set to “never expire”.

Search-ADAccount -PasswordNeverExpires

The following screenshot shows the result of the command.

Figure 1: Password never expires result

The result set above may include some disabled user accounts. To list only the active user accounts whose passwords never expire, run the following command.

Search-ADAccount -PasswordNeverExpires | Where-Object { $_.Enabled }

The following screenshot shows such a report.

Figure 2: Active user accounts whose password never expires

With these simple steps, you can search for accounts that have passwords set to “never expire”.
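The following is an added example, not part of the original article: it goes beyond the two commands above by running the same search in every domain of the forest and writing a CSV with the attributes needed to triage each account. It assumes the ActiveDirectory module (RSAT) is installed and that the running account can read every domain; the output path is a hypothetical placeholder.

```powershell
# Added example (not from the original article).
# Assumptions: ActiveDirectory module available, read access to each domain.
Import-Module ActiveDirectory

$reportPath = '.\PasswordNeverExpires.csv'   # hypothetical output file

# Enumerate every domain in the current forest.
$domains = (Get-ADForest).Domains

$report = foreach ($domain in $domains) {
    # Same search as above, limited to user objects, run against one domain.
    Search-ADAccount -PasswordNeverExpires -UsersOnly -Server $domain |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            # Fetch the attributes a reviewer needs to prioritise the account.
            $user = Get-ADUser -Identity $_.DistinguishedName -Server $domain `
                -Properties PasswordLastSet, LastLogonDate, AdminCount, ServicePrincipalName

            [pscustomobject]@{
                Domain            = $domain
                SamAccountName    = $user.SamAccountName
                PasswordLastSet   = $user.PasswordLastSet
                # PasswordLastSet is empty when the password has never been set.
                PasswordAgeDays   = if ($user.PasswordLastSet) {
                                        [int]((Get-Date) - $user.PasswordLastSet).TotalDays
                                    } else { $null }
                LastLogonDate     = $user.LastLogonDate
                # adminCount = 1 marks accounts that are, or were, in protected groups.
                Privileged        = ($user.AdminCount -eq 1)
                # A registered SPN usually indicates a service account.
                HasSPN            = ($user.ServicePrincipalName.Count -gt 0)
                DistinguishedName = $user.DistinguishedName
            }
        }
}

# Privileged accounts with the oldest passwords come first in the CSV.
$report |
    Sort-Object @{ Expression = 'Privileged'; Descending = $true },
                @{ Expression = 'PasswordAgeDays'; Descending = $true } |
    Export-Csv -Path $reportPath -NoTypeInformation -Encoding UTF8

# Per-domain count of enabled users whose passwords never expire.
$report | Group-Object Domain | Select-Object Name, Count
```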

Issues with the Native Method

Native auditing methods have numerous drawbacks. Getting reports from multiple domains using PowerShell can be both complex and time-consuming. It is also very difficult to read these reports and process the data into something meaningful that you can use for compliance purposes. Using Event Viewer to see the changes made in the Active Directory configuration can be very noisy, as multiple events are generated for a single change.

Using LepideAuditor to Track Users with “Password Never Expires”

Lepide User Password Expiration Reminder has multiple predefined reports related to user accounts and their passwords. It simplifies the process of locating users whose passwords never expire, users whose passwords will expire soon, users who have to change their password at next logon and more. You can filter, search and sort the records displayed in these reports. The following is a screenshot of the “Users whose password never expires” report.

Figure 3: “Users whose password never expires” report

Lepide User Password Expiration Reminder is available as a component of LepideAuditor for Active Directory. It sends automated password expiry reminders to users whose passwords are about to expire. These notifications are sent through email at your selected intervals.
