How to Get a List of Users with Password Never Expires

Native Auditing vs. Netwrix Auditor for Active Directory

Native Auditing
  1. Open the PowerShell ISE → Create a new script with the following code and run it, specifying the path for export:

    # Import the AD module to the session
    Import-Module ActiveDirectory

    # Search for users whose password never expires and export the report
    Get-ADUser -Filter * -Properties Name, PasswordNeverExpires |
        Where-Object { $_.PasswordNeverExpires -eq $true } |
        Select-Object DistinguishedName, Name, Enabled |
        Export-Csv C:\data\pw_never_expires.csv -NoTypeInformation

  2. Open the file produced by the script in MS Excel.

List of users with password never expires

Netwrix Auditor for Active Directory

  1. Run Netwrix Auditor → Navigate to “Reports” → Open “Active Directory” → Go to “Active Directory - State-in-Time” → Select “User Accounts – Passwords Never Expire” → Click “View”.
  2. To receive the report regularly by email, click the “Subscribe” button and choose the schedule you prefer.

User Accounts - Password Never Expire report from Netwrix Auditor: Path and Name

Do I need to run a PowerShell query each time to monitor users with the Password Never Expires attribute checked?

Using a password expiration policy is a best practice that makes it harder for attackers to crack user credentials. Most organizations enforce a password expiration period (for example, 90 days) on regular user accounts, but in some cases, administrators set passwords to never expire for select domain user accounts in Microsoft Windows Server 2016, 2012, 2008 and 2003. However, letting this practice spiral out of control can seriously jeopardize IT security. To keep tabs on accounts exempt from password expiration, many administrators turn to the trusty Active Directory module for Windows PowerShell, performing an AD query to list users with the Password Never Expires attribute set to “True.” But is running Windows PowerShell commands with the Get-ADUser cmdlet the most efficient way to do this? Isn’t it bothersome to do on a regular basis?
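When the PowerShell export is used for regular review, comparing the current export with the previous one reduces each review to the accounts that gained or lost the flag. The following is an added example, not code from the original page or from Netwrix; the function name `Compare-NeverExpireSnapshot`, the `example.com` accounts and the inline CSV rows are constructed for illustration.

```powershell
# Added example: diff two "password never expires" snapshots.
# Rows use the same columns as the CSV export in step 1:
# DistinguishedName, Name, Enabled.
# Caveat: rows are keyed by DistinguishedName, so an account that was
# moved or renamed between snapshots shows up as Removed plus Added.

function Compare-NeverExpireSnapshot {
    param(
        [object[]] $Baseline = @(),   # previous export
        [object[]] $Current  = @()    # latest export
    )
    # Index the baseline by DN (hashtable keys are case-insensitive)
    $known = @{}
    foreach ($row in $Baseline) { $known[$row.DistinguishedName] = $row }

    $seen = @{}
    foreach ($row in $Current) {
        $seen[$row.DistinguishedName] = $true
        if (-not $known.ContainsKey($row.DistinguishedName)) {
            # Flag was set since the last review
            $row | Select-Object @{ n = 'Change'; e = { 'Added' } }, Name, Enabled, DistinguishedName
        }
    }
    foreach ($row in $Baseline) {
        if (-not $seen.ContainsKey($row.DistinguishedName)) {
            # Flag was cleared, or the account was deleted or moved
            $row | Select-Object @{ n = 'Change'; e = { 'Removed' } }, Name, Enabled, DistinguishedName
        }
    }
}

# Constructed sample data standing in for last week's and today's CSV files
$baseline = @'
"DistinguishedName","Name","Enabled"
"CN=svc-backup,OU=Service Accounts,DC=example,DC=com","svc-backup","True"
"CN=Old Kiosk,OU=Kiosks,DC=example,DC=com","Old Kiosk","False"
'@ | ConvertFrom-Csv

$current = @'
"DistinguishedName","Name","Enabled"
"CN=svc-backup,OU=Service Accounts,DC=example,DC=com","svc-backup","True"
"CN=Jane Doe,OU=Staff,DC=example,DC=com","Jane Doe","True"
'@ | ConvertFrom-Csv

Compare-NeverExpireSnapshot -Baseline $baseline -Current $current |
    Sort-Object Change, Name | Format-Table -AutoSize
```

Against a live domain, pass `Import-Csv` of the previous export as `-Baseline` and the output of the `Get-ADUser` pipeline from step 1 (before `Export-Csv`) as `-Current`.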

Instead of using PowerShell to find users with the Password Never Expires setting, why don’t you try Netwrix Auditor for Active Directory? In a few clicks, you can quickly have a list of all Active Directory users who have the Password Never Expires flag set on their account right now, or had it set at any moment in the past. You can also have the report generated and emailed to you automatically, facilitating regular review. The solution can even alert you whenever an administrator changes an account’s settings to make the password never expire. As a result, you’ll get stronger security with far less effort.
