Finding Active Directory passwords set to never expire

Passwords set to never expire can be a security vulnerability for your network.

Some regulatory bodies require passwords to expire every 90 days, while others recommend setting passwords to never expire – as long as other protocols are in place. However, if you don’t have those in place or if you didn’t intentionally set passwords to never expire, you may want check your Active Directory for any instances of the setting.

Find AD passwords set to never expire with PowerShell

One way to do this is with PowerShell.

If you’re a PowerShell user and have the Active Directory PowerShell module installed, you can use the below line to find users with the PasswordNeverExpires attribute set to true:

get-aduser -filter { passwordNeverExpires -eq $true  -and enabled -eq $true } | sort | ft

Which will return a screen of results like this:

---

Find AD passwords set to never expire without PowerShell

If you’re not a PowerShell user, or simply aren’t in the mood for it, you can also find which of your Active Directory users have passwords that are set to never expire with Specops Password Auditor.

---

And export to CSV if desired.

Specops Password Auditor is a free read-only program that scans your Active Directory environment for password-related vulnerabilities. In addition to letting you know whose passwords are set to never expire, you can find out how many of your AD passwords are on a list of known breached passwords, how many are blank or identical, and more.

---

What to Do About Passwords That Never Expire

Once you’ve found out which Active Directory users have passwords set to never expire, the next action is to decide what to do with them.

Have you set these intentionally? Great. Then your next step would be to ensure that these passwords are not passwords that are known to be breached. Easy enough to do if you’ve run a scan with Password Auditor. If you’ve got known breached passwords active in your environment, you’ll want to look at blocking those – whether you go DIY or with Specops Password Policy which can block over 4 billion known breached passwords. The Breached Password Protection database offers continuously updated protection that can run on a daily scheduled scan of your Active Directory. 

Have you not set these intentionally? If that’s the case, you’ll want to update the password settings for these users.

How to update the password settings to never expire for an individual user

Navigate to the user in question within your Active Directory Users and Computers Snap-in.

Once you find the user, right click and select properties.

Uncheck the “Password never expires” box and click OK.

---

Or update it for that user using the following PowerShell command, substituting the username “user0001” for the username you want to change:

set-aduser user0001 -PasswordNeverExpires $false

Find more password vulnerabilities with Specops Password Auditor

Passwords set to never expire aren’t the only possible password vulnerability in your environment. With Specops Password Auditor, you can find stale admin accounts, comparisons of your password policies against industry recommendations, breached passwords, and more.

Specops Password Auditor is a free read-only program. Download it here and find out what your vulnerabilities are today.