Finding Active Directory passwords set to never expire
Passwords set to never expire can be a security vulnerability for your network. Here is how to find Active Directory (AD) passwords set to never expire.
Some regulatory bodies require passwords to expire every 90 days, while others recommend setting passwords to never expire – as long as other protocols are in place. However, if you don’t have those in place, or if you didn’t intentionally set passwords to never expire, you may want to check your Active Directory for any instances of the setting.
Find AD passwords set to never expire with PowerShell
One way to do this is with PowerShell.
If you’re a PowerShell user and have the Active Directory PowerShell module installed, you can use the line below to find enabled users with the PasswordNeverExpires attribute set to true:
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } -Properties PasswordNeverExpires | Sort-Object Name | Format-Table Name, SamAccountName, Enabled, PasswordNeverExpires
This returns a table listing each matching user account.
Find AD passwords set to never expire without PowerShell
If you’re not a PowerShell user, or simply aren’t in the mood for it, you can also find which of your Active Directory users have passwords that are set to never expire with Specops Password Auditor, and export the results to CSV if desired.
Specops Password Auditor is a free read-only program that scans your Active Directory environment for password-related vulnerabilities. In addition to letting you know whose passwords are set to never expire, you can find out how many of your AD passwords are on a list of known breached passwords, how many are blank or identical, and more.
What to Do About Passwords That Never Expire
Once you’ve found out which Active Directory users have passwords set to never expire, the next action is to decide what to do with them. Decide whether you want passwords that never expire, or whether it would be better to enforce an expiration.
Have you set these intentionally? Great. Then your next step would be to ensure that these passwords are not passwords that are known to be breached. This is easy enough to do if you’ve run a scan with Password Auditor. If you’ve got known breached passwords active in your environment, you’ll want to look at blocking those – whether you go DIY or use Specops Password Policy, which can block over 4 billion known breached passwords. The Breached Password Protection database offers continuously updated protection that can run on a daily scheduled scan of your Active Directory.
Have you not set these intentionally? If that’s the case, you’ll want to update the password settings for these users.
How to turn off the “Password never expires” setting for an individual user
Navigate to the user in question within your Active Directory Users and Computers Snap-in.
Once you find the user, right-click and select Properties.
Uncheck the “Password never expires” box and click OK.
Or update it for that user using the following PowerShell command, replacing “user0001” with the username you want to change:
Set-ADUser -Identity user0001 -PasswordNeverExpires $false
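As an added example (not code from the original article), the following PowerShell script combines the search above with this remediation step: it lists enabled accounts with PasswordNeverExpires, flags those whose password is already older than the domain’s maximum password age, writes a CSV report, and only clears the flag when run with the assumed -Remediate switch (which honours -WhatIf). It assumes the ActiveDirectory module and rights to read, and for remediation write, the user objects; the report path and parameter names are assumptions.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ReportPath = ".\never-expire-report.csv",  # assumed output path
    [switch]$Remediate                                  # clear the flag; honours -WhatIf
)

Import-Module ActiveDirectory

# Domain default policy; a zero MaxPasswordAge means the policy itself never expires passwords.
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$now    = Get-Date

$users = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
            -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, AdminCount

$report = foreach ($u in $users) {
    $ageDays = if ($u.PasswordLastSet) { [int]($now - $u.PasswordLastSet).TotalDays } else { $null }
    # Would this password already have expired under the domain policy if the flag were not set?
    $overdue = ($maxAge.TotalDays -gt 0) -and ($null -ne $ageDays) -and ($ageDays -gt $maxAge.TotalDays)
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        Name              = $u.Name
        PasswordLastSet   = $u.PasswordLastSet
        PasswordAgeDays   = $ageDays
        OverdueByPolicy   = $overdue
        LastLogonDate     = $u.LastLogonDate
        Privileged        = ($u.AdminCount -eq 1)   # adminCount=1 marks protected admin accounts
        DistinguishedName = $u.DistinguishedName
    }
}

# Overdue and privileged accounts first, so they get reviewed first.
$report | Sort-Object OverdueByPolicy, Privileged -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Found $(@($report).Count) enabled accounts with PasswordNeverExpires; report written to $ReportPath"

if ($Remediate) {
    foreach ($r in $report) {
        # Run with -Remediate -WhatIf first to review which accounts would be changed.
        if ($PSCmdlet.ShouldProcess($r.SamAccountName, "Clear PasswordNeverExpires")) {
            Set-ADUser -Identity $r.SamAccountName -PasswordNeverExpires $false
        }
    }
}
```

Clearing the flag on a service account whose password is never rotated will cause that account’s password to expire under the domain policy, so review the Privileged and OverdueByPolicy columns before remediating.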
It is also possible to reset the clock on Active Directory password expiration.
Find more password vulnerabilities with Specops Password Auditor
Passwords set to never expire aren’t the only possible password vulnerability in your environment. With Specops Password Auditor, you can find stale admin accounts and breached passwords, compare your password policies against industry recommendations, and more.
Specops Password Auditor is a free read-only program. Download it here and find out what your vulnerabilities are today.
(Last updated on September 25, 2024)