
How To Get All Users with Password Never Expires in Active Directory

Password-based attacks are still a favourite method for attackers, making the management of non-expiring credentials more important than ever. Although enabling “Password Never Expires” may seem convenient for some users, it can also make those accounts easier targets for brute-force and credential-stuffing attacks. Therefore, this guide explains how to identify all Active Directory users with passwords set to never expire, enabling you to strengthen account security.

Track Users with Password Never Expires Using ADUC

Active Directory Permission Required
  • Account Operators (Least Privilege)
  • Administrators (Most Privilege)
  • Open the Active Directory Users and Computers console, then right-click Saved Queries in the left pane and select New » Query.
  • Enter the name and an optional description. Ensure the Include subcontainers checkbox is selected to include all users under subcontainers, then click Define Query.
  • In the Find dropdown, choose Custom Search, select the Advanced tab, and enter the following LDAP query.
    (userAccountControl:1.2.840.113556.1.4.803:=65536)
  • Click OK to save the query, then click OK again to close the configuration window.
Track Users with Password Never Expires Using ADUC
  • Note: You can also view users with passwords set to never expire by running the same LDAP query in Active Directory Administrative Center (ADAC) » Global Search » Convert to LDAP. However, ADAC does not provide options to add custom columns or export the results, whereas ADUC allows both.

List Users With Password Never Expires in AD Using PowerShell

Active Directory Permission Required
  • Account Operators (Least Privilege)
  • Administrators (Most Privilege)
  • Import the Active Directory module using the cmdlet below.
     Import-Module ActiveDirectory
  • Then, execute the following cmdlet to list all users with the password never expire setting enabled in your Active Directory.
     Get-ADUser -Filter * -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate |
         Where-Object { $_.PasswordNeverExpires -eq $true } |
         Select-Object Name, SamAccountName, UserPrincipalName, Enabled, PasswordNeverExpires, PasswordLastSet, LastLogonDate |
         Format-Table -AutoSize
  • This cmdlet fetches all users with passwords set to never expire, along with their name, SAM account name, UPN, account status, password last set, and last logon date & time.
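As an added example that is not part of the original page, the script below combines the LDAP filter from the ADUC saved query with server-side filtering in PowerShell and flags which never-expiring accounts to review first; the 180-day threshold and the report path are illustrative assumptions.

```powershell
# Added example (not from the original page): audit never-expiring passwords with
# server-side filtering and a password-age flag. The 180-day threshold and the
# report path are illustrative assumptions.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 180
$ReportPath = "C:\Reports\PasswordNeverExpires.csv"   # assumed output location

# Same userAccountControl bit as the ADUC saved query (65536 = DONT_EXPIRE_PASSWD),
# evaluated on the domain controller instead of pulling every user to the client.
$Params = @{
    LDAPFilter = "(userAccountControl:1.2.840.113556.1.4.803:=65536)"
    Properties = 'PasswordLastSet', 'LastLogonDate', 'adminCount'
}
$Users = Get-ADUser @Params

$Report = foreach ($User in $Users) {
    # PasswordLastSet is $null when the password was never set or must change at next logon
    $PasswordAgeDays = if ($User.PasswordLastSet) {
        [int]((Get-Date) - $User.PasswordLastSet).TotalDays
    } else { $null }

    [PSCustomObject]@{
        SamAccountName    = $User.SamAccountName
        UserPrincipalName = $User.UserPrincipalName
        Enabled           = $User.Enabled
        PasswordLastSet   = $User.PasswordLastSet
        PasswordAgeDays   = $PasswordAgeDays
        LastLogonDate     = $User.LastLogonDate
        # adminCount = 1 marks objects protected by AdminSDHolder (current or former privileged accounts)
        Privileged        = ($User.adminCount -eq 1)
        # Enabled, never-expiring and stale (or never set) is the combination to review first
        NeedsReview       = $User.Enabled -and ($null -eq $PasswordAgeDays -or $PasswordAgeDays -gt $MaxPasswordAgeDays)
    }
}

$Report | Sort-Object Privileged, PasswordAgeDays -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
```

Privileged accounts with a stale never-expiring password sort to the top of the table, which is where remediation effort pays off most.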

Improve Active Directory Password Hygiene with Complete Visibility

AdminDroid’s Active Directory reporting tool gives admins detailed insights into users with password expiry, accounts with password not required, expired passwords, and more. These insights help admins monitor password-related risks and prevent account compromise.

Spot Users Blocked from Changing Passwords to Reduce Access Interruptions

Locate users who cannot change their passwords and ensure their passwords are updated before the expiry date to prevent account lockouts.

Find Users with Old Passwords to Mitigate the Risk of Password Theft

Locate users with old passwords, which increase the risk of account compromise because such credentials are more likely to be exposed, reused, or guessed.

Notify Users to Renew Their Never-Expiring Passwords

Use the never-expiring password change reminder agent to remind users to rotate their credentials on schedule and reduce stale-password risks.

Get a Complete Overview of Active Directory Passwords in a Single Dashboard

Explore the Active Directory password dashboard for a comprehensive view of password-related details, including expiry status, current password state and more.

Track Password Policy Changes to Avoid Password Renewal Challenges

Review password policy changes in Active Directory to identify misconfiguration or conflicts that could disrupt password resets or scheduled rotations.

Monitor Accounts with No Password Required to Prevent Unauthorized Access

Inspect accounts with no password required and enforce password creation to prevent any unauthenticated access to the domain.

Overall, the AdminDroid Active Directory management tool provides complete control over user account options in Active Directory. It also equips you with management actions such as resetting passwords, configuring logon hours, assigning group managers, and more to streamline administration and reduce operational overhead.

Explore a full range of reporting options

Important tips

Use smart card or certificate based authentication instead of relying solely on passwords to protect high-privileged admin accounts.

Restrict the 'Password Never Expires' setting to essential service or application accounts only, and keep a controlled allow-list of those accounts to prevent misuse of the setting.

Utilize Managed Service Accounts (MSA) instead of user accounts for automation and scheduled tasks to enforce automatic rotation of strong 240-byte passwords every 30 days.
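The allow-list tip above can be turned into a recurring check. The script below is an added example, not part of the original page; it assumes the allow-list is a CSV file with a SamAccountName column at an illustrative path, and it reports drift in both directions without changing any account.

```powershell
# Added example (not from the original page): reconcile accounts that carry
# "Password never expires" against an approved allow-list.
# Assumption: the allow-list is a CSV with a SamAccountName column; the path is illustrative.
Import-Module ActiveDirectory

$AllowListPath = "C:\Admin\pne-allowlist.csv"   # assumed location of the approved list
$Approved = @((Import-Csv -Path $AllowListPath).SamAccountName)

# Every account, enabled or disabled, that currently has the DONT_EXPIRE_PASSWD bit (65536) set,
# filtered on the domain controller side.
$Flagged = @(Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=65536)")

# Drift in both directions:
#  - accounts with the flag that nobody approved (candidates for remediation)
#  - approved entries that no longer carry the flag (stale list entries or reverted settings)
$Unapproved  = $Flagged  | Where-Object { $_.SamAccountName -notin $Approved }
$MissingFlag = $Approved | Where-Object { $_ -notin $Flagged.SamAccountName }

Write-Host "Never-expiring passwords NOT on the allow-list: $($Unapproved.Count)"
$Unapproved | Select-Object SamAccountName, Enabled, DistinguishedName | Format-Table -AutoSize

Write-Host "Allow-listed accounts that no longer carry the flag: $($MissingFlag.Count)"
$MissingFlag | ForEach-Object { Write-Host "  $_" }
```

Running this on a schedule and alerting when the first count is non-zero keeps the allow-list authoritative rather than aspirational.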

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints when retrieving users whose passwords never expire in Active Directory.

Error: You have selected ‘Password never expires’. The user will not be required to change the password at next logon.

This message appears when the User must change password at next logon option is selected while the Password never expires option is already set; the two options cannot be combined.

Fix: Select only one of the two options, either User must change password at next logon or Password never expires, when changing the user account settings.

Error: Set-ADDefaultDomainPasswordPolicy : A parameter is incorrect.

This error occurs when the password history count is set outside its allowed range while configuring the default domain password policy using PowerShell.

Fix: Use a value between 1 and 24 for the -PasswordHistoryCount parameter when configuring the default domain password policy with the cmdlet below.
Set-ADDefaultDomainPasswordPolicy -Identity "<DomainName>" -PasswordHistoryCount "<PasswordReuseCount>"

Error: Set-ADUser : Cannot find an object with identity: '<Identity>' under: '<DomainName>'.

This error appears when the -Identity value does not match any existing user in Active Directory.

Fix: Replace <Identity> with one of the user’s unique identifiers (distinguished name, object GUID, object SID, or SAM account name) and run the cmdlet below.
Set-ADUser -Identity "<Identity>" -PasswordNeverExpires $False

Error: Set-ADDefaultDomainPasswordPolicy : Insufficient access rights to perform the operation.

This error appears when your account lacks the permissions needed to configure the default domain password policy in Active Directory.

Fix: Ensure your account holds the appropriate rights, such as membership in Domain Admins or Enterprise Admins.

1. How to set passwords to never expire for users in Active Directory?

While Active Directory allows passwords to be set to never expire, this configuration should be avoided for standard user accounts due to the security risks it introduces. It is intended primarily for service accounts and select system-level accounts to support essential operations.

When this setting is legitimately required, you can follow the steps below to enable password never expires for a user.

Set password never expire for AD users using ADUC

  • Open Server Manager and click Tools » Active Directory Users and Computers.
  • Navigate to the relevant OU or container.
  • Double-click the target user account and go to the Account tab.
  • Select the Password never expires checkbox, then click Apply and OK to save the changes.

Enable password never expire for users using PowerShell

To configure a user account with a non-expiring password, use the cmdlet below, substituting <Identity> with any of these attributes: Distinguished Name, Object GUID, Security Identifier (SID), or SAM account name.

Set-ADUser -Identity "<Identity>" -PasswordNeverExpires $true

Easily set the password never expires option for users in just a few clicks!

  • With AdminDroid, you can directly enable “Password Never Expires” for a user using the Update User Properties management action.
  • In the Update User Properties fly-out pane, select the desired user. Then, choose Password Never Expires from the Select Property drop-down and set it to Yes.
  • Then, click Execute to apply the changes.

2. How to prevent password reuse in Active Directory?

Users often reuse their previous passwords when updating their credentials in Active Directory. This weakens security and increases the risk of compromise.

To prevent this, admins can enforce password history policies that remember a specified number of previous passwords and block their reuse. This ensures that users create a unique password whenever they change it.

Configure enforce password history policy in Active Directory

  • In the Group Policy Management Console (GPMC), expand the domain, right-click on Default Domain Policy and select Edit.
  • Navigate to Computer Configuration » Policies » Windows Settings » Security Settings » Account Policies » Password Policy.
  • Double-click Enforce password history, and in the Security Policy Setting tab, select the Define this policy setting checkbox.
  • Set a value between 1 and 24 to specify how many past passwords users are not allowed to reuse.

Set password history policy in Active Directory Using PowerShell

Rather than navigating through GPMC, you can simply run the cmdlet below to change the default domain policy and specify how many previous passwords the domain should remember.

Set-ADDefaultDomainPasswordPolicy -Identity "<DomainName>" -PasswordHistoryCount "<PasswordReuseCount>"

Note: Replace <DomainName> with the name of your domain and <PasswordReuseCount> with the number of previous passwords to be remembered.

3. How to disable never expire password for users in Active Directory?

For user accounts, a never-expiring password creates a lasting weakness: once such an account is compromised, the credential stays valid indefinitely, making it a valuable foothold for lateral movement. While this setting is essential for some service accounts to perform necessary operations, it must be disabled for all user accounts to avoid persistent access by an attacker. Disabling the "password never expires" option for users therefore improves their overall account protection.

Disable password never expire for a user in Active Directory

  • In the ADUC console, browse through the relevant containers or OUs to locate the desired user account.
  • Right-click the user account and select Properties.
  • Navigate to the Account tab and locate the Password never expires option under Account options.
  • If the option is enabled, clear the Password never expires checkbox, then click Apply and OK.

Bulk remove password never expire for users using PowerShell

Manually going through each user account to disable the “password never expires” option is tedious and time-consuming. PowerShell lets you disable the setting for multiple users at once.

  • To proceed, prepare a CSV or TXT file containing one unique identifier (distinguished name, object GUID, object SID, or SAM account name) for each target user.
  • Then, replace <FilePath> in the script below and execute it to disable the never-expiring password for the listed users.
Import-Csv "<FilePath>" -Header 'Identity' | ForEach-Object {
    $Identity = $_.Identity
    try {
        # -ErrorAction Stop makes a "Cannot find an object with identity" error catchable
        $User = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires, Enabled -ErrorAction Stop
    }
    catch {
        Write-Warning "Skipping '$Identity': $($_.Exception.Message)"
        return   # move on to the next identity in the list
    }
    if ($User.PasswordNeverExpires -and $User.Enabled) {
        Set-ADUser -Identity $Identity -PasswordNeverExpires $false
        Write-Host "Password never expires has been removed for $Identity"
    }
    elseif (-not $User.Enabled) {
        # Disabled accounts are left untouched, as in the original check
        Write-Host "Skipped disabled account $Identity (setting left unchanged)"
    }
    else {
        Write-Host "Password never expires is already disabled for $Identity"
    }
}