A standard check you should do when trying to improve the security posture of your Active Directory environment is to ensure that you have valid reasoning for any accounts which have passwords set not to expire. You should also ensure that any day-to-day accounts being used by users conform to your password policy and are not set to never expire.
In this tutorial I will show you how to use PowerShell to find all accounts which are set to not expire in Active Directory.
Find all users with passwords set never to expire
If you want to find a list of all user accounts whose password is set to never expire, you can run the following script in PowerShell.
Start by opening PowerShell on a domain controller; this ensures the necessary administration tools (the ActiveDirectory module) are already installed to run these commands.
Run the following command to view a list of all Active Directory users with the password set to never expire. The result shows each user's name as well as whether the account is enabled or not, which is useful to know.
# Get-ADUser requires -Filter (or -Identity); '*' returns every user object
Get-ADUser -Filter * -Properties PasswordNeverExpires |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object Name, Enabled
Once you have this information, you should inform the user of your intentions before editing the properties on their account object and unchecking the box to allow their password to expire.
Find all admin users with passwords set never to expire
In larger environments, it can often be difficult to differentiate between regular user accounts and admin accounts. Common Active Directory scanning tools like PingCastle will also report on admin accounts that have their passwords set to not expire.
To find this information in PowerShell, we are going to include two filter clauses in our command when searching for our accounts:
- (AdminCount -eq 1) – This indicates the account is a privileged account.
- (AccountNotDelegated -eq $false) – This indicates that the account is not used for a service.
Run the command below to create a list of admin user accounts with passwords set to never expire.
# Server-side filter for protected (AdminCount = 1) accounts, then client-side check of the flag
Get-ADUser -Filter { (AdminCount -eq 1) -and (AccountNotDelegated -eq $false) } `
    -Properties PasswordNeverExpires |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object Name, Enabled
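As an added example that is not part of the original post, the following script combines the two checks above into one audit report: every account whose password never expires, flagged by enabled state, AdminCount, and password age, so the review and justification step can start with the riskiest accounts. It assumes the ActiveDirectory module is available and read access to the domain; the 365-day threshold and the CSV path are assumptions.

```powershell
# Added audit example (not from the original post). Assumes the ActiveDirectory
# module (RSAT or a domain controller) and read access to the domain.
Import-Module ActiveDirectory

function Get-NeverExpiringPasswordReport {
    [CmdletBinding()]
    param(
        # Passwords older than this many days are flagged as overdue for rotation (assumed threshold)
        [int]$MaxPasswordAgeDays = 365
    )

    # One server-side query for every account whose password never expires;
    # filtering on the DC avoids pulling the whole directory into memory.
    $users = Get-ADUser -Filter { PasswordNeverExpires -eq $true } `
        -Properties PasswordNeverExpires, PasswordLastSet, AdminCount, LastLogonDate, Description

    foreach ($u in $users) {
        $ageDays = if ($u.PasswordLastSet) {
            [int]((Get-Date) - $u.PasswordLastSet).TotalDays
        } else { $null }   # never set / unknown

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Name            = $u.Name
            Enabled         = $u.Enabled
            Privileged      = ($u.AdminCount -eq 1)   # protected by AdminSDHolder
            PasswordLastSet = $u.PasswordLastSet
            PasswordAgeDays = $ageDays
            # Enabled + privileged + stale (or unknown) password age is the worst case
            RiskRank        = [int]$u.Enabled + [int]($u.AdminCount -eq 1) +
                              [int]($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays)
            LastLogonDate   = $u.LastLogonDate
            Description     = $u.Description   # where a justification is usually recorded
        }
    }
}

# Highest-risk first; keep the full objects for export and show a summary on screen.
Get-NeverExpiringPasswordReport -MaxPasswordAgeDays 365 |
    Sort-Object RiskRank, PasswordAgeDays -Descending |
    Tee-Object -Variable report |
    Format-Table SamAccountName, Enabled, Privileged, PasswordAgeDays, RiskRank -AutoSize

# Assumed output path; hand the CSV to account owners for the justification review
$report | Export-Csv -Path .\NeverExpiringPasswords.csv -NoTypeInformation
```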
There are many different security groups whose membership causes the AdminCount attribute of a user account to be set to 1. These include:
- Account Operators
- Administrators
- Backup Operators
- Domain Admins
- Domain Controllers
- Enterprise Admins
- Enterprise Key Admins
- Key Admins
- Krbtgt
- Print Operators
- Read-Only Domain Controllers
- Replicator
- Schema Admins
- Server Operators