
Get List of Users with Password Never Expires

Published By siddharth
Approved By Anuraag Singh
Published On October 1st, 2024
Category Active Directory

Don’t delay if you want to get a list of users with Password Never Expires in Active Directory. The longer you wait, the greater the risk of a security breach. Non-expiring user passwords are one of the top security weaknesses inside any AD, so they must be identified and rectified as soon as possible.

That is why we have put together quite a few strategies that can help you get the data quickly. If you are logged into an AD workstation, there are some built-in solutions right there that can help you, so let’s start from there.

Traditional Way to Get AD User Whose Password Never Expires

These are the built-in solutions admins use to perform a password change audit in Active Directory, so getting a list of users with non-expiring passwords is no big deal.

  • Open ADUC
  • Click on the Filter icon on the toolbar.
  • Toggle the custom filter radio button and click on Customize…
  • Inside the new window, change the tab to Advanced and paste the following LDAP filter:
  • (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
  • Press OK twice, once to close the Custom Filter window and then to close the Filter window.

Now you will see that every result that is not a user with a non-expiring password is hidden away.

This filter makes it easier for admins to locate the user objects when they scour through each and every OU.

Although ADUC has a built-in export option, admins may find it problematic to first scan every OU and then end up with multiple CSVs.

One positive outcome is that there won’t be any duplicate entries, as a user can only belong to a single OU at a time. However, this is of little help, as admins still have to spend a lot of time combining all the CSVs.

A similar method is available via ADAC, with one key advantage: you need not shuffle through the various containers to form a complete list. Here are the steps.

  • Launch the Administrative Center
  • Click on Global Search
  • Toggle the “Convert to LDAP” option
  • Paste “(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))”
  • Click on Apply
  • Select All results
  • Press Ctrl + C
  • Open Notepad (or other
  • Press Ctrl + V

Use ADAC to Get List of Users with Password Never Expires

Now you have a list of all those users whose passwords are never going to expire. The list is in plain text format; to change it into CSV, you need to do some manual editing.
Both GUI methods available inside AD itself have one problem or another that causes unnecessary delays. A faster way would be to deploy command-line alternatives, so let’s see how.

Query Methods to List Users in Active Directory Whose Password Never Expires

Net user command

  • Press Windows + R
  • Type cmd
  • Press Enter
  • Wait for the console to show up
  • Type cls to clear the screen
  • Enter
net user %username% /domain | findstr "Password expires"

You will find a few other attributes listed in the result. This is because findstr treats the space-separated search string "Password expires" as two separate search words (unless the /C: switch is used), so any line containing either word is shown. Nonetheless, the output is reduced to the most relevant attributes only.

The %username% variable is a placeholder and, if used in its current form, will show the details for the currently logged-in user. If you are unsure which users to check, first list all domain users with:

net user /domain

then substitute %username% with the user name you want to check.

This method takes away the one critical advantage command-line methods have over the regular GUI, i.e. speed, because the admin has to manually replace the name every time they want to run the query for a new user. If your AD has just a few users this is not a big issue. However, when there are hundreds or thousands of users, this method is not practical.

So instead, apply the dsquery alternative. You need not go anywhere else: in the same console, type cls and press Enter.

Then put in this query

dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=65536)" -attr name

We use such a numeric filter because there is no explicit “password never expires” attribute we can query directly.
The flag is stored as one bit (0x10000, i.e. 65536, the DONT_EXPIRE_PASSWORD flag) inside the userAccountControl attribute, and the 1.2.840.113556.1.4.803 matching rule performs a bitwise AND, so accounts with that bit set are matched regardless of which other bits are set.

Despite its complex appearance, it performs the task better by listing all matching accounts at once.
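To see exactly what the 65536 in the ADUC, ADAC and dsquery filters tests, here is an added PowerShell example (not part of the original post) that decodes the userAccountControl bit field locally. The flag values are the documented ADS_USER_FLAG constants; the three sample accounts are constructed, not real directory data, and the live query at the end is commented out because it needs the RSAT ActiveDirectory module and a domain.

```powershell
# Added example, not from the original post: decode the userAccountControl bit
# field so the meaning of 65536 in the LDAP filter becomes visible.
# Flag values are the documented ADS_USER_FLAG constants; sample data is constructed.
$UacFlags = [ordered]@{
    SCRIPT                 = 0x0001
    ACCOUNTDISABLE         = 0x0002
    LOCKOUT                = 0x0010
    PASSWD_NOTREQD         = 0x0020
    PASSWD_CANT_CHANGE     = 0x0040
    NORMAL_ACCOUNT         = 0x0200
    DONT_EXPIRE_PASSWORD   = 0x10000   # 65536, the value used in the filter
    SMARTCARD_REQUIRED     = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED          = 0x100000
    DONT_REQ_PREAUTH       = 0x400000
    PASSWORD_EXPIRED       = 0x800000
}

function ConvertFrom-UserAccountControl {
    # Return the name of every flag bit that is set in the integer value
    param([Parameter(Mandatory)][int]$Value)
    foreach ($flag in $UacFlags.GetEnumerator()) {
        if (($Value -band $flag.Value) -ne 0) { $flag.Key }
    }
}

function Test-PasswordNeverExpires {
    # The same bitwise AND that the 1.2.840.113556.1.4.803 matching rule applies on the DC
    param([Parameter(Mandatory)][int]$Value)
    return (($Value -band $UacFlags.DONT_EXPIRE_PASSWORD) -ne 0)
}

# Constructed sample accounts (not real directory data)
$samples = @(
    [pscustomobject]@{ SamAccountName = 'alice'; userAccountControl = 512   }   # NORMAL_ACCOUNT only
    [pscustomobject]@{ SamAccountName = 'svc01'; userAccountControl = 66048 }   # 512 + 65536
    [pscustomobject]@{ SamAccountName = 'old01'; userAccountControl = 66050 }   # 512 + 65536 + 2 (disabled)
)

$samples | Select-Object SamAccountName, userAccountControl,
    @{ Name = 'NeverExpires'; Expression = { Test-PasswordNeverExpires $_.userAccountControl } },
    @{ Name = 'Flags';        Expression = { (ConvertFrom-UserAccountControl $_.userAccountControl) -join ', ' } } |
    Format-Table -AutoSize

# Against a live domain (RSAT ActiveDirectory module) the DC performs the same test server-side:
# Get-ADUser -LDAPFilter '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))' -Properties userAccountControl |
#     Select-Object SamAccountName, @{ Name = 'Flags'; Expression = { (ConvertFrom-UserAccountControl $_.userAccountControl) -join ', ' } }
```

Note that old01 is matched by the filter even though the account is disabled: the bitwise AND only checks the 0x10000 bit, so a report based on this filter alone should also show the Enabled state before anyone acts on it.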

PowerShell Script to Get AD User Whose Password Never Expires

Open a PowerShell instance and put in this code:

# Ask the DC for the PasswordNeverExpires property explicitly instead of hard-coding 'True'
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires | Select-Object Name, @{Name='Password Never Expires';Expression={$_.PasswordNeverExpires}}

You can apply secondary modifications, including more attributes, like when the user first logged in, how often the user logs in, and what resources they used in the last login session.


Then export the results in CSV format. This report can act as an important deciding factor in whether there is a need to reset a user password in Active Directory or not.
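The following added example (it is not part of the original post or a SysTools script) shows the extended PowerShell report described above: the same PasswordNeverExpires filter, the extra attributes an admin needs to judge the account, and the CSV export. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the domain; the output path, the optional OU and the 365-day threshold are assumed defaults you can change.

```powershell
# Added example, not from the original post: one-shot CSV report of users whose
# password never expires, with the attributes needed to decide whether to reset.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-NeverExpiringPasswordReport {
    param(
        # Assumed output location; change to suit
        [string]$OutputPath = "$env:USERPROFILE\Desktop\PasswordNeverExpires.csv",
        # Optional OU to scope the search, e.g. 'OU=Service Accounts,DC=example,DC=com' (placeholder)
        [string]$SearchBase,
        # Passwords older than this many days are flagged for review
        [int]$MaxPasswordAgeDays = 365
    )

    $query = @{
        Filter     = 'PasswordNeverExpires -eq $true'
        Properties = 'PasswordNeverExpires', 'PasswordLastSet', 'LastLogonDate', 'Enabled', 'whenCreated'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    $now = Get-Date
    $report = Get-ADUser @query | Select-Object `
        SamAccountName, Name, DistinguishedName, Enabled, PasswordNeverExpires,
        PasswordLastSet, LastLogonDate, whenCreated,
        @{ Name = 'PasswordAgeDays'; Expression = {
            # PasswordLastSet is $null when the user must change the password at next logon
            if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null } } },
        @{ Name = 'NeedsReview'; Expression = {
            # Enabled accounts with an old (or never set) password are the ones worth acting on
            $_.Enabled -and (-not $_.PasswordLastSet -or ($now - $_.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays) } }

    $report | Sort-Object PasswordAgeDays -Descending |
        Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
    return $report
}

$results = Get-NeverExpiringPasswordReport
"{0} accounts found, {1} need review" -f @($results).Count, @($results | Where-Object NeedsReview).Count
```

Keeping the logic in one function with a few parameters is what stops the script from becoming the bloated, hard-to-maintain one the next paragraph warns about: the filter never changes, and only the threshold or the OU varies between runs.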

However, adding extra features makes the script bloated, and it may start delivering inconsistent results, so admins end up spending more time fixing the script than using it for its purpose.
Admins can bypass all these limitations by relying on a capable solution instead. You need not go anywhere else, as we have the right tool right here.

Best Way to Get Active Directory Users Whose Password Never Expires

SysTools Active Directory Reporting Tool has a built-in filter for this exact scenario. All admins have to do is set up the tool, and it will handle the rest.

The best part is that the tool can be used remotely from any workstation with a simple one-click admin validation. Not only that, this tool can also give you the AD computer account password expiration date.

The tool can be used in a few easy steps, as shown below.

  • Start by installing the tool, then wait for the default credentials to fill the screen and press the Login button.
  • Use the REGISTER DOMAIN CONTROLLER icon to add your AD.
  • Type a suitable friendly name for your domain followed by its respective IP address in the space.
  • Move on to the Domain Details section, where you perform the actual admin validation.
  • Once done, click on Reports to open the section.
  • You will find a filter with the name “password never expires” under the User workload. Click on it.
  • The Report Formation screen opens up.
  • Use the Date Picker if available, then click on the Preview button to generate a view-only list of AD users whose password never expires.
  • To get a CSV copy of the list, toggle the Download option and click CSV. Save the report on your workstation.

Conclusion

Now admins no longer have to struggle with how to get a list of users whose password never expires. Here we showed how to use PowerShell and other command-line methods to get the data. Moreover, the discussion also went over the default utilities available inside Active Directory itself. To top it all off, we gave instructions on how to use modern software for such reporting purposes and provided the reasons for using it over the rest of the methods.
