Active Directory Friday: Find users with password never expires

Having a password set to never expire might be something that is not allowed by your IT policy, or perhaps you would like to get some insight into how widespread this setting is in your domain. The Search-ADAccount cmdlet can be used to find such accounts. To find all user accounts that have the password never expires option enabled, the following code can be used:

Search-ADAccount -UsersOnly -PasswordNeverExpires

Alternatively, the Get-ADObject cmdlet can be used in combination with an LDAP filter that selects user accounts with the password never expires option. To select user accounts we filter on '(objectCategory=person)(objectClass=user)'. To find password never expires the following filter is used: '(userAccountControl:1.2.840.113556.1.4.803:=65536)'. Here 1.2.840.113556.1.4.803 is the LDAP bitwise AND matching rule and 65536 is the DONT_EXPIRE_PASSWORD bit of the userAccountControl attribute. Combined, that gives us the following code:

Get-ADObject -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

It is of course also possible to do this using the DirectoryServices.DirectorySearcher .NET class. This time we use a slightly different LDAP filter: instead of filtering on '(objectCategory=person)(objectClass=user)' we filter on '(sAMAccountType=805306368)' (SAM_NORMAL_USER_ACCOUNT), which gives the same output but is a more efficient query. We also set PageSize to 100 so that the search uses paged results; without paging, the domain controller returns at most its MaxPageSize limit (1000 entries by default) and the rest of the matches are silently dropped:

$ADSearcher = New-Object DirectoryServices.DirectorySearcher -Property @{
  # normal user accounts with the DONT_EXPIRE_PASSWORD (65536) bit set
  Filter = '(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
  # enable paged results so more than MaxPageSize entries are returned
  PageSize = 100
}
$ADSearcher.FindAll()
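As an added example (not code from the original post), the same DirectorySearcher query extended for review work: it also excludes disabled accounts by testing the ACCOUNTDISABLE bit (2), loads only the attributes it needs, and converts pwdLastSet to a date so you can see how old these non-expiring passwords are. It assumes a domain-joined host using the default domain context.

```powershell
# Added example: enabled user accounts whose password never expires,
# with password age, without the ActiveDirectory module.
$DontExpirePassword = 65536                 # UF_DONT_EXPIRE_PASSWD
$AccountDisable     = 2                     # UF_ACCOUNTDISABLE
$BitAnd             = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND

$ADSearcher = New-Object DirectoryServices.DirectorySearcher -Property @{
  # normal users, DONT_EXPIRE_PASSWORD set, ACCOUNTDISABLE not set
  Filter   = "(&(sAMAccountType=805306368)(userAccountControl:${BitAnd}:=$DontExpirePassword)(!(userAccountControl:${BitAnd}:=$AccountDisable)))"
  PageSize = 100
}
# Only fetch the attributes we report on; keeps the query cheap on large domains
$ADSearcher.PropertiesToLoad.AddRange(@('samaccountname', 'pwdlastset', 'useraccountcontrol', 'distinguishedname'))

$Report = foreach ($Result in $ADSearcher.FindAll()) {
  # pwdLastSet is a Windows FILETIME; 0 means "user must change password at next logon"
  $FileTime = [int64]$Result.Properties['pwdlastset'][0]
  $LastSet  = if ($FileTime -gt 0) { [DateTime]::FromFileTime($FileTime) } else { $null }
  $AgeDays  = if ($LastSet) { [int]((Get-Date) - $LastSet).TotalDays } else { $null }

  [PSCustomObject]@{
    SamAccountName     = [string]$Result.Properties['samaccountname'][0]
    PasswordLastSet    = $LastSet
    PasswordAgeDays    = $AgeDays
    UserAccountControl = [int]$Result.Properties['useraccountcontrol'][0]
    DistinguishedName  = [string]$Result.Properties['distinguishedname'][0]
  }
}

# Oldest non-expiring passwords first; these are the ones to review with their owners
$Report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# Optional: hand the list to whoever tracks policy exceptions
# $Report | Export-Csv -Path .\PasswordNeverExpires.csv -NoTypeInformation
```

Service accounts are a common legitimate reason for this flag, so compare the list against your documented exceptions before opening tickets.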

And that is all that is required in order to find AD users with the password never expires option set, with or without the ActiveDirectory module.
