How to Get a List of AD Users Whose Passwords Never Expire Using PowerShell

You might have created Active Directory user accounts for which the passwords never expire. For example, you would always set the Password Never Expire attribute for user accounts that are utilized as service accounts, but you need to make sure that unwanted user accounts do not have the Password Never Expire attribute set. This is because, per security standards, every user is required to change his/her password within a certain time frame. For most organizations, every user is required to change his/her password within 90 days. You can use the following PowerShell commands and script to get a list of Active Directory users whose passwords never expire:

Search-ADAccount -PasswordNeverExpires -UsersOnly -ResultPageSize 2000 -resultSetSize $null | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV “C:\Temp\PassNeverExpiresUsers.CSV” -NoTypeInformation

As you can see in the PowerShell command above, we use the PasswordNeverExpires switch that helps us query such users from Active Directory; the output is stored in the “C:\Temp\PassNeverExpiresUsers.CSV” file. If you wish to collect the same information from multiple Active Directory domains, you will use the PowerShell script that is describes later in this section. Please make sure to execute the script from a Windows Server 2012 or later operating system. The Active Directory forest name that is currently being used by the script is “Netwrix.Com.” You must change the Active Directory forest name in the $CurForestName variable before executing the script. Make sure to create a directory by naming it “C:\Temp” on the local computer. You must also utilize a user account that has permission to access all Active Directory domains. The only permission that you require is a user account with Read only permissions in the destination domain.

$DomList = "C:\Temp\DomList.TXT"
remove-item $DomList -ErrorAction SilentlyContinue
$GetForest=Get-ADForest $CurForestName
$Items = $R.Domains
ForEach ($Domains in $Items)
    Add-Content $DomList $Domain.Name
Write-Host "Starting Script..."
ForEach ($DomInFile in $DomList)
    $DisabledCompsCSV = "C:\Temp\DisabledAccounts_Computers_"+$DomInFile+".CSV"
    Remove-item $DisabledCompsCSV -ErrorAction SilentlyContinue
    $DisabledUsersCSV = "C:\Temp\DisabledAccounts_Users_"+$DomInFile+".CSV"
    Remove-item $DisabledUsersCSV -ErrorAction SilentlyContinue
    $InActiveUsersReport = "C:\Temp\InactiveUsers_"+$DomInFile+".CSV"
    Remove-item $InActiveUsersReport -ErrorAction SilentlyContinue

    Get-ADComputer -Server $DomInFile –Filter {(Enabled –eq $False)} –ResultPageSize 2000 –ResultSetSize $null -Properties Name, OperatingSystem | Export-CSV $DisabledCompsCSV -NoTypeInformation   
    Search-ADAccount -Server $DomInFile –AccountDisabled –UsersOnly –ResultPageSize 2000 –ResultSetSize $null | Select-Object SamAccountName, DistinguishedName | Export-CSV $DisabledUsersCSV –NoTypeInformation   
    Search-ADAccount -Server $DomInFile –AccountInActive –TimeSpan 90:00:00:00 –ResultPageSize 2000 –ResultSetSize $null | ?{$_.Enabled –eq $True} | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV $InActiveUsersReport –NoTypeInformation

Write-Host "Script Finished collecting required information. Please check report files under C:\Temp folder"

Need more PowerShell scripts for Active Directory? Find all the top wanted PowerShell commands for Active Directory in one blog post.


Nirmal is an MCSEx3, MCITP, and he was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in PowerShell Scripting, Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, and System Center products.