How to set an AD password to never expire using PowerShell
How to enable password never expires in PowerShell
The PasswordNeverExpires attribute in Active Directory (AD) is a boolean setting that prevents a user’s password from expiring, even when domain password age policies are configured. When set to $true in PowerShell, the account is excluded from standard password expiration rules.
This setting is commonly used for service accounts, kiosk systems, and legacy applications that require uninterrupted access. However, enabling PasswordNeverExpires through PowerShell increases security risk because the password is never rotated and remains unchanged indefinitely. Organizations should weigh the convenience against security best practices: compared with password expiration notification systems or managed service accounts, the PasswordNeverExpires attribute trades security for operational simplicity.
Administrators typically set AD passwords to never expire using PowerShell cmdlets such as Get-ADUser (to query the PasswordNeverExpires attribute) and Set-ADUser (to configure it). In Microsoft Entra ID, the equivalent setting is DisablePasswordExpiration, which must be applied per user via Set-AzureADUser.
Prerequisite: Import the Active Directory PowerShell module
1. Install the Active Directory PowerShell module
To set an AD password to never expire, ensure that the Active Directory PowerShell module is installed. Installation steps vary by operating system and version.
For Windows 11 and Windows 10 (version 1809 and later), use the following PowerShell script:
After installation, enable the Active Directory Domain Services and Lightweight Directory Services Tools feature via: Control Panel > Programs > Turn Windows features on or off > Remote Server Administration Tools. This manually activates the AD module through Windows optional features since the cmdlet-based installation is not available on these versions.
For Windows Server 2012 R2 and later (including 2016, 2019, 2022, 2025), use the following PowerShell script:
Install-WindowsFeature RSAT-AD-PowerShell
Install-WindowsFeature: Installs one or more Windows Server roles, role services, or features on a local or remote server.
RSAT-AD-PowerShell: Specifies the feature name for the Remote Server Administration Tools Active Directory PowerShell module.
For Windows Server 2008 R2, enter the following scripts in PowerShell:
Import the ServerManager module (Windows Server 2012 R2 and later):
Import-Module ServerManager
Import-Module: Loads a module into the current PowerShell session, making its cmdlets and functions available for use.
ServerManager: Specifies the name of the module to load, which enables server role and feature management cmdlets.
Install the RSAT-AD-PowerShell feature:
Add-WindowsFeature RSAT-AD-PowerShell
Add-WindowsFeature: Installs one or more Windows Server roles, role services, or features; this is the predecessor to Install-WindowsFeature on Windows Server 2008 R2.
RSAT-AD-PowerShell: Specifies the feature name for the Active Directory PowerShell tools on Windows Server 2008 R2.
2. After installation, import the ActiveDirectory module
Import the module:
Import-Module ActiveDirectory
Import-Module: Loads a module into the current PowerShell session, making its cmdlets and functions available for use.
ActiveDirectory: Specifies the name of the module to load into the current PowerShell session.
Check if the module is installed:
Get-Module -ListAvailable ActiveDirectory
Get-Module: Retrieves a list of modules that have been imported or are available to be imported into the current session.
-ListAvailable: Returns all modules installed on the system, regardless of whether they are currently loaded.
ActiveDirectory: Filters the results to only show modules matching this name.
Verify the module loaded successfully:
Get-Command -Module ActiveDirectory
Get-Command: Retrieves all commands available in the current PowerShell session, including cmdlets, functions, aliases, and scripts.
-Module ActiveDirectory: Restricts the output to only cmdlets and functions belonging to the Active Directory module.
If PowerShell returns a module not found error, verify that RSAT is installed and use Windows PowerShell 5.1, since the Active Directory module has limited compatibility with PowerShell 7.x.
How to use Get-ADUser to identify users whose passwords never expire
To find all AD users with the PasswordNeverExpires attribute enabled, use the following PowerShell script:
$Username: Stores the entered username into a variable.
Read-Host -Prompt: Prompts the operator to enter a username at runtime.
$User: Stores the retrieved AD user object into a variable.
Get-ADUser: Retrieves the target AD user object.
-Properties pwdLastSet: Retrieves the pwdLastSet attribute beyond the default properties.
$User.pwdLastSet = 0: Sets the pwdLastSet value to 0, which forces an immediate password expiry.
Set-ADUser -Instance $User: Applies the modified user object back to AD.
$User.pwdLastSet = -1: Resets the pwdLastSet value to the current date and time, effectively refreshing the password age.
Set-ADUser -Instance $User: Applies the final updated user object back to AD.
Note: The two-step process of first setting pwdLastSet to 0 and then to -1 is required because AD does not allow a direct update to -1 without first clearing the value. Setting it to 0 flags the password as expired, and setting it to -1 instructs AD to reset the timestamp to the current date and time.
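As an added example that is not part of the original article, the following script implements the interactive reset described in the explanations above, wrapped in a function so it supports -WhatIf. The function name Reset-ADPasswordAge is an assumption; the script assumes the ActiveDirectory module is loaded and the operator has write access to the target user.

```powershell
function Reset-ADPasswordAge {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    # pwdLastSet and PasswordNeverExpires are not in Get-ADUser's default property set
    $User = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordNeverExpires

    if ($User.PasswordNeverExpires) {
        Write-Warning "$SamAccountName has PasswordNeverExpires set; password age is not enforced for it."
    }

    if (-not $PSCmdlet.ShouldProcess($SamAccountName, 'Reset pwdLastSet to the current time')) {
        return
    }

    # Step 1: 0 flags the password as expired; AD requires this before it accepts -1
    $User.pwdLastSet = 0
    Set-ADUser -Instance $User

    # Step 2: -1 tells AD to stamp pwdLastSet with the current date and time
    $User = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet
    $User.pwdLastSet = -1
    Set-ADUser -Instance $User

    # Return the friendly PasswordLastSet value so the operator can confirm the change
    Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet
}

# Interactive use, as in the explanation above; drop -WhatIf to apply the change
$Username = Read-Host -Prompt 'Enter the username'
Reset-ADPasswordAge -SamAccountName $Username -WhatIf
```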
Setting DisablePasswordExpiration in Microsoft Entra ID
In Microsoft Entra ID, the cloud equivalent of the on-premises PasswordNeverExpires attribute is the DisablePasswordExpiration password policy. While DisablePasswordExpiration was historically managed through the AzureAD PowerShell module, Microsoft has deprecated the AzureAD module in favor of the Microsoft Graph PowerShell SDK, which is now the recommended approach for managing DisablePasswordExpiration and all Microsoft Entra ID user policies in modern environments.
The scripts below cover both the legacy AzureAD module and the current Microsoft Graph equivalent for reference.
1. Connect to Microsoft Graph
To connect to Microsoft Graph with the required permissions for managing password policies, use the following PowerShell script:
Connect-MgGraph -Scopes "User.ReadWrite.All"
Connect-MgGraph: Authenticates and establishes a session with Microsoft Graph.
-Scopes: Specifies the permissions required for the session.
User.ReadWrite.All: Grants permission to read and modify user objects in Microsoft Entra ID.
2. Set DisablePasswordExpiration for a user
To apply the DisablePasswordExpiration policy to a specific Microsoft Entra ID user, use the following Microsoft Graph PowerShell script:
Update-MgUser: Modifies an existing Microsoft Entra ID user object via Microsoft Graph.
-UserId: Specifies the target user by UPN or object ID.
-PasswordPolicies: Sets the password policy assigned to the user.
DisablePasswordExpiration: Disables password expiration for the specified user.
3. View users with DisablePasswordExpiration enabled
To retrieve all Microsoft Entra ID users with the DisablePasswordExpiration policy currently applied, use the following Microsoft Graph PowerShell script:
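The Microsoft Graph cmdlets for steps 1 to 3 of this section, as an added example rather than the article's own script. It assumes the Microsoft.Graph.Users module is installed and the signed-in account can consent to User.ReadWrite.All; the UPN and CSV path are constructed placeholders, and the commented Set-AzureADUser line is the legacy equivalent the article mentions.

```powershell
# Step 1: sign in with the scope needed to read and modify users
Connect-MgGraph -Scopes 'User.ReadWrite.All'

$Upn = 'svc-backup@contoso.example'   # constructed placeholder UPN

# Step 2: disable password expiration for this one user
Update-MgUser -UserId $Upn -PasswordPolicies 'DisablePasswordExpiration'
# Legacy AzureAD module equivalent (deprecated):
# Set-AzureADUser -ObjectId $Upn -PasswordPolicies DisablePasswordExpiration

# Confirm the policy on that user
Get-MgUser -UserId $Upn -Property UserPrincipalName, PasswordPolicies |
    Select-Object UserPrincipalName, PasswordPolicies

# Step 3: list every user with the policy applied. passwordPolicies is a
# comma-separated string and server-side filtering on it is limited, so the
# match is done client-side after retrieving all users.
$NeverExpires = Get-MgUser -All -Property UserPrincipalName, AccountEnabled, PasswordPolicies |
    Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
    Select-Object UserPrincipalName, AccountEnabled, PasswordPolicies

$NeverExpires | Export-Csv -Path .\EntraPasswordNeverExpires.csv -NoTypeInformation
"$($NeverExpires.Count) users have DisablePasswordExpiration"

# To put the user back under the tenant password policy:
# Update-MgUser -UserId $Upn -PasswordPolicies 'None'

Disconnect-MgGraph
```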
Get-ADUser: Retrieves one or more AD user objects based on specified filters or identity.
Select-Object: Selects specific properties from an object to include in the output.
Export-CSV: Exports objects to a CSV file, with each object represented as a row.
-Filter 'PasswordNeverExpires -eq $true': Filters the results to return only user accounts where the PasswordNeverExpires attribute is set to true.
-Properties PasswordNeverExpires,Enabled,LastLogonDate: Specifies additional user properties to retrieve beyond the default set returned by Get-ADUser.
PasswordNeverExpires: Indicates whether the user's password is set to never expire.
Enabled: Indicates whether the user account is active or disabled.
LastLogonDate: The date and time the user last logged into the domain.
Name: The full display name of the user account.
SamAccountName: The user's pre-Windows 2000 logon name, commonly used as the username.
-NoTypeInformation: Omits the type information header line from the CSV output, producing a cleaner file.
The exported report can help identify stale service accounts, unmanaged privileged accounts, and accounts that may violate organizational password policies.
Simplify password expiration management with ManageEngine ADSelfService Plus
While PowerShell can be used to configure and audit the PasswordNeverExpires attribute, organizations also need tools to reduce password-related support issues and strengthen password security.
ManageEngine ADSelfService Plus helps organizations manage password expiration proactively with features such as:
Password expiration reminders: Notify users automatically before their passwords expire through email, SMS, or push notifications. Notifications can be customized based on domains, OUs, and groups to reduce last-minute password resets and account lockouts.
Self-service password resets: Enable users to securely reset forgotten or expired passwords without contacting the help desk. This reduces support tickets and helps users regain account access faster.
Password policy enforcement: Strengthen AD password security with advanced password policies, including dictionary restrictions, breached-password blocking, pattern enforcement, and custom complexity requirements that go beyond native AD capabilities.
Together, these features help organizations reduce dependency on non-expiring passwords, improve compliance, and simplify password life cycle management.
FAQs
1. What are the security risks of setting password never expires?
Accounts with passwords that never expire are more vulnerable to credential theft, brute-force attacks, and password reuse risks. This setting should typically be limited to service accounts and non-interactive systems.
2. How do I audit which service accounts have the PasswordNeverExpires attribute?
Follow the steps below to identify accounts with the PasswordNeverExpires attribute enabled:
Open Active Directory Users and Computers and navigate to the OU containing service accounts.
Check the Account tab of each user object for the Password never expires option.
Review LastLogonDate to identify stale or orphaned accounts.
Verify each account has a named owner and a valid business justification for the setting.
Ensure no service accounts are members of privileged groups such as Domain Admins or Enterprise Admins.
3. Can I audit PasswordNeverExpires for users in a specific OU?
You can combine the Get-ADUser audit filter with the -SearchBase parameter to audit specific OUs containing service accounts.
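As an added example (not the article's own script), this function produces the CSV audit whose pipeline is explained in step 3 of the previous section and, per this FAQ, scopes it with -SearchBase; it also flags stale accounts and direct membership in Domain Admins or Enterprise Admins, the checks listed in FAQ 2. It assumes the ActiveDirectory module is loaded; the function name, OU path, output path and 90-day stale threshold are assumptions.

```powershell
function Get-PasswordNeverExpiresReport {
    param(
        # Defaults to the whole domain; pass an OU DN to narrow the audit
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$StaleAfterDays = 90,
        [string]$Path = '.\PasswordNeverExpires.csv'
    )

    $Cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    $Params = @{
        Filter     = 'PasswordNeverExpires -eq $true'
        SearchBase = $SearchBase
        Properties = 'PasswordNeverExpires', 'Enabled', 'LastLogonDate', 'PasswordLastSet', 'MemberOf'
    }

    $Report = Get-ADUser @Params |
        Select-Object Name, SamAccountName, Enabled, LastLogonDate, PasswordLastSet,
            @{ Name = 'PasswordAgeDays'; Expression = {
                if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } },
            @{ Name = 'Stale'; Expression = {
                # never logged on, or no logon since the cutoff
                (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $Cutoff) } },
            @{ Name = 'PrivilegedGroups'; Expression = {
                # direct membership only; nested membership needs Get-ADGroupMember -Recursive
                ($_.MemberOf | Where-Object { $_ -match '^CN=(Domain|Enterprise) Admins,' } |
                    ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }

    $Report | Export-Csv -Path $Path -NoTypeInformation
    $Report
}

# Audit one OU of service accounts (placeholder DN) and show the accounts needing review
$Results = Get-PasswordNeverExpiresReport -SearchBase 'OU=Service Accounts,DC=contoso,DC=example'
$Results | Where-Object { $_.Stale -or $_.PrivilegedGroups } |
    Format-Table SamAccountName, Enabled, LastLogonDate, PasswordAgeDays, PrivilegedGroups -AutoSize
```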
4. Does PasswordNeverExpires override Group Policy password age settings?
Yes. When PasswordNeverExpires is enabled for a user account, it overrides the domain’s maximum password age policy configured through Group Policy and Fine-Grained Password Policies.