How to track user accounts with Password never expires

As a security best practice, it is recommended that users on a network create complex passwords and also change them periodically. Active Directory's password policies help administrators impose such password complexity requirements. With these requirements in place, if a password is set to never expire, administrators should analyze the reason behind it, as it could indicate an incident.

'Password never expires' events are a threat because:

  • It could potentially mean an admin account has been compromised by an outsider or a malicious insider and they are making risky changes, such as changing the security settings, on the network.

  • Secondly, user accounts with passwords set to never expire are low-hanging fruit for a brute-force attacker, who has a much better chance at cracking a password that never changes.

With native AD capability, the auditing of users with 'Password never expires' can be done by enabling Audit Policy and analyzing the generated logs using Windows Event Viewer.

Once the Audit Policy is in place, the Event Viewer records changes to the user account with a unique event ID, which can be inspected to find any users whose password settings were modified to 'Password never expires'. The administrator will have to go through all the logs on user account changes to find the ones in question.

This article compares the process of finding users with 'Password never expires' set, using native Active Directory tools and techniques and using ADAudit Plus. In both cases, you need to enable auditing.

With ADAudit Plus

ADAudit Plus generates reports by processing information from the Event Viewer. To view the reports, open the ADAudit Plus console and navigate to Reports > User Management > Password Never Expires Set Users report. This report lists the users that have their passwords set to never expire and, more importantly, displays the users who initiated this change. Here, unlike in native AD auditing, the administrator does not have to go through several logs to find the events that indicate this setting has been applied; they can also see the user account that initiated the modification of the password settings. Here is a sample report:

Steps to Enable Audit Policy

  • Open Server Manager on your Windows server.

  • Under the Manage tab, click on Group Policy Management to open the Group Policy Management Console.

  • Navigate to Forest > Domain > Your Domain > Domain Controllers.

  • You can choose to either edit an existing group policy object or create a new one.

  • In the Group Policy Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.

  • Expand the node and navigate to Audit Policy > Account Management > Audit User Account Management. Enable it for both 'Success' and 'Failure'.

Auditing 'Password never expires' events with native AD tools and techniques

  • Open Event Viewer to find the users who have 'Password never expires' set in their accounts.

  • Windows Event Viewer records all the changes to the objects in the directory for which auditing has been enabled. Every change is recorded as an event and is associated with a unique event ID.

  • To view the events, open Event Viewer and navigate to Windows Logs > Security. The pane in the center displays all the events that are being audited. Look for Event ID 4738, which indicates that a user account was changed.

    This image shows the event log filtered for event ID 4738.

  • Click on 'Filter Current Log' on the right pane to filter the events by event IDs, time range and a few other parameters. After the events have been filtered by event ID 4738, you can click on the logs for more details regarding the change. The administrator can read through the details of each log to find users who have passwords set to never expire.
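The same two checks scripted in PowerShell, as an added example that is not part of the article or of ADAudit Plus: an inventory of accounts currently exempt from password expiry, and the 4738 audit trail showing who enabled the flag and when. It assumes the ActiveDirectory RSAT module on a domain-joined host, the audit policy from the steps above, read access to the domain controller's Security log, and a placeholder DC name 'DC01'.

```powershell
# Added example (not from the article or ADAudit Plus). Assumes RSAT's ActiveDirectory
# module, Audit User Account Management enabled as above, and rights to read the
# DC's Security log. 'DC01' below is a placeholder domain controller name.

function Get-PasswordNeverExpiresUsers {
    # Current state: every enabled account whose password is exempt from expiry.
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
        -Properties PasswordNeverExpires, PasswordLastSet |
        Select-Object SamAccountName, DistinguishedName, PasswordLastSet
}

function Get-PasswordNeverExpiresChanges {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [int]$Days = 30
    )
    $filter = @{ LogName = 'Security'; Id = 4738; StartTime = (Get-Date).AddDays(-$Days) }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
        -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # 4738 lists every UAC flag that changed; keep only events that enabled
        # 'Don't Expire Password' (the text Event Viewer shows in the details pane).
        if ($e.Message -notmatch "'Don't Expire Password' - Enabled") { continue }
        # Pull the named fields out of the event XML instead of parsing the message.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Target    = "$($data.TargetDomainName)\$($data.TargetUserName)"
            ChangedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"   # who initiated it
            OldUac    = $data.OldUacValue
            NewUac    = $data.NewUacValue
        }
    }
}

# Usage: current inventory, then the audit trail for the last 30 days.
Get-PasswordNeverExpiresUsers | Format-Table -AutoSize
Get-PasswordNeverExpiresChanges -ComputerName 'DC01' -Days 30 | Format-Table -AutoSize
```

Events are only present on the domain controller that processed the change, so run the second function against each DC (or a collector) rather than a single one.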

© 2019 Zoho Corp. All rights reserved.