How to get a list of Active Directory users with passwords that never expire using PowerShell

In PowerShell, the Get-ADUser cmdlet is used with a filter for the PasswordNeverExpires property to list Active Directory (AD) users whose passwords never expire. This is important for security and compliance, as accounts with non-expiring passwords can pose major risks. By identifying them, admins can take the necessary steps to configure password expiration.

While PowerShell helps admins with tasks like these, it requires scripting knowledge, careful filtering, and manual exporting for further analysis. In contrast, ManageEngine ADManager Plus, a web-based AD management and reporting tool, helps you generate this report in a few clicks.

Getting AD users with passwords that never expire

The sections below list the steps to enumerate AD users with passwords that never expire using PowerShell and ADManager Plus.

Windows PowerShell

Prerequisites

Import the AD module (if not done already) using this command:

Import-Module ActiveDirectory

Using the Get-ADUser cmdlet to list users with PasswordNeverExpires property

Run the command below to get all users whose passwords never expire. This outputs a table with user names, their SAM account names, and the relevant attribute.

Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires |
Select-Object Name, SamAccountName, PasswordNeverExpires

ADManager Plus

To list users with passwords that never expire using ADManager Plus:

  1. Log in to ADManager Plus and navigate to the Reports tab > Password Reports.
  2. Under General Password Reports, select Users with Password Never Expires.
  3. Select the domain and click Add OUs to select your preferred OUs.
  4. Click Generate.

What's next? Configure password expiration for your users by following these steps.

Example use cases and scripts for password expiration tasks

Example 1: List all AD users whose passwords never expire and export results to CSV

Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires |
Select-Object Name, SamAccountName, PasswordNeverExpires |
Export-Csv -Path "C:\ADUsers_PasswordNeverExpires.csv" -NoTypeInformation

Example 2: Check if a specific account's password is set to never expire

Get-ADUser -Identity <username> -Properties PasswordNeverExpires | Select-Object SamAccountName, PasswordNeverExpires

Example 3: Listing users using the Search-ADAccount cmdlet

Search-ADAccount -PasswordNeverExpires | Where-Object {$_.Enabled -eq $true} | Select-Object Name, Enabled
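The three examples above each show one piece: a filtered query, a single-account check, and an enabled-only listing. The following script, added here as an illustration and not part of the original page, combines them into a single audit report that a reviewer can act on: it restricts the query to enabled accounts, adds password age, last logon and the AdminCount flag (stamped on members of protected groups) so privileged accounts with non-expiring passwords sort to the top, and exports a date-stamped CSV. The ActiveDirectory module and a domain-joined session are assumed; $ReportDir is an assumed output folder.

```powershell
# Added example: audit of enabled AD users whose passwords never expire.
# Assumes the ActiveDirectory module is available; $ReportDir is an assumed path.
Import-Module ActiveDirectory

$ReportDir = 'C:\Reports'                                  # assumed output folder
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
$OutFile   = Join-Path $ReportDir "PasswordNeverExpires-$Stamp.csv"
if (-not (Test-Path $ReportDir)) { New-Item -ItemType Directory -Path $ReportDir | Out-Null }

# Disabled accounts carry little risk; keep the report focused on enabled ones.
$Users = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, AdminCount, MemberOf

$Report = foreach ($u in $Users) {
    # Password age in days. A $null PasswordLastSet means the password was never set
    # or the user is flagged to change it at next logon.
    $AgeDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }

    # AdminCount = 1 is set by the SDProp process on members of protected groups,
    # a quick indicator that a non-expiring password sits on a privileged account.
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        Name              = $u.Name
        PasswordLastSet   = $u.PasswordLastSet
        PasswordAgeDays   = $AgeDays
        LastLogonDate     = $u.LastLogonDate
        Privileged        = ($u.AdminCount -eq 1)
        GroupCount        = @($u.MemberOf).Count
        DistinguishedName = $u.DistinguishedName
    }
}

# Highest-risk rows first: privileged accounts, then the oldest passwords.
$Report = @($Report | Sort-Object @{Expression = 'Privileged'; Descending = $true },
                                  @{Expression = 'PasswordAgeDays'; Descending = $true })
$Report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Short console summary for the operator; the CSV holds the detail.
'{0} enabled user(s) with non-expiring passwords, {1} privileged. Report: {2}' -f `
    $Report.Count, @($Report | Where-Object Privileged).Count, $OutFile
```

Sorting privileged accounts first matters in practice: a non-expiring password on a Domain Admins member is a far larger exposure than the same setting on a test account, and the CSV lets the reviewer justify each exception or schedule a change. Compare PasswordAgeDays against the domain's maximum password age to see which passwords would already be expired if the flag were cleared.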

Supported parameters

The following are essential parameters to perform password expiration tasks in PowerShell:

Parameter     Description
-Filter       Selects users matching password policy conditions, for example 'PasswordNeverExpires -eq $true'.
-Properties   Retrieves extended attributes such as PasswordNeverExpires, which Get-ADUser does not return by default.
-Identity     Targets a specific user by SamAccountName, distinguished name, GUID, or SID.
Export-Csv    A cmdlet rather than a parameter; used at the end of the pipeline to write the report to a CSV file.
-Path         Export-Csv parameter that sets the output file path for the exported report.

Limitations of using PowerShell to perform password expiration operations

  • Requires exact distinguished names and user identifiers, which can complicate bulk updates.
  • Scripting errors can affect large groups if not carefully filtered.
  • Lacks integrated scheduling, alerting, or rollback features, and all actions are manual.
  • Permissions must be delegated appropriately for technicians running scripts.
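The limitations above (bulk changes hitting the wrong accounts, no rollback) are manageable in PowerShell if the remediation script is written defensively. The script below is an added example, not from the original page, showing the "what's next" step of clearing the PasswordNeverExpires flag with three safeguards: an exemption list for approved service accounts, a snapshot of the prior state that can be replayed to undo the change, and ShouldProcess support so a -WhatIf dry run can be reviewed before anything is modified. The ActiveDirectory module is assumed; $Exempt and $SnapshotPath hold assumed values.

```powershell
# Added example: clear PasswordNeverExpires on enabled users with an exemption list,
# a rollback snapshot, and -WhatIf / -Confirm support. Save as Clear-PNE.ps1 and run
# first with -WhatIf. Assumes the ActiveDirectory module; parameter defaults are assumed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed list of approved service accounts that keep the flag by exception.
    [string[]] $Exempt = @('svc-backup', 'svc-sql'),
    # Assumed path for the pre-change snapshot used for rollback.
    [string]   $SnapshotPath = "C:\Reports\PNE-snapshot-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
)

Import-Module ActiveDirectory

# Only enabled accounts, minus the exemptions, are touched.
$Targets = @(Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
        -Properties PasswordNeverExpires, PasswordLastSet |
    Where-Object { $Exempt -notcontains $_.SamAccountName })

if ($Targets.Count -eq 0) { Write-Host 'Nothing to change.'; return }

# Snapshot of the prior state. Replaying it with -PasswordNeverExpires $true restores it.
$Targets | Select-Object SamAccountName, DistinguishedName, PasswordNeverExpires, PasswordLastSet |
    Export-Csv -Path $SnapshotPath -NoTypeInformation
Write-Host "Snapshot of $($Targets.Count) account(s) written to $SnapshotPath"

foreach ($u in $Targets) {
    # ShouldProcess honours -WhatIf and -Confirm, so a dry run shows exactly which
    # accounts would change without modifying anything.
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Clear PasswordNeverExpires')) {
        Set-ADUser -Identity $u -PasswordNeverExpires $false
    }
}

# Rollback, if needed, from the snapshot:
#   Import-Csv $SnapshotPath |
#       ForEach-Object { Set-ADUser -Identity $_.DistinguishedName -PasswordNeverExpires $true }
```

One caveat worth planning for: once the flag is cleared, the account's PasswordLastSet is evaluated against the domain or fine-grained password policy immediately, so an account whose password is older than the maximum password age expires on the spot. Check the snapshot's PasswordLastSet column before the live run and coordinate a password change for those accounts, particularly service accounts used non-interactively.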

How ADManager Plus helps manage user passwords and other AD objects

ADManager Plus is a web-based AD and Microsoft Entra ID management and reporting tool that simplifies AD password management and more from a centralized interface.


FAQs

You can check whether a user's password is set to never expire using the Get-ADUser cmdlet in PowerShell, with a filter on the PasswordNeverExpires property. Script-free tools like ADManager Plus help you identify AD users whose passwords never expire by generating or scheduling reports.

You can set AD users' passwords to never expire using PowerShell or GUI-based tools such as Active Directory Users and Computers and ManageEngine ADManager Plus.
