If you are running Service Accounts, having them not expire is something many admins want set because some applications stop working that use them if the password keeps changing. Applications such as System Center Configuration Manager (SCCM) or System Center Operations Manager (SCOM) as two examples of this.

You may find that a senior exec or manager complains they have to constantly update their Active Directory Password and eventually you enable the checkbox to set it to never expire and forget about it.

I put together a simple script that will go and pull all accounts in Active Directory and output it onto the screen. Below is the output from the script:

Output of all accounts that are set to never expire in Active Directory


The script Imports the Active Directory Module so you can run it from PowerShell or PowerShell ISE, below is the script:

# Import the Active Directory module
Import-Module ActiveDirectory

# Get all user accounts with passwords set to never expire
$neverExpireAccounts = Get-ADUser -Filter {PasswordNeverExpires -eq $true} -Properties DisplayName, UserPrincipalName, DistinguishedName

# Display the results
$neverExpireAccounts | Select-Object DisplayName, UserPrincipalName, DistinguishedName

You can modify the script to export to a CSV file if you need to.

Hope it helps


    Discover more from Everything-PowerShell

    Subscribe now to keep reading and get access to the full archive.

    Continue reading