Powershell : Who has "Password does not Expire" set?


I got curious the other day and wondered about auditing the usage of the "Password never expires" option, that is this one here:


This overrides your domain password policy, and it also overrides any FGPP (Fine-Grained Password Policy) the organisation has set. I usually see it when a lockout occurs and nobody can trace the source of the lockout, so someone sets the password not to expire, which is not the correct action from a security point of view.

This is the script that reports on which enabled accounts have this option set:

# Import the Active Directory module (the RSAT ActiveDirectory module must be installed)
Import-Module ActiveDirectory

# Define the OUs to exclude as an array (placeholders; replace with your own OU distinguished names)
$excludedOUs = @(
    "OU=ExcludedOU1,DC=bear,DC=local",
    "OU=ExcludedOU2,DC=bear,DC=local",
    "OU=ExcludedOU3,DC=bear,DC=local"
)

# Get all enabled users with 'PasswordNeverExpires' set to true
$usersWithPasswordNeverExpires = Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} -Properties PasswordNeverExpires, Enabled, DistinguishedName

# Function to check if a user is in any of the excluded OUs (including their sub-OUs).
# A user sits under an OU when their DN ends with ",<OU DN>", so the check compares
# the suffix of the DN rather than searching for the OU string anywhere in it.
function IsUserInExcludedOU {
    param (
        [string]$distinguishedName
    )

    foreach ($ou in $excludedOUs) {
        if ($distinguishedName -like "*,$ou") {
            return $true
        }
    }
    return $false
}

# Filter out users in the excluded OUs
$filteredUsers = $usersWithPasswordNeverExpires | Where-Object { -not (IsUserInExcludedOU $_.DistinguishedName) }

# Display the list of users
$filteredUsers | Select-Object Name, SamAccountName, DistinguishedName

If you then want to remediate this, add the block below to the bottom of the script; it clears the "Password never expires" option on every account the report returned.

# Remove the 'PasswordNeverExpires' flag for these users.
# Do a dry run first by adding -WhatIf to Set-ADUser, and only run it for real
# once the list displayed above has been reviewed.
foreach ($user in $filteredUsers) {
    Set-ADUser -Identity $user.SamAccountName -PasswordNeverExpires $false
    Write-Host "Updated user: $($user.SamAccountName) - PasswordNeverExpires set to false"
}
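Before clearing the flag it helps to know which of these accounts would already be past their expiry without it, because those are the ones where the option is actively masking an expired password, and which policy governs each one (the resultant FGPP if one applies, otherwise the Default Domain Policy). The following is an added example, not code from the original post; it assumes the ActiveDirectory module and a domain-joined session with read access, it leaves out the OU exclusions from the script above so every flagged account appears, and the CSV path is a placeholder.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory module and a
# domain-joined session with read access; the CSV path is a placeholder.
Import-Module ActiveDirectory

$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$now = Get-Date

# Same population as the post's script (enabled accounts with the flag set); the OU
# exclusions are left out here so every flagged account shows up in the report.
$flagged = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordLastSet, LastLogonDate

$report = foreach ($user in $flagged) {
    # Resultant FGPP if the account (directly or via a group) is covered by one,
    # otherwise the Default Domain Policy governs it
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($fgpp) {
        $policyName = $fgpp.Name
        $maxAge     = $fgpp.MaxPasswordAge
    } else {
        $policyName = 'Default Domain Policy'
        $maxAge     = $domainPolicy.MaxPasswordAge
    }

    # Password age in days; $null when PasswordLastSet is empty (e.g. "must change at next logon")
    $ageDays = if ($user.PasswordLastSet) { [int](New-TimeSpan -Start $user.PasswordLastSet -End $now).TotalDays } else { $null }

    # A MaxPasswordAge of zero (or "never") means the policy itself does not expire
    # passwords, so only compare when the policy actually has a maximum age
    $wouldHaveExpired = ($maxAge -gt [TimeSpan]::Zero) -and ($null -ne $ageDays) -and ($ageDays -gt $maxAge.TotalDays)

    [PSCustomObject]@{
        SamAccountName     = $user.SamAccountName
        DistinguishedName  = $user.DistinguishedName
        GoverningPolicy    = $policyName
        MaxPasswordAgeDays = [int]$maxAge.TotalDays
        PasswordAgeDays    = $ageDays
        WouldHaveExpired   = $wouldHaveExpired
        LastLogonDate      = $user.LastLogonDate
    }
}

# Oldest passwords first: these are the accounts where the flag is hiding an already expired password
$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$report | Export-Csv -Path '.\PasswordNeverExpires-Audit.csv' -NoTypeInformation
```

Accounts with WouldHaveExpired set to True are the ones to prioritise, since clearing the flag on them forces a password change at the next logon rather than just restoring the expiry clock.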
