Wednesday, April 4, 2012

Powershell: What AD accounts are set to never expire?

Here's a quick Powershell script that just came in handy for me recently. I was trying to find what users on our domain were given an exception to our password expiration policy and were set to never have their password expire.

Obviously, going manually through AD checking every account tab of every user is just not feasible. Luckily, Powershell has a quick and easy solution. You can use the Search-ADAccount cmdlet and pipe it out to a text file for easy viewing or exporting to a spreadsheet.

You will first need to install the Active Directory Module for Windows PowerShell. This set of tools is part of the Remote Server Administration Tools which must be installed separately on your Windows 7 box.

If you do not already have it installed, you can download it from Microsoft. Once you have that package installed you still need to enable the tool.

To enable the tool, click Start, then type Windows features and then hit Enter. Once the Windows Features window is loaded, navigate to the Remote Server Administration Tools and enable the Group Policy Management Tools. 

Next open your Start Menu and select Windows PowerShell Active Directory Module.
Type the following:

Search-ADAccount -PasswordNeverExpires | FT Name, ObjectClassUserPrincipalName | Out-File c:\yourdirectory\neverexpire.txt

And that's it. I reccomend saving this script for situations where multiple people may be editing Active Directory and stray clicks or sneaky admins might change a users account.

No comments:

Post a Comment