When working in IT, there is a long-running debate over whether it is better to set no password expiration or to expire passwords after some time. Microsoft even warns against expiring passwords, and as any thoughtful admin knows, expiration leads to bad password habits. So the question is, how do you find out your organization’s policy regarding passwords and whether every account matches it? Here is how to get a list of all users with Password Never Expires checked, or vice versa. Then I will show you a script for setting all passwords to Never Expire.
- Start with PowerShell
- Type in each command
- Import-Module ActiveDirectory
- Get-ADUser -Filter * -Properties Name, PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object DistinguishedName,Name,Enabled | Export-Csv "$env:USERPROFILE\Desktop\pw_report.csv" -NoTypeInformation
- Hit Enter and get all the info you need! To list the accounts where the box is not checked, compare against $false instead of $true.
The output will be similar to this:
The next question is, how can you fix all the accounts that are not set the way you want them?
Set All Users in Domain To Password Never Expires Using PowerShell
- Start with an admin PowerShell
- Type in the command (single line)
- Get-ADUser -Filter * | Set-ADUser -PasswordNeverExpires:$True
- Hit Enter
Again, I ran the command above to get the results and ensure it worked.
Get-ADUser -Filter * -Properties Name, PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object DistinguishedName,Name,Enabled | Export-Csv "$env:USERPROFILE\Desktop\pw_status-true.csv" -NoTypeInformation
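A more cautious variant of the bulk change above, as an added example that is not from the original article: it limits the change to enabled accounts in one OU, saves the before-state to CSV, and supports a -WhatIf preview. The function name, the OU path (built on the domain.local name used later in this article) and the pw_before.csv file name are assumptions.

```powershell
# Added example, not the original author's script.
# Assumptions: the ActiveDirectory module (RSAT) is installed, and the OU
# passed at the bottom is a placeholder for one that exists in your domain.
Import-Module ActiveDirectory

function Set-PasswordNeverExpiresScoped {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SearchBase,

        [string]$BackupPath = "$env:USERPROFILE\Desktop\pw_before.csv"
    )

    # Enabled accounts under the chosen OU whose passwords still expire.
    # Accounts outside the OU (service accounts, built-ins) are never touched.
    $targets = Get-ADUser -Filter * -SearchBase $SearchBase `
                          -Properties PasswordNeverExpires, PasswordLastSet |
        Where-Object { $_.Enabled -and -not $_.PasswordNeverExpires }

    # Record the state before the change so it can be reviewed or reverted.
    # -WhatIf:$false makes sure the report is written even during a preview.
    $targets |
        Select-Object DistinguishedName, SamAccountName, Enabled, PasswordLastSet |
        Export-Csv -Path $BackupPath -NoTypeInformation -WhatIf:$false

    foreach ($user in $targets) {
        # ShouldProcess returns $false under -WhatIf, so nothing is modified.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName,
                                    'Set PasswordNeverExpires to True')) {
            Set-ADUser -Identity $user -PasswordNeverExpires $true
        }
    }

    # Return the accounts in scope so the caller can count or inspect them.
    $targets
}

# Preview only: lists what would change and writes the CSV, modifies nothing.
Set-PasswordNeverExpiresScoped -SearchBase 'OU=Staff,DC=domain,DC=local' -WhatIf
```

Run it again without -WhatIf once the preview and the CSV show only the accounts you expect.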
You can also play with the filters a bit to limit your search by all types of criteria. Since we are already looking at password options, let me show you something about the password policy.
How To Set Password Policy in Active Directory
I will make more articles on how to do these things using PowerShell soon. I’ve already started it, but there is a lot to digest.
First, if you are unsure about your action before you do it, please consider the headache you might cause yourself with IT complaints and commotion. You will likely suffer if you do not adequately alert people to policy changes that affect daily computer use.
We can get away with not alerting about the password never expires action because it is best practice according to Microsoft, and people will find that type of change positive. However, setting complex passwords tends to get people up in arms, so consider the ramifications of what you do and the power you wield.
Group Policy Management Console is the quickest way to set the password requirements.
You can get there from the Server Manager window by opening Group Policy Management. Click your way down through the domain you want to edit until you get to the section called “Group Policy Objects in domain.local”. From there, you will right-click on Default Domain Policy, which will open the Group Policy Management Editor.
You can also click the start menu and try typing in MMC; this is what I do, but I’m not sure if that works on all machines or not.
Once in the Group Policy Management Editor, click your way down Computer Configuration > Policies > Security Settings > Password Policy.
In most cases, you are likely looking to set this requirement:
But there are several other options here that you can edit as well. If you have set the password never to expire, you should disable the Minimum and Maximum password age policies.
Leave me a comment if you want a breakdown or want to see how to make another script. Scripting on your AD setup can make your life easier and should be a requirement. I plan to publish several of these tips and tricks as I work through my notes, and I hope it helps you run your IT a little better!