A bad habit of systems administrators is to configure accounts with non-expiring passwords. When you are upgrading from Server 2003, you’ve got an opportunity to do some spring cleaning, and that can involve finding all those accounts that are currently in the directory that are configured with non-expiring passwords.
Some of the worst offenders in this area are systems administrators themselves, who don’t actually want to go through the rigmarole of updating their password every few weeks like they expect ordinary users to.
You can find user accounts with non-expiring passwords by issuing the following PowerShell command:
Search-ADAccount -PasswordNeverExpires
If you want to output this to a scrollable dialog box, use the command
Search-ADAccount –PasswordNeverExpires | Out-Gridview
Once you have a list of accounts with non-expiring passwords, it is time to figure out if those accounts have justification for the non-expiring passwords.
Non-expiring service account passwords are another common habit. In some cases the product documentation requires you to configure a service account with a non-expiring password. If that’s the case, and you can’t migrate the account so that it becomes a group managed service account, then you should at least go to the trouble of ensuring that you’ve minimized the number of privileges assigned to the account.
