Locating users with non-expiring passwords


A bad habit of systems administrators is to configure accounts with non-expiring passwords. When you are upgrading from Server 2003, you’ve got an opportunity to do some spring cleaning, and that can include finding every account in the directory that is configured with a non-expiring password.

Some of the worst offenders in this area are systems administrators themselves, who don’t actually want to go through the rigmarole of updating their password every few weeks like they expect ordinary users to.

You can find user accounts with non-expiring passwords by issuing the following PowerShell command:

Search-ADAccount -PasswordNeverExpires

If you want to output this to a scrollable dialog box, use the command

Search-ADAccount -PasswordNeverExpires | Out-GridView

Once you have a list of accounts with non-expiring passwords, it is time to work out whether each of those accounts has a justification for its non-expiring password.

Non-expiring service account passwords are another common habit. In some cases the product documentation requires you to configure a service account with a non-expiring password. If that’s the case, and you can’t migrate the account so that it becomes a group managed service account, then you should at least go to the trouble of ensuring that you’ve minimized the number of privileges assigned to the account.
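
One way to triage the list for the justification review described above, as an added example that is not part of the original article. The helper name Get-NonExpiringPasswordReport, the 180-day inactivity threshold and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example. Uses the ActiveDirectory module when present, else constructed samples.
function Get-NonExpiringPasswordReport {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Account,
        [int] $StaleDays = 180   # assumption: inactivity threshold, tune to policy
    )
    process {
        $now        = Get-Date
        $hasSpn     = [bool]$Account.ServicePrincipalNames  # SPN set: likely a service account
        $privileged = $Account.adminCount -eq 1             # is or was in a protected admin group
        $stale      = -not $Account.LastLogonDate -or
                      ($now - $Account.LastLogonDate).TotalDays -gt $StaleDays
        $review = if (-not $Account.Enabled) { 'Disabled: confirm it is still needed' }
                  elseif ($stale)      { 'No recent logon: candidate to disable' }
                  elseif ($hasSpn)     { 'Service account: consider gMSA, trim privileges' }
                  elseif ($privileged) { 'Admin account: needs explicit justification' }
                  else                 { 'Ask the owner for justification' }
        [pscustomobject]@{
            SamAccountName  = $Account.SamAccountName
            Enabled         = $Account.Enabled
            Privileged      = $privileged
            HasSpn          = $hasSpn
            PasswordAgeDays = if ($Account.PasswordLastSet) { [int]($now - $Account.PasswordLastSet).TotalDays }
            LastLogonDate   = $Account.LastLogonDate
            GroupCount      = ($Account.MemberOf | Measure-Object).Count  # direct memberships only
            Review          = $review
        }
    }
}

# Constructed sample objects carrying the same properties Get-ADUser returns.
$d = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-sql'; Enabled = $true; adminCount = $null
        ServicePrincipalNames = @('MSSQLSvc/db01.example.test:1433'); MemberOf = @('CN=SQL Admins')
        PasswordLastSet = $d.AddDays(-1400); LastLogonDate = $d.AddDays(-1) }
    [pscustomobject]@{ SamAccountName = 'adm-jdoe'; Enabled = $true; adminCount = 1
        ServicePrincipalNames = @(); MemberOf = @('CN=Domain Admins', 'CN=Server Ops')
        PasswordLastSet = $d.AddDays(-900); LastLogonDate = $d.AddDays(-3) }
    [pscustomobject]@{ SamAccountName = 'old-kiosk'; Enabled = $true; adminCount = $null
        ServicePrincipalNames = @(); MemberOf = @()
        PasswordLastSet = $d.AddDays(-2000); LastLogonDate = $null }
)

$props = 'PasswordLastSet', 'LastLogonDate', 'ServicePrincipalNames', 'adminCount', 'MemberOf'
$accounts = if (Get-Command Search-ADAccount -ErrorAction SilentlyContinue) {
    Search-ADAccount -PasswordNeverExpires -UsersOnly | Get-ADUser -Properties $props
} else { $sample }
$accounts | Get-NonExpiringPasswordReport | Sort-Object Privileged, PasswordAgeDays -Descending | Format-Table -AutoSize
```

LastLogonDate is derived from lastLogonTimestamp, which replicates with a delay of up to about two weeks, so treat the stale flag as a prompt to check the account rather than as proof that it is unused.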
