JSI Tip 7549. How do I list accounts in my domain whose password is set to never expire?

Using DSQUERY and DSGET, I have scripted PwdNeverExpires.bat to display the Distinguished Name (DN) of all domain user accounts whose password is set to never expire. The PwdNeverExpires.bat script does NOT report accounts that are disabled.

The syntax for using PwdNeverExpires.bat is:


The output is displayed on the CMD console, but you can redirect it to a file using the following syntax:


You can use the output in subsequent commands, as in:

for /f "Tokens=*" %%i in ('PwdNeverExpires') do SomeCommand %%i

NOTE: See How do I list accounts in my domain that have NOT changed their password in nnn days?

NOTE: See How can I report all inactive user accounts, and optionally disable them?

PwdNeverExpires.bat contains:

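@echo off
setlocal
rem Clear work files left over from a previous run.
if exist "%TEMP%\PwdNeverExpires.tm1" del /q "%TEMP%\PwdNeverExpires.tm1"
if exist "%TEMP%\PwdNeverExpires.tm2" del /q "%TEMP%\PwdNeverExpires.tm2"
rem List every user in the domain (-limit 0 removes the default 100-object cap).
set getit=dsquery user domainroot -name * -limit 0
for /f "Tokens=*" %%u in ('%getit%') do set UDN=%%u&call :pwdne
if not exist "%TEMP%\PwdNeverExpires.tm1" endlocal&goto :EOF
rem Sort the matching DNs, display them, then clean up.
sort "%TEMP%\PwdNeverExpires.tm1" /O "%TEMP%\PwdNeverExpires.tm2"
type "%TEMP%\PwdNeverExpires.tm2"
del /q "%TEMP%\PwdNeverExpires.tm1"
del /q "%TEMP%\PwdNeverExpires.tm2"
endlocal
goto :EOF
:pwdne
rem Read the two flags for this user; skip the header line and the trailing "dsget succeeded" line.
for /f "Skip=1 Tokens=1-2" %%i in ('dsget user %UDN% -pwdneverexpires -disabled') do (
 if /i "%%i" NEQ "dsget" call :report %%i %%j
)
goto :EOF
:report
rem The script treats %1 as the pwdneverexpires value and %2 as the disabled value.
rem Keep only accounts whose password never expires and that are not disabled.
if /i "%1" NEQ "yes" goto :EOF
if /i "%2" EQU "yes" goto :EOF
@echo %UDN%>>"%TEMP%\PwdNeverExpires.tm1"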
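
The same report can be produced with one server-side LDAP query instead of one dsget call per user, by testing the DONT_EXPIRE_PASSWD (65536) and ACCOUNTDISABLE (2) bits of userAccountControl. The PowerShell below is an added example, not part of the original tip; the function name Get-PwdNeverExpiresAccount, the optional -SearchRoot parameter, and the extra SamAccountName and PwdLastSetUtc columns are assumptions made for illustration.

```powershell
# Added example, not from PwdNeverExpires.bat. The function name is hypothetical.
function Get-PwdNeverExpiresAccount {
    [CmdletBinding()]
    param(
        # Optional ADSI path of the container to search (constructed sample:
        # 'LDAP://OU=Staff,DC=example,DC=com'). Defaults to the current domain.
        [string]$SearchRoot
    )

    $DONT_EXPIRE_PASSWD = 0x10000            # userAccountControl bit, decimal 65536
    $ACCOUNTDISABLE     = 0x2                # userAccountControl bit, decimal 2
    $bitAnd = '1.2.840.113556.1.4.803'       # LDAP_MATCHING_RULE_BIT_AND

    # Enabled user objects whose password is flagged as never expiring.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:${bitAnd}:=$DONT_EXPIRE_PASSWD)" +
              "(!(userAccountControl:${bitAnd}:=$ACCOUNTDISABLE)))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    }
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000                # page results so large domains are not truncated
    foreach ($attr in 'distinguishedname', 'samaccountname', 'pwdlastset') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # pwdLastSet is a FILETIME; 0 means the password must change at next logon.
            $raw = $r.Properties['pwdlastset']
            $lastSet = $null
            if ($raw.Count -gt 0 -and [int64]$raw[0] -gt 0) {
                $lastSet = [datetime]::FromFileTimeUtc([int64]$raw[0])
            }
            [pscustomobject]@{
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
                PwdLastSetUtc     = $lastSet
            }
        }
    }
    finally {
        $results.Dispose()                   # FindAll() holds unmanaged resources
    }
}

Get-PwdNeverExpiresAccount | Sort-Object DistinguishedName
```

Sorting on PwdLastSetUtc instead puts the oldest never-expiring passwords first, which is usually the order in which they should be reviewed.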
