This week's tip is by Roan Daley, a Premier Field Engineer at Microsoft.
Finding Active Directory objects that have Password Never Expires
As an Active Directory PFE, one of the issues I typically address with administrators is identifying objects (users or computers) that have Password Never Expires set. From a security perspective this is a risk: the domain password policy never forces these accounts to rotate, so a credential that leaked years ago is still valid today. For most environments, the easiest way to find them is the dsquery command. The filter uses the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) to test the DONT_EXPIRE_PASSWORD bit of userAccountControl, which is 0x10000, or 65536 in decimal. Note that computer objects also carry objectClass=user, so the user query adds objectCategory=person to keep computers out of it:
dsquery * domainroot -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr sAMAccountName userPrincipalName userAccountControl -d contoso.com
dsquery * domainroot -filter "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr cn userAccountControl -d contoso.com
For Windows Server 2008 R2 and above this is even easier with the Active Directory PowerShell module. The first command returns both users and computers (add -UsersOnly to restrict it to users), the second returns computers only:
Search-ADAccount -PasswordNeverExpires | FT Name,ObjectClass -A
Search-ADAccount -PasswordNeverExpires -ComputersOnly | FT Name,ObjectClass -A
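The one-liners above tell you which accounts have the flag, but not which ones to worry about first. The following script is an added example, not part of the original tip: it runs the same bitwise LDAP test the dsquery filter uses through Get-ADUser, cross-checks the result against Search-ADAccount, enriches each account with its password age and direct membership in a few well-known privileged groups, and shows the remediation with -WhatIf so nothing changes until you remove it. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the domain; the CSV path and the list of privileged group names are assumptions you should adjust for your environment.

```powershell
# Added example, not code from the original tip. Assumes the ActiveDirectory
# module is available and the caller has read access to the domain. The CSV
# path and the privileged-group list below are placeholders to adapt.
Import-Module ActiveDirectory

# DONT_EXPIRE_PASSWORD is bit 16 of userAccountControl: 0x10000 = 65536.
$DONT_EXPIRE_PASSWORD = 0x10000

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) performs the same bit test
# as the dsquery filter. objectCategory=person excludes computer objects, which
# also carry objectClass=user.
$ldap = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))"

# Direct membership only: MemberOf does not expand nested groups.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins', 'Account Operators'
$privilegedPattern = '^CN=(' + (($privilegedGroups | ForEach-Object { [regex]::Escape($_) }) -join '|') + '),'

$users = Get-ADUser -LDAPFilter $ldap -Properties userAccountControl, PasswordLastSet, Enabled, MemberOf, Description |
    Select-Object SamAccountName,
        Enabled,
        PasswordLastSet,
        @{ n = 'PasswordAgeDays'; e = {
            if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null } } },
        # Decode the bit explicitly so the report shows why the account matched.
        @{ n = 'NeverExpires'; e = { ($_.userAccountControl -band $DONT_EXPIRE_PASSWORD) -ne 0 } },
        @{ n = 'PrivilegedGroupMember'; e = {
            [bool]($_.MemberOf | Where-Object { $_ -match $privilegedPattern }) } },
        Description

# Cross-check: the LDAP filter and the cmdlet from the tip should agree on the user set.
$fromSearch = Search-ADAccount -PasswordNeverExpires -UsersOnly | Select-Object -ExpandProperty SamAccountName
if ($users -and $fromSearch) {
    $diff = Compare-Object -ReferenceObject @($users.SamAccountName) -DifferenceObject @($fromSearch)
    if ($diff) { Write-Warning "LDAP filter and Search-ADAccount disagree:`n$($diff | Out-String)" }
}

# Triage order: enabled accounts first, privileged ones before the rest, oldest passwords on top.
$users |
    Sort-Object -Property @{ Expression = 'Enabled'; Descending = $true },
                          @{ Expression = 'PrivilegedGroupMember'; Descending = $true },
                          @{ Expression = 'PasswordAgeDays'; Descending = $true } |
    Format-Table SamAccountName, Enabled, PrivilegedGroupMember, PasswordAgeDays, PasswordLastSet, Description -AutoSize

# Keep the evidence for the change record; the path is a placeholder.
$users | Export-Csv -Path .\PasswordNeverExpires-Users.csv -NoTypeInformation

# Remediation, gated with -WhatIf. Clearing the flag puts the account back under
# the domain password policy: if the password is already older than
# MaxPasswordAge, the user (or service) must change it at the next logon.
$users | Where-Object { $_.Enabled } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires $false -WhatIf
}
```

Review the CSV before dropping -WhatIf: accounts with a Description like "service" or a password age of several years are usually service accounts whose password is hard-coded somewhere, and clearing the flag on them will cause an outage when the policy expires the password. The durable fix for those is a group Managed Service Account, which rotates its own password; for the rest, clearing the flag and forcing a reset is the right call.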
Hope these tips help with keeping your AD clean!
About Roan Daley
Roan Daley is an Active Directory Premier Field Engineer (PFE) working at Microsoft.
The above tip was previously published in an issue of WServerNews, a weekly newsletter from TechGenix that focuses on the administration, management and security of the Windows Server platform in particular and cloud solutions in general. Subscribe to WServerNews today by going to http://www.wservernews.com/subscribe.htm and join almost 100,000 other IT professionals around the world who read our newsletter!
Mitch Tulloch is a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award and a widely recognized expert on Windows Server and cloud computing technologies. Mitch is also Senior Editor of WServerNews. For more information about him see http://www.mtit.com.