
Get-ADUser -Properties not returning PasswordNeverExpires for all users


I am trying to list all users that have the PasswordNeverExpires flag set.

If I use

Get-ADUser

I get a list of all users in my domain, along with a load of default properties.

If I use

Get-ADUser -Filter * -Properties Name | Format-Table -Property Name -AutoSize

I also get a list of all usernames in my domain, as a table.

When I use

Get-ADUser -Filter * -Properties Name,PasswordNeverExpires | Format-Table -Property Name,PasswordNeverExpires

I get a table that contains a full list of usernames, but ONLY the following accounts have either True or False in the PasswordNeverExpires column

Guest
krbtgt
Administrator
SBSMonAcct
Network Administrator
<MyDomainAdminAccount>
SPSearch
<AnAdministratorAccountForOneOfOurSoftwareVendors>
<AnAccountThatWasCopiedFromTheDomainAdministratorAccount>
<AnotherAccountCopiedFromTheDomainAdministratorAccount>

All the other items/usernames in the table have empty/blank/non-existent values.

I have also tried

Get-ADUser -LDAPFilter "(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

but that only returns

<MyDomainAdminAccount>
SPSearch

Why is the PasswordNeverExpires flag not being picked up for all users? Thanks.


Solution

  • PasswordNeverExpires is calculated from the userAccountControl attribute.

    Probably the fastest way to search for users that have that flag set is as follows:

    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=65536)" -Properties PasswordNeverExpires
    

    See the documentation for more information on searching using a bitwise filter. 65536 (0x10000) corresponds to the ADS_UF_DONT_EXPIRE_PASSWD bit position, so this LDAP search filter searches only for accounts that have that flag set.
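An added example, not part of the question or the answer: it decodes the userAccountControl bits that the LDAP bitwise filter tests (so the logic can be checked offline against constructed values) and wraps the same filter, plus the disabled-account exclusion from the question, in a small audit query. The function names and the sample accounts are constructed; the live query assumes the ActiveDirectory module and a domain-joined host.

```powershell
# Added example. Bit values from the userAccountControl attribute:
$UAC_ACCOUNTDISABLE     = 0x0002   # 2
$UAC_DONT_EXPIRE_PASSWD = 0x10000  # 65536 (ADS_UF_DONT_EXPIRE_PASSWD)

function Test-PasswordNeverExpires {
    # Same test the LDAP matching rule 1.2.840.113556.1.4.803 (bitwise AND)
    # performs server-side for (userAccountControl:...:=65536).
    param([Parameter(Mandatory)][int]$UserAccountControl)
    return (($UserAccountControl -band $UAC_DONT_EXPIRE_PASSWD) -ne 0)
}

function Test-AccountEnabled {
    # Bit 2 set means ACCOUNTDISABLE; the question's filter excludes it with (!...:=2).
    param([Parameter(Mandatory)][int]$UserAccountControl)
    return (($UserAccountControl -band $UAC_ACCOUNTDISABLE) -eq 0)
}

# Constructed sample values (hypothetical accounts) to exercise the decoding offline.
$samples = @(
    [pscustomobject]@{ Name = 'normal-user';  userAccountControl = 512   }  # NORMAL_ACCOUNT only
    [pscustomobject]@{ Name = 'svc-noexpire'; userAccountControl = 66048 }  # 512 + 65536
    [pscustomobject]@{ Name = 'old-noexpire'; userAccountControl = 66050 }  # 512 + 65536 + 2 (disabled)
)
$samples | Select-Object Name,
    @{ n = 'Enabled';              e = { Test-AccountEnabled       $_.userAccountControl } },
    @{ n = 'PasswordNeverExpires'; e = { Test-PasswordNeverExpires $_.userAccountControl } } |
    Format-Table -AutoSize
# Expected: normal-user True/False, svc-noexpire True/True, old-noexpire False/True

# Live audit query (hypothetical helper): enabled users whose password never expires.
# Uses the answer's bitwise filter and the question's disabled-account exclusion,
# with strict (!(...)) grouping. Requires the ActiveDirectory module.
function Get-EnabledNonExpiringUsers {
    $filter = '(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
              '(userAccountControl:1.2.840.113556.1.4.803:=65536))'
    Get-ADUser -LDAPFilter $filter -Properties PasswordLastSet, userAccountControl |
        Select-Object SamAccountName, Enabled, PasswordLastSet,
            @{ n = 'PasswordNeverExpires'; e = { Test-PasswordNeverExpires $_.userAccountControl } }
}
```

Running Get-EnabledNonExpiringUsers gives the accounts that most need review, since a non-expiring password on an enabled account is what the 65536 bit actually means in practice.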