Friday, 20 March 2015

Powershell: Set AD Users Password Never Expires flag

We can set Active Directory user property values using Powershell cmdlet Set-ADUser. The Set-ADUser cmdlet modifies the properties of an Active Directory user. Normally, you can configure an AD user as password never expire user by setting the flag DONT_EXPIRE_PASSWORD (65536) in the AD user's userAccountControl attribute, but this Set-ADUser cmdlet supports the extended property PasswordNeverExpires, you can directly set value in this property and the cmdlet itself internally update the userAccountControl flag.

Powershell command to Configure Password Never Expires flag:

Set-ADUser -Identity <samAccountName> -PasswordNeverExpires $true
The Identity parameter specifies the Active Directory user to modify. You can identify a user by its samAccountName, distinguished name (DN), GUID and SID.

Modify AD Users from Specific OU:

You can select AD users from specific OU and set as password never expire users by using Get-ADUser and Set-ADUser cmdlets. You can set target OU scope by using the parameter SearchBase in Get-ADUser cmdlet. This following command select and set as password never expires flag of Active Directory users from the Organization Unit 'TestOU'.
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=TestOU,DC=TestDomain,DC=Local" |
  Set-ADUser -PasswordNeverExpires:$True

Update Specific set of AD Users with Filter:

You can filter sepecific set of AD users by using SQL like filter with Get-ADUser, users who are not familiar with LDAP filter can easily use this filter to get only specific set of AD users
Import-Module ActiveDirectory
Get-ADUser -Filter 'department -like "*Admin*"' |
  Set-ADUser -PasswordNeverExpires:$True
You can also use LDAP filter with Get-ADUser powershell cmdlet with more flexibility to filter Active Directory users.
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter '(Department=*Admin*)' |
  Set-ADUser -PasswordNeverExpires:$True

Modify Bulk AD Users Password Never Expire flag from CSV:

You can read Active Directory from csv file using Powershell cmdlet Import-CSV. Consider the CSV file ADUsers.csv (Ex file: Download ADUsers.csv) which contains set of AD users with the attribute samAccountName.

Modify Bulk AD Users Password Never Expire flag from CSV file
Import-Module ActiveDirectory
Import-Csv "C:\Scripts\ADUsers.csv" | ForEach-Object {
 $samAccountName = $_."samAccountName"
Get-ADUser -Identity $samAccountName | 
 Set-ADUser -PasswordNeverExpires:$True

Modify specific AD Group Members:

You can set password never expires flag for only specific Active Directory group members by getting AD group members using Get-ADGroupMember cmdlet. The following powershell script select all the members "TestGroup"  group and set as password never expire users.
Import-Module ActiveDirectory
Get-ADGroupMember -Identity "TestGroup" |
  Set-ADUser -PasswordNeverExpires:$True



  1. My brother recommended I might like this website. He was totally right.
    This post truly made my day. You can not imagine just how much time I had spent for this
    information! Thanks!

  2. Hello,

    Thank you very much for the part "Modify AD Users from Specific OU". Exactly what's I need. Good Website!
    Question: is it possible to have a result/list to indicate which accounts has been modified? I have tried to add | Export-csv -path c:\password-infos.csv but it's not working.