Search-ADAccount for user accounts with expiring passwords

Question

I've been tasked with finding service accounts (in our shop, that's user accounts starting with 'svc-' in the username) that have expiring passwords. Normally service accounts should not have expiring passwords, so I'm trying to find service accounts incorrectly created so they can be fixed.

I've been using Search-ADAccount and I'm having parameter issues. If I use this:

Search-ADAccount -PasswordNeverExpires | Where {$_.SamAccountName -like 'SVC-*'}

then I get long lists of results, none of which have expiring passwords. But if I'm including the -PasswordNeverExpires parameter, then I'm filtering out any accounts which do have expiring passwords, no?

I've also tried this:

Search-ADAccount | Where {$_.SamAccountName -like 'SVC-*' -and $_.PasswordNeverExpires -like 'FALSE' }

but I only get an error: "Parameter set cannot be resolved using the specified named parameters." That sounds like Search-ADAccount requires certain parameters, but I don't see in the help files which parameters are required.

It's counter-intuitive (to me) that Search-ADAccount has a parameter which can search for one Boolean condition (TRUE) but not the other.

Get-ADUser doesn't seem to have any password configuration info.

Answer 1

Yes, Trondh. That's it. I first looked at Get-ADUser, but the help files didn't mention anything about the PasswordNeverExpires parameter, and piping a single result into Get-Member didn't reveal any relevant property to search against.

In sum, this is the one-liner that worked: Get-ADUser -filter {PasswordNeverExpires -eq $False} | Where {$_.SamAccountName -like 'SVC-*'}

Thanks again.

Answer 2

I would just use get-aduser (need to clean up the filter param, I just banged this together in my head):

$adusers = Get-ADUser -Filter * -Properties * | where {$_.PasswordNeverExpires -eq $false}

Answer 3

did you try $_.PasswordNeverExpires -eq $false?