Get-ADUser -Properties not returning PasswordNeverExpires for all users

I am trying to list all users that have the PasswordNeverExpires flag set.

If I use

Get-ADUser

I get a list of all users in my domain, along with a load of default properties.

If I use

Get-ADUser -Filter * -Properties Name | Format-Table -Property Name -AutoSize

I also get a list of all usernames in my domain, as a table.

When I use

Get-ADUser -Filter * -Properties Name,PasswordNeverExpires | Format-Table -Property Name,PasswordNeverExpire

I get a table that contains a full list of usernames, but ONLY the following accounts have either True or False in the PasswordNeverExpires column:

Guest
krbtgt
Administrator
SBSMonAcct
Network Administrator
<MyDomainAdminAccount>
SPSearch
<AnAdministratorAccountForOneOfOurSoftwareVendors>
<AnAccountThatWasCopiedFromTheDomainAdministratorAccount>
<AnotherAccountCopiedFromTheDomainAdministratorAccount>

All the other items/usernames in the table have empty/blank/non-existent values.

I have also tried

Get-ADUser -LDAPFilter "(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

but that only returns

<MyDomainAdminAccount>
SPSearch

Why is the PasswordNeverExpires flag not being picked up for all users? Thanks.

Upvotes: 0

Views: 1910

Answers (2)

Parrish

Reputation: 177

Hmm, your third line pulls the property "PasswordNeverExpires" but selects "PasswordNeverExpire". If this was just a typo in your question, then disregard. If not, then there is your answer. :-)

Upvotes: 0

Bill_Stewart

Reputation: 24575

PasswordNeverExpires is calculated from the userAccountControl attribute.

Probably the fastest way to search for users that have that flag set is as follows:

Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=65536)" -Properties PasswordNeverExpires

See the documentation for more information on searching using a bitwise filter. 65536 (0x10000) corresponds to the ADS_UF_DONT_EXPIRE_PASSWD bit position, so this LDAP search filter searches only for accounts that have that flag set.

Upvotes: 1
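
The following is an added example, not part of either answer above. It shows how the PasswordNeverExpires and enabled/disabled states fall out of userAccountControl using the same bitwise-AND test as the LDAP filters on this page. The account names, their userAccountControl values and the helper name Test-UacBitAnd are constructed for illustration, so it runs without a domain controller.

```powershell
# Added example: sample accounts and values below are constructed.
# Flag values are the documented ADS_UF_* constants used in the filters above.
$ADS_UF_ACCOUNTDISABLE     = 0x2       # 2
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # 65536

# Hypothetical helper that emulates matching rule 1.2.840.113556.1.4.803
# (bitwise AND): true only when every bit of $Mask is set in $Value.
function Test-UacBitAnd {
    param([int]$Value, [int]$Mask)
    return (($Value -band $Mask) -eq $Mask)
}

# Constructed stand-ins for objects returned by
# Get-ADUser -Filter * -Properties userAccountControl
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';       userAccountControl = 512   }  # normal account
    [pscustomobject]@{ SamAccountName = 'svc-backup'; userAccountControl = 66048 }  # 512 + 65536
    [pscustomobject]@{ SamAccountName = 'old-admin';  userAccountControl = 66050 }  # 512 + 65536 + 2
    [pscustomobject]@{ SamAccountName = 'temp01';     userAccountControl = 514   }  # 512 + 2
)

# Derive both states from the raw attribute for every account.
$report = foreach ($a in $accounts) {
    $uac = $a.userAccountControl
    [pscustomobject]@{
        SamAccountName       = $a.SamAccountName
        userAccountControl   = $uac
        Enabled              = -not (Test-UacBitAnd $uac $ADS_UF_ACCOUNTDISABLE)
        PasswordNeverExpires = (Test-UacBitAnd $uac $ADS_UF_DONT_EXPIRE_PASSWD)
    }
}

# Equivalent of (userAccountControl:1.2.840.113556.1.4.803:=65536)
$report | Where-Object PasswordNeverExpires | Format-Table -AutoSize

# Equivalent of the question's filter: not disabled AND password never expires
$report | Where-Object { $_.Enabled -and $_.PasswordNeverExpires } |
    Format-Table -AutoSize
```

The second table is shorter than the first because disabled accounts with a non-expiring password are excluded by the extra bit-2 test, which matters when auditing for stale accounts that could later be re-enabled.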
