Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

 

How to track users accounts with Password never expires

As a security best practice it is recommended that users on a network create complex passwords and also change them periodically. Active Directory's password policies help administrators impose such password complexity requirements. With these complexity requirements in place, if a password is never set to expire, then administrators should analyze the reason behind it as it could be an incident.

'Password never expires' events are a threat because:

  • It could potentially mean an admin account has been compromised by an outsider or a malicious insider and they are making risky changes, such as changing the security settings, on the network.

  • Secondly, user accounts with passwords set to never expire is a low-hanging fruit for a brute force attacker, who has a much better chance at cracking the password as it never expires.

 

With native AD capability, the auditing of users with 'Password never expires', can be done by enabling Audit Policy and analyzing the generated logs using Windows Event Viewer.

Once the Audit Policy is in place, the Event Viewer records changes to the user account with a unique event ID, which can be inspected to find any users whose passwords settings were modified to 'Password never expires'. The administrator will have to go through all the logs on user account changes to find the ones in question.

Once the Audit Policy is in place, the Event Viewer records changes to the user account with a unique event ID, which can be inspected to find any users whose passwords settings were modified to 'Password never expires'. The administrator will have to go through all the logs on user account changes to find the ones in question.

This article compares the process of finding users with 'Password never expires' set in using native Active Directory tools and techniques and using ADAudit Plus. In both the cases, you need to enable auditing.

Download for FREE

Free, fully functional 30-day trial

  • With Native AD Auditing

  • With ADAudit Plus

  • ADAudit Plus generates reports by processing information from the Event Viewer. To view the reports, open ADAudit Plus console and navigate to Reports > User Management > Password Never Expires Set Users report. This report lists the users that have their passwords set to never expire and more importantly, displays the users who initiated this change. Here, unlike in native AD auditing, the administrator does not have to go through several logs to find the events that indicate that this setting has been applied. . They also can find the user account which initiated the modification of the password settings. Here is a sample report:

    how-to-get-a-list-of-users-with-password-never-expires-4

Steps to Enable Audit Policy

  • Open Server Manager on your Windows server.

  • Under the Manage tab, click on Group Policy Management to open the Group Policy Management Console.

  • Navigate to Forest > Domain > Your Domain > Domain Controllers.

  • You can choose to either edit an existing group policy object or create a new one.

  • In the Group Policy Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.

  • Expand the node and navigate to Audit Policy > Account Management > Audit User Account Management. Enable it for both 'Success' and 'Failure'.

    how-to-get-a-list-of-users-with-password-never-expires-1

  • Auditing 'Password never expires' event with native AD tools and techniques

  • Open Event Viewer to find the users who have 'Password never expires' set in their accounts.

  • Windows Event Viewer records all the changes to the objects in the directory for which auditing has been enabled. Every change is recorded as an event and is associated with a unique event ID.

  • To view the events, open Event Viewer and navigate to Windows Logs > Security. The pane in the center displays all the events that are being audited. Look for Event ID 4738 which indicates that a user account has changed.

    how-to-get-a-list-of-users-with-password-never-expires-2

    This image shows the event log filtered for event ID 4738.

  • Click on 'Filter Current Log' on the right pane to filter the events by event IDs, time range and a few other parameters. After the events have been filtered by event ID 4738, you can click on the logs for more details regarding the change. The administrator can read through the details of each log to find users who have passwords set to never expire.

    how-to-get-a-list-of-users-with-password-never-expires-3

Native auditing becoming a little too much?

Simplify Active Directory auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Related How-tos

Request 1-on-1 demo

  •  
  •  
  •  
  •  
  •  
  • -Select-
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.

Thanks

One of our solution experts will get in touch with you shortly.

ADAudit Plus Trusted By

Meet all auditing and IT security needs with ADAudit Plus.

  • Active Directory
  • File servers
  • Windows server
  • Workstation
  • Compliance
  • Related Products

A single pane of glass for complete Active Directory Auditing and Reporting

Free Trial Get Quote
Email Download Link