Setting a user account’s password to never expire is not recommended and can be a security risk. There are times when this can’t be avoided, such as when using a service account. Many vendors require a service to run under a service account that has a non-expiring password.

For regular user accounts, it’s best practice to have a password policy in place that requires users to change their password after a period of time (60 to 90 days is common). Administrators of Active Directory should do regular maintenance on AD objects.

The maintenance should include finding disabled user accounts, unused computer or user accounts, and accounts whose passwords are set to never expire. These identified accounts should be secured or removed, depending on your organization’s policy. This post provides three different methods for finding user accounts that have the password set to never expire.

Example 1: Find Common Queries

1. Open Active Directory Users and Computers.

2. Click the Find button on the toolbar.

3. In the Find Common Queries window, select Common Queries and Entire Directory. Check the Non Expiring Passwords box and click the Find Now button.
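The search above can also be run as a script when you want a report to triage rather than a result window. The following is an added example, not part of the original post: it matches the DONT_EXPIRE_PASSWORD bit in userAccountControl and labels each account for review. The 90-day threshold, the output file name and the triage labels are assumptions to adapt to your own policy.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# userAccountControl bit 0x10000 (65536) is DONT_EXPIRE_PASSWORD.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=65536))'

$staleDays = 90                                # assumption: set to your policy
$outFile   = '.\non-expiring-passwords.csv'    # assumption: hypothetical output path
$cutoff    = (Get-Date).AddDays(-$staleDays)

$props = 'Enabled', 'PasswordLastSet', 'LastLogonDate', 'ServicePrincipalName', 'Description'

$report = Get-ADUser -LDAPFilter $filter -Properties $props | ForEach-Object {
    # An SPN on the account suggests it runs a service; confirm before changing it.
    $hasSpn = $_.ServicePrincipalName.Count -gt 0

    # LastLogonDate comes from lastLogonTimestamp, which replicates with a lag
    # of up to about two weeks, so treat it as approximate.
    if (-not $_.Enabled)                  { $triage = 'Disabled' }
    elseif (-not $_.LastLogonDate)        { $triage = 'Never logged on' }
    elseif ($_.LastLogonDate -lt $cutoff) { $triage = 'Unused' }
    elseif ($hasSpn)                      { $triage = 'Has SPN (possible service account)' }
    else                                  { $triage = 'Active user' }

    [pscustomobject]@{
        SamAccountName    = $_.SamAccountName
        Enabled           = $_.Enabled
        PasswordLastSet   = $_.PasswordLastSet
        LastLogonDate     = $_.LastLogonDate
        HasSpn            = $hasSpn
        Triage            = $triage
        Description       = $_.Description
        DistinguishedName = $_.DistinguishedName
    }
}

# Full list for review, plus a per-category count on the console.
$report | Sort-Object Triage, SamAccountName | Export-Csv -Path $outFile -NoTypeInformation
$report | Group-Object Triage | Select-Object Name, Count
```

Accounts labelled "Active user" are the ones where a non-expiring password is least likely to be justified, and a very old PasswordLastSet value on any row is worth raising with the account owner.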