Below is a simple how-to of sorts to get the default domain password policy. Then to set PasswordNeverExpires as True Or False for a single user, specific ADGroup, specific OU or users in a CSV file.

ADUser-password-policy-expiry.md

Default Domain Password Policy and Set Password Expiry

Below is a simple how-to of sorts to get the default domain password policy.

Then to set PasswordNeverExpires as True Or False for a single user, specific ADGroup, specific OU or users in a CSV file.

Notes:

• Specify PasswordNeverExpires as $true to set expire $false to not expire.
• It is recommended users do have an expiring password as a simple security measure by default.
• The default MaxPasswordAge if not explicitly defined, is set to 42 days (via Default Domain Policy / GPO).
• These commands are used in Powershell. It requires the powershell module ActiveDirectory to be imported first.

---

To get the default domain password policy try this

Get-ADDefaultDomainPasswordPolicy -Identity contoso.com

Replace contoso.com with your own domain

---

Configure Password Never Expires flag:

Set-ADUser -Identity <samAccountName> -PasswordNeverExpires $true

---

Modify AD Users from Specific OU

Get-ADUser -Filter * -SearchBase "OU=TestOU,DC=TestDomain,DC=Local" | 

Set-ADUser -PasswordNeverExpires:$True 

---

Modify Bulk AD Users Password Never Expire flag from CSV

Import-Csv "C:\NonExpiringPasswordUsers.csv" | ForEach-Object { 

 $samAccountName = $_."samAccountName" 

Get-ADUser -Identity $samAccountName |  

 Set-ADUser -PasswordNeverExpires:$False 

} 

---

Modify specific AD Group Members

Get-ADGroupMember -Identity "TestGroup" | 

Set-ADUser -PasswordNeverExpires:$True