Do you know how many domain admins you have in your domain? Do you know which domain admins are running with “password never expires” enabled? Thanks to Powershell it is easy to find out.
# Variables below
#
$domainadmins=(Get-ADGroupMember -Identity "Domain admins" | Get-ADUser -Properties PasswordNeverexpires, lastlogondate)
#*********************************************************************************************
# Output to screen
$domainadmins | Sort -Descending -Property PasswordNeverexpires | Select-Object Name, Samaccountname, lastlogondate, Enabled, PasswordNeverExpires | ft -autosize
#
This will display on your screen all members in “Domain Admins” with the last logon time, if the account is enabled and if the “password never expires” is set.
If you want a file export you can use this line instead of output to screen:
# Output to file
$domainadmins | Sort -Descending -Property PasswordNeverexpires | Select-Object Name, Samaccountname, lastlogondate, Enabled, PasswordNeverExpires | Export-Csv C:\Temp\domainadmins.csv -Encoding UTF8 -Delimiter ","
