Active Directory Password Report

Weak password configurations are one of the most common security gaps in Active Directory environments. AD FastReporter provides built-in reports to identify users with passwords that never expire, accounts storing passwords with reversible encryption, recent password changes, and other password-related risks — all without writing PowerShell scripts.

Why Password Reporting Matters

Active Directory stores several password-related attributes for each user account. These attributes control whether a password expires, when it was last changed, whether it's stored using reversible encryption, and whether the user can change their own password. Misconfigurations in any of these settings can create security vulnerabilities that are easy to miss during day-to-day administration but critical for auditors and security teams to identify.

For example, accounts with "Password Never Expires" set are exempt from your domain's maximum password age. The length, complexity and history rules still apply whenever the password is changed, but nothing ever forces that change. The flag is sometimes intentional for service accounts, yet it is frequently set on regular user accounts by mistake or for convenience and then forgotten. Over time these accounts accumulate passwords that may be years old, never rotated, and increasingly exposed to compromise.

Similarly, accounts configured to "Store password using reversible encryption" keep the password in a form the domain controller can decrypt back to plaintext. The setting exists for protocols that need the cleartext password on the server side (such as CHAP and Digest authentication), but when enabled unnecessarily it significantly weakens your security posture: anyone who can read the directory database or dump a domain controller's secrets recovers the password itself, not a hash. Most organizations should have zero user accounts with this flag enabled.

Built-in Password Reports in AD FastReporter

AD FastReporter includes several built-in reports focused specifically on password security:

Users with Password Never Expires

Find every account where the DONT_EXPIRE_PASSWD flag (0x10000) is set in the userAccountControl attribute. This is one of the most frequently requested reports during security audits. Ideally, only service accounts with documented justifications should appear here.

Users with Passwords Stored Using Reversible Encryption

Identify accounts with the ENCRYPTED_TEXT_PASSWORD_ALLOWED flag (0x80) enabled. These passwords can be decrypted to plaintext, which is a significant security risk. This report helps you find and remediate these accounts before an auditor does.

Users That Changed Their Password in the Last 30/60 Days

Track recent password changes across your domain. Useful for verifying that password rotation policies are being followed, or for investigating suspicious activity where an attacker may have changed a user's password.

Users Who Must Change Password at Next Logon

Find accounts flagged to require a password change. Active Directory records this by setting pwdLastSet to 0; it is commonly set during account creation or after a password reset by an administrator. A large number of accounts with this flag may indicate stale accounts that were reset but never used.

Users Who Cannot Change Password

Identify accounts where the user has been explicitly prevented from changing their own password. Unlike the other settings in this list, this is not a userAccountControl bit: it is implemented as deny entries for the "Change Password" right in the account's security descriptor. The setting is sometimes used for shared or kiosk accounts but can be a security concern if applied broadly, because it stops users from rotating a password they suspect is compromised.

Users with Password Not Required

Find accounts where the PASSWD_NOTREQD flag (0x20) is set. The flag bypasses the minimum password length policy, so these accounts can exist with a blank password, which is a critical security gap. It is sometimes set during bulk imports or migrations and then overlooked.

Password-Related Fields for Custom Reports

In addition to the built-in reports, you can add password-related fields to any user report in AD FastReporter. Available fields include:

Password Last Changed

The date and time the password was last set, derived from the pwdLastSet attribute.

Password Never Expires

Whether the account is exempt from the domain password expiration policy.

Password Not Required

Whether the account is allowed to exist without a password.

Cannot Change Password

Whether the user is prevented from changing their own password.

Store Password Using Reversible Encryption

Whether the password is stored in a decryptable form rather than a one-way hash.

Password Expired

Whether the account's password has expired based on the domain policy and the pwdLastSet value.

The userAccountControl flags (Password Never Expires, Password Not Required, Store Password Using Reversible Encryption) are automatically decoded from the bitmask into clear Yes/No values, Password Expired is computed from pwdLastSet and the applicable password policy, and Cannot Change Password is read from the account's security descriptor. You don't need to calculate bitmask values manually: AD FastReporter shows "Password Never Expires: Yes" instead of a raw integer such as 66048.

Password Reporting Without PowerShell

The PowerShell approach typically involves Get-ADUser -Filter {PasswordNeverExpires -eq $true} or Search-ADAccount -PasswordExpired. These commands work for single queries, but combining multiple password attributes into one report — for example, showing all users alongside their password age, expiry status, and reversible encryption flag — requires more complex scripting with calculated properties and format expressions.

AD FastReporter lets you build these multi-field reports visually. Select a password report, add additional fields like Department or Manager for context, and generate. The results appear in a single grid with all values already decoded and formatted. This is particularly valuable when preparing audit evidence, where you need a clean, presentable report rather than PowerShell console output.
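For readers who do want to see what the scripted equivalent looks like, the following PowerShell is an added example written for this page; it is not AD FastReporter's code. It decodes the password-related userAccountControl bits named in the report list above, converts pwdLastSet from its FILETIME form, and combines the results into one row per user. It runs offline against constructed sample objects; the 90-day maximum password age and the sample account names are assumptions for the demonstration.

```powershell
# Added example (not AD FastReporter code): decode password-related
# userAccountControl bits and derive password age/expiry from pwdLastSet.

# Documented userAccountControl bit values
$UAC_PASSWD_NOTREQD                  = 0x0020    # 32
$UAC_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080    # 128
$UAC_DONT_EXPIRE_PASSWD              = 0x10000   # 65536

function Convert-PwdLastSet {
    # pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
    # 0 means "must change password at next logon".
    param([long]$Value)
    if ($Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function Get-PasswordReportRow {
    param(
        # Needs SamAccountName, userAccountControl and pwdLastSet properties
        [Parameter(Mandatory)] $User,
        # Assumed policy; in a real domain read
        # (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
        [TimeSpan]$MaxPwdAge = [TimeSpan]::FromDays(90),
        [DateTime]$Now = [DateTime]::UtcNow
    )
    $uac          = [int]$User.userAccountControl
    $lastSet      = Convert-PwdLastSet $User.pwdLastSet
    $neverExpires = ($uac -band $UAC_DONT_EXPIRE_PASSWD) -ne 0
    $age          = if ($null -ne $lastSet) { $Now - $lastSet } else { $null }

    [PSCustomObject]@{
        SamAccountName        = $User.SamAccountName
        PasswordLastChanged   = $lastSet
        PasswordAgeDays       = if ($null -ne $age) { [math]::Floor($age.TotalDays) } else { $null }
        MustChangeAtNextLogon = ($User.pwdLastSet -eq 0)
        PasswordNeverExpires  = $neverExpires
        PasswordNotRequired   = ($uac -band $UAC_PASSWD_NOTREQD) -ne 0
        ReversibleEncryption  = ($uac -band $UAC_ENCRYPTED_TEXT_PASSWORD_ALLOWED) -ne 0
        # Expired only if subject to expiry, actually set, and older than MaxPwdAge
        PasswordExpired       = (-not $neverExpires) -and ($null -ne $age) -and ($age -gt $MaxPwdAge)
    }
}

# Constructed sample users (not real directory data). Against a live domain use:
#   Get-ADUser -Filter * -Properties userAccountControl, pwdLastSet
$now = [DateTime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [PSCustomObject]@{ SamAccountName = 'alice';      userAccountControl = 512;   pwdLastSet = $now.AddDays(-20).ToFileTimeUtc() }   # normal user, fresh password
    [PSCustomObject]@{ SamAccountName = 'bob';        userAccountControl = 512;   pwdLastSet = $now.AddDays(-200).ToFileTimeUtc() }  # normal user, past 90 days
    [PSCustomObject]@{ SamAccountName = 'svc-backup'; userAccountControl = 66048; pwdLastSet = $now.AddDays(-900).ToFileTimeUtc() }  # 512 + 65536: never expires
    [PSCustomObject]@{ SamAccountName = 'legacy';     userAccountControl = 640;   pwdLastSet = $now.AddDays(-5).ToFileTimeUtc() }    # 512 + 128: reversible encryption
    [PSCustomObject]@{ SamAccountName = 'import01';   userAccountControl = 544;   pwdLastSet = 0 }                                   # 512 + 32: no password required, must change at logon
)

$sample | ForEach-Object { Get-PasswordReportRow -User $_ -Now $now } | Format-Table -AutoSize
```

Two practical notes. First, when the directory is large, let the domain controller do the filtering with the LDAP bitwise-AND matching rule rather than pulling every user, for example `Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=65536)'` for non-expiring passwords. Second, the PasswordExpired column above uses a single domain-wide maximum age; if fine-grained password policies are in use, the authoritative answer per account is the constructed attribute msDS-UserPasswordExpiryTimeComputed, which any report should prefer over its own arithmetic.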

How to Generate a Password Report

  1. Launch AD FastReporter and connect to your domain.
  2. In the report categories, select Users.
  3. Choose a password report — for example, "Users with a password never expire" or "Users with passwords stored using reversible encryption".
  4. Click Customize to add fields like Password Last Changed, Department, or Manager.
  5. Click Generate to run the report.
  6. Review results in the grid. With the Pro version, export to CSV, Excel, or PDF for audit documentation.

Common Use Cases

Security Audit Preparation

Auditors commonly ask for a list of all accounts with non-expiring passwords and accounts with reversible encryption. AD FastReporter produces both reports immediately. Export to Excel for the auditor, and you've addressed two of the most common audit findings in minutes.

Service Account Inventory

Service accounts often have "Password Never Expires" set by design, but they still need to be inventoried and their passwords rotated on a schedule. Run the password never expires report, cross-reference with account names that follow your service account naming convention, and you have a service account password rotation checklist.

Password Policy Compliance Verification

After implementing a new password policy, verify that it's taking effect. The "Password changed in the last 30/60 days" report shows you which users have rotated their passwords since the policy change — and by exclusion, which haven't.

Reversible Encryption Remediation

If you discover accounts with reversible encryption enabled, simply disabling the flag is not enough — the password is already stored in the reversible format. The user must also change their password for the new (non-reversible) storage to take effect. The AD FastReporter report gives you the list of affected accounts so you can enforce password resets.
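The remediation described above, as an added PowerShell example rather than anything shipped with AD FastReporter. It assumes the ActiveDirectory module and a connection to the domain, and it runs as a dry run (-WhatIf) unless you pass -Apply. Save it as a script file (the name Fix-ReversibleEncryption.ps1 is an assumption) and run it after reviewing the report.

```powershell
# Added example (not AD FastReporter code): clear the reversible-encryption
# flag and force a password change so the stored credential is rewritten
# as a one-way hash. Dry run by default; pass -Apply to make changes.
param([switch]$Apply)

$whatIf = -not $Apply

# LDAP bitwise-AND matching rule: userAccountControl has bit 0x80 (128) set
$filter   = '(userAccountControl:1.2.840.113556.1.4.803:=128)'
$affected = Get-ADUser -LDAPFilter $filter -Properties userAccountControl, PasswordNeverExpires, pwdLastSet

foreach ($u in $affected) {
    # Step 1: stop storing future passwords reversibly. The current password
    # stays reversible until it is changed, so step 2 is mandatory.
    Set-ADUser -Identity $u -AllowReversiblePasswordEncryption $false -WhatIf:$whatIf

    if ($u.PasswordNeverExpires) {
        # Service-style accounts never log on interactively, so "change at
        # next logon" would never fire. Rotate the secret directly and update
        # whatever consumes it; this needs the account owner, not a script.
        Write-Warning ("{0}: PasswordNeverExpires is set; rotate with " +
            "Set-ADAccountPassword -Reset and update the dependent service." -f $u.SamAccountName)
    }
    else {
        # Step 2: force an interactive user to choose a new password
        # (this sets pwdLastSet to 0, which the report lists as "must change").
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf:$whatIf
    }
}
```

One caveat before relying on the per-account flag: the same setting can be switched on for everyone by the "Store passwords using reversible encryption" policy in the Default Domain Policy or a fine-grained password policy. Check `(Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled` and any PSOs first; if a policy enables it, clearing individual accounts will not help until the policy is fixed.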

Download AD FastReporter

Generate password security reports in clicks — free version available, no registration required.

Request 7-day free trial

Use of this site constitutes acceptance of our Privacy Policy and EULA. Copyright © Albus Bit SIA