Guest bildos
Posted January 13, 2008

How to display users with expired password?

Any ideas for query? The best will be query for "Active Directory Users and Computers"

Regards!

Guest Pegasus (MVP)
Posted January 13, 2008

Re: How to display users with expired password?

"bildos" <bildos@gmail.com> wrote in message news:e0ph8cfVIHA.4768@TK2MSFTNGP02.phx.gbl...
> How to display users with expired password?
> Any ideas for query? The best will be query for "Active Directory Users
> and Computers"
>
> Regards!
>

Have a look here: "How Can I Get a List of All the Disabled User Accounts in Active Directory?"
http://www.microsoft.com/technet/scriptcenter/resources/qanda/may05/hey0512.mspx

Guest Richard Mueller [MVP]
Posted January 13, 2008

Re: How to display users with expired password?

bildos wrote:
> How to display users with expired password?
> Any ideas for query? The best will be query for "Active Directory Users
> and Computers"
>

Determining when the password expires for an account is not simple. See this link:

http://msdn2.microsoft.com/en-us/library/ms974598.aspx

However, if you do a bit of work ahead of time, you can query for all users that have not changed their password recently. For example, if passwords must be reset every 60 days in your domain, you want users that have not changed their password since 60 days ago, say November 13, 2007.

The pwdLastSet attribute of user objects has the date/time the password was last set. However, it is Integer8, a 64-bit number representing the date/time (in UTC) as the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. I have a VBScript program that converts a date/time in your local time zone to the corresponding Integer8 value linked here:

http://www.rlmueller.net/Programs/DateToInteger8.txt

Using this program I find that 12:00 AM November 13, 2007, corresponds to the value (in my time zone):

128394072000000000

A query in ADUC for all users that have not changed their password since November 13, 2007, (in my time zone) would be:

(&(objectCategory=person)(objectClass=user)(pwdLastSet<=128394072000000000))

Otherwise, I also have a VBScript program that documents the date/time when every user in the domain last changed their password linked here:

http://www.rlmueller.net/PwdLastChanged.htm

A date/time of 1/1/1601 (January 1, 1601) means never.

Also, you can use Joe Richards' adfind utility. I believe the command to document when all users last changed their password would be:

adfind -tdc -default -f "(&(objectCategory=person)(objectClass=user))" pwdLastSet -sort pwdLastSet

You can get this free utility at:

http://joeware.net/freetools/tools/adfind/index.htm

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
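
The Integer8 conversion and the ADUC filter described in Richard Mueller's reply above, as an added Python example that is not part of the original thread and not the VBScript program it links to. The function names are hypothetical, and the UTC-6 offset is an assumption, chosen because it reproduces the value quoted in the reply.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# 1601-01-01 00:00 UTC, the zero point of Integer8 (FILETIME) values.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_integer8(moment: datetime) -> int:
    """Timezone-aware datetime -> count of 100-ns intervals since 1601 (UTC)."""
    if moment.tzinfo is None:
        raise ValueError("naive datetime: the UTC offset decides the result")
    delta = moment - EPOCH_1601
    # Integer arithmetic only: a float cannot hold all 18 digits exactly.
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_integer8(value: int) -> Optional[datetime]:
    """Integer8 -> UTC datetime; 0 (displayed as 1/1/1601) means never."""
    if value == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def stale_password_filter(cutoff: datetime, skip_never_set: bool = False) -> str:
    """LDAP filter for users whose pwdLastSet is at or before the cutoff."""
    clauses = [
        "(objectCategory=person)",
        "(objectClass=user)",
        f"(pwdLastSet<={to_integer8(cutoff)})",
    ]
    if skip_never_set:
        # pwdLastSet=0 also satisfies "<=", so drop those entries on request.
        clauses.append("(!(pwdLastSet=0))")
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed input: midnight 13 Nov 2007 at UTC-6 (assumed offset).
    cutoff = datetime(2007, 11, 13, tzinfo=timezone(timedelta(hours=-6)))
    print(stale_password_filter(cutoff))
    print(from_integer8(128394072000000000))
```

The same cutoff expressed in another time zone gives a different Integer8 value, which is why the reply qualifies its number with "in my time zone".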