How to display users with expired password ?

[Guest bildos]

How to display users with expired password ?

Any ideas for query ? The best will be query for "Active Directory Users and

Computers"

 

Redgards!

[Guest Pegasus \(MVP\)]

Re: How to display users with expired password ?

 

 

"bildos" <bildos@gmail.com> wrote in message

news:e0ph8cfVIHA.4768@TK2MSFTNGP02.phx.gbl...

> How to display users with expired password ?

> Any ideas for query ? The best will be query for "Active Directory Users

> and Computers"

>

> Redgards!

>

 

Have a look here:

"How Can I Get a List of All the Disabled User Accounts in Active

Directory?"

http://www.microsoft.com/technet/scriptcenter/resources/qanda/may05/hey0512.mspx

[Guest Richard Mueller [MVP]]

Re: How to display users with expired password ?

 

bildos wrote:

> How to display users with expired password ?

> Any ideas for query ? The best will be query for "Active Directory Users

> and Computers"

>

 

Determining when the password expires for an account is not simple. See this

link:

 

http://msdn2.microsoft.com/en-us/library/ms974598.aspx

 

However, if you do a bit of work ahead of time, you can query for all users

that have not changed their password recently. For example, if passwords

must be reset every 60 days in your domain, you want users that have not

changed their password since 60 days ago, say November 13, 2007. The

pwdLastSet attribute of user objects has the date/time the password was last

set. However, it is Integer8, a 64-bit number representing the date/time (in

UTC) as the number of 100-nanosecond intervals since 12:00 AM January 1,

1601. I have a VBScript program that converts a date/time in your local time

zone to the corresponding Integer8 value linked here:

 

http://www.rlmueller.net/Programs/DateToInteger8.txt

 

Using this program I find that 12:00 AM November 13, 2007, corresponds to

the value (in my time zone):

 

128394072000000000

 

A query in ADUC for all users that have not changed their password since

November 13, 2007, (in my time zone) would be:

 

(&(objectCategory=person)(objectClass=user)(pwdLastSet<=128394072000000000))

 

Otherwise, I also have a VBScript program that documents the date/time when

every user in the domain last changed their password linked here:

 

http://www.rlmueller.net/PwdLastChanged.htm

 

A date/time of 1/1/1601 (January 1, 1601) means never. Also, you can use Joe

Richards' adfind utility. I believe the command to document when all users

last changed their password would be:

 

adfind -tdc -default -f "(&(objectCategory=person)(objectClass=user))"

pwdLastSet -sort pwdLastSet

 

You can get this free utility at:

 

http://joeware.net/freetools/tools/adfind/index.htm

 

--

Richard Mueller

Microsoft MVP Scripting and ADSI

Hilltop Lab - http://www.rlmueller.net

--