jimbonics asked:
How to find User Password Expiration Date in AD
Hi!
We have a standard pw policy that states every 90 days your password must be changed. This is no problem for most of our users, like our ones in the office on the LAN and those using OWA.
However, there are those that are higher maintenance and ALWAYS get locked out.
Is there a reporting tool or some such that will tell me when the passwords for all the users in my AD are going to expire?
Thanks!
Jim Isaacs
If you want to tell the users when their password is going to expire, look for the PEWA tool from Microsoft. It was designed for Exchange 5.5 but works on later versions. Run it every night and the users will get an email message.
Simon.
oops, I'm sorry, this will show the info only for one user... here's the updated script, which will show info for all users:
Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Const ADS_SCOPE_SUBTREE = 2

' Query AD through the ADSI OLE DB provider (ADO)
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Change DC=Domain,DC=com to your own domain's naming context
objCommand.CommandText = _
    "Select Name, distinguishedName from 'LDAP://DC=Domain,DC=com' Where objectClass='user' AND objectClass <> 'computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    ' Skip the Exchange SystemMailbox accounts
    If (InStr(objRecordSet.Fields("Name").Value, "SystemMailbox") = 1) Then
        objRecordSet.MoveNext
    Else
        ldapStr = "LDAP://" & objRecordSet.Fields("distinguishedName").Value
        Set objUserLDAP = GetObject(ldapStr)
        intCurrentValue = objUserLDAP.Get("userAccountControl")
        Wscript.Echo "Name: " & objRecordSet.Fields("Name").Value
        ' Bitwise test of the "password never expires" flag
        If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
            Wscript.Echo "The password does not expire."
        Else
            ' PasswordLastChanged raises an error for accounts set to
            ' "must change password at next logon" (pwdLastSet = 0)
            dtmValue = objUserLDAP.PasswordLastChanged
            Wscript.Echo "The password was last changed on " & _
                DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
                "The difference between when the password was last set " & _
                "and today is " & int(now - dtmValue) & " days"
            intTimeInterval = int(now - dtmValue)
            ' Change Domain.com to your domain name; MaxPasswordAge is returned in seconds
            Set objDomainNT = GetObject("WinNT://Domain.com")
            intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
            If intMaxPwdAge < 0 Then
                WScript.Echo "The Maximum Password Age is set to 0 in the " & _
                    "domain. Therefore, the password does not expire."
            Else
                intMaxPwdAge = (intMaxPwdAge/SEC_IN_DAY)
                Wscript.Echo "The maximum password age is " & intMaxPwdAge & " days"
                If intTimeInterval >= intMaxPwdAge Then
                    Wscript.Echo "The password has expired."
                Else
                    Wscript.Echo "The password will expire on " & _
                        DateValue(dtmValue + intMaxPwdAge) & " (" & _
                        int((dtmValue + intMaxPwdAge) - now) & " days from today" & _
                        ")."
                End If
            End If
        End If
        Wscript.Echo "============================================================"
        objRecordSet.MoveNext
    End If
Loop
once again, change the 'LDAP://DC=Domain,DC=com' and the Set objDomainNT = GetObject("WinNT://Domain.com") values to accommodate your domain name...
I just tested this on my machine, and it works wonderfully. If you want to improve readability, you can pipe the output into a text file, like:
cscript.exe c:\script.vbs > c:\expire.txt
ASKER
I'd like to thank everyone for their help and replies.
ZabaqaR gets half the points and the Accepted answer, as that's the solution that worked best for us
Yula gets half the points... well... because ... look at all that code he helped us out with. THREE responses with varying options, he went above and beyond.
Simon... sorry man, the PEWA tool doesn't work on Exchange 2003... I suppose I should have mentioned what server I was using.
Thanks to all!
ASKER
Yula = yuja :o
:) it's all good:)
thanks.
but anyway...
open notepad on the computer which can query the Active Directory (to make sure this works, just go to your Domain Controller and create the script in there).
paste the following
Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

' Placeholder DN: replace with the distinguished name of the user to check
Set objUserLDAP = GetObject _
    ("LDAP://CN=administrator,CN=Users,DC=Domain,DC=com")
intCurrentValue = objUserLDAP.Get("userAccountControl")

' Bitwise test of the "password never expires" flag
If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
    Wscript.Echo "The password does not expire."
Else
    ' PasswordLastChanged raises an error for accounts set to
    ' "must change password at next logon" (pwdLastSet = 0)
    dtmValue = objUserLDAP.PasswordLastChanged
    Wscript.Echo "The password was last changed on " & _
        DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
        "The difference between when the password was last set " & _
        "and today is " & int(now - dtmValue) & " days"
    intTimeInterval = int(now - dtmValue)

    ' Placeholder: replace mydomain with your domain name; MaxPasswordAge is returned in seconds
    Set objDomainNT = GetObject("WinNT://mydomain")
    intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
    If intMaxPwdAge < 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."
    Else
        intMaxPwdAge = (intMaxPwdAge/SEC_IN_DAY)
        Wscript.Echo "The maximum password age is " & intMaxPwdAge & " days"
        If intTimeInterval >= intMaxPwdAge Then
            Wscript.Echo "The password has expired."
        Else
            Wscript.Echo "The password will expire on " & _
                DateValue(dtmValue + intMaxPwdAge) & " (" & _
                int((dtmValue + intMaxPwdAge) - now) & " days from today" & _
                ")."
        End If
    End If
End If
change the following strings to accommodate your environment:
("LDAP://CN=administrator,
this will be the user which has the permissions to query or modify AD data (presumably, you:))
if your domain is, say, somedomain.net, change the last part to DC=somedomain,DC=net
the first part, you have to list the hierarchical path to your user account. if it's under, say, "Company Employees -> Main Office -> IT Staff -> Admin" OU, you should put OU=Admin,OU=IT Staff, OU=Main Office,OU=Company Employees
the CN should be your username in the domain.
then, change the
Set objDomainNT = GetObject("WinNT://mydomai
save the file with vbs extension (let's say, to C drive, as script.vbs)
go to start->run->cmd
change the current folder to the folder where your script is.
type "cscript.exe script.vbs" (without the quotation marks)
voila.
btw, this is the script from microsoft scripting center (http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/pwds/uspwvb08.mspx)
there's a ton more scripts there (most of which are basically "plug and play" and only need some domain-specific values to be changed), and a ton of scripts specifically to work with active directory:
http://www.microsoft.com/technet/scriptcenter/scripts/ad/default.mspx
hopefully, this will help
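As an added example (not from this thread and not Microsoft's script), the Python below does the same expiry arithmetic as the single-user and all-users VBScripts above, but on the raw LDAP attribute values (pwdLastSet, userAccountControl, maxPwdAge) as any LDAP client returns them, and it also covers the cases the VBScript does not: pwdLastSet = 0 (must change at next logon) and a domain with no maximum age. The policy and accounts are constructed sample data, and fine-grained password policies are ignored.

```python
from datetime import datetime, timedelta, timezone
# AD stores pwdLastSet and maxPwdAge as 100-nanosecond counts (FILETIME epoch
# 1601-01-01); maxPwdAge is negative, and 0 or -2**63 means "never expires".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # same userAccountControl flag as the VBScript
MAXPWDAGE_NEVER = -0x8000000000000000

def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def password_expiry(pwd_last_set, user_account_control, max_pwd_age, now):
    """Classify one account as 'never', 'must-change', 'expired' or 'valid'
    and return (status, expiry datetime or None). Only the domain-wide
    maxPwdAge is considered; fine-grained password policies are ignored."""
    if user_account_control & ADS_UF_DONT_EXPIRE_PASSWD:
        return "never", None
    if max_pwd_age in (0, MAXPWDAGE_NEVER):
        return "never", None
    if pwd_last_set == 0:
        # "User must change password at next logon": nothing to compute,
        # and the VBScript's PasswordLastChanged call fails on this case.
        return "must-change", None
    max_age = timedelta(microseconds=(-max_pwd_age) // 10)
    expires = filetime_to_datetime(pwd_last_set) + max_age
    return ("expired" if expires <= now else "valid"), expires

def expiry_report(accounts, max_pwd_age, now):
    """accounts: iterable of (sAMAccountName, pwdLastSet, userAccountControl).
    Returns (name, status, expiry or None, days left or None) per account."""
    rows = []
    for name, pls, uac in accounts:
        status, expires = password_expiry(pls, uac, max_pwd_age, now)
        days_left = (expires - now).days if expires else None
        rows.append((name, status, expires, days_left))
    return rows

# Constructed sample data: a 90-day domain policy and four accounts (0x200 = NORMAL_ACCOUNT).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
MAX_PWD_AGE_90D = -90 * 86400 * 10_000_000
def ft_on(y, m, d): return datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))
SAMPLE_ACCOUNTS = [("alice", ft_on(2024, 1, 1), 0x200), ("bob", ft_on(2023, 10, 1), 0x200),
                   ("svc_backup", ft_on(2023, 1, 1), 0x10200), ("newhire", 0, 0x200)]

if __name__ == "__main__":
    for name, status, expires, days in expiry_report(SAMPLE_ACCOUNTS, MAX_PWD_AGE_90D, NOW):
        print(f"{name:12} {status:12} {(str(expires.date()) if expires else '-'):12} {days}")
```

Feed it the attribute values from an LDAP query of your own domain (maxPwdAge lives on the domain naming context) to get the same report without the WinNT provider.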