FphcareEnginner
asked on
LDAP Query for expiring passwords
I am trying to find an LDAP query that tells me which users' passwords are going to expire (within 3-4 days) in a particular group.
Can anybody help?
ASKER
Hi
Thanks
I can successfully use this command but want to query only members of a specific group. Could not get it right with DS query and thought an LDAP query would be better.
Can this be done with DS query?
There are far more efficient tools than DS Query that allow for more filters. Take a look at this site; you will have to download the utility, but this is probably what you are looking for. It will allow the query of specific OUs.
http://www.joeware.net/freetools/tools/findexpacc/usage.htm
ASKER
Thanks, unfortunately due to some internal legal reasons, we cannot use any 3rd party tools and want to try to proceed with an LDAP query.
Understood~ Well, then you will have to get into some C-Sharp programming or vbscripting.
Too bad you can't use joe's tools... they are great
The ldap query is a pain because of how accountexpires is stored
http://msdn.microsoft.com/en-us/library/ms675098(VS.85).aspx
The date when the account expires. This value represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires.
So let's say you wanted an LDAP query for users that were going to expire before May 7th, 2009. The users are in a group called test.
In ADUC custom search advanced the query would be
(objectcategory=person)(objectclass=user)(memberof=DNofgroup)(accountexpires=12886142400075000)
I had to use a program to convert the "friendly" date of May 7th to that 64-bit integer.
That is why Valley suggested a script if you can't use a tool but just wanted to give some more info.
Thanks
Mike
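The conversion and filter described in the post above, sketched in PowerShell as an added example that is not part of the original thread: it turns a cutoff date into the 64-bit accountExpires value and builds a filter limited to one group's members. The group DN and the sample attribute values are constructed, and the function names are hypothetical.

```powershell
# Added example. The group DN and sample attribute values are constructed.

function ConvertTo-AdFileTime {
    # 100-nanosecond intervals since 1601-01-01 UTC, the format accountExpires uses.
    # A date with no explicit kind is read as local time before conversion.
    param([Parameter(Mandatory)][datetime]$Date)
    $Date.ToUniversalTime().ToFileTimeUtc()
}

function ConvertFrom-AccountExpires {
    # 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires"; return $null for them.
    param([Parameter(Mandatory)][int64]$Value)
    if ($Value -eq 0 -or $Value -eq [int64]::MaxValue) { return $null }
    [datetime]::FromFileTimeUtc($Value)
}

function Protect-LdapFilterValue {
    # RFC 4515 escaping so ( ) * or \ inside a DN cannot alter the filter.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function New-ExpiringMemberFilter {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][datetime]$Before,
        [switch]$Nested   # also match members of nested groups
    )
    $dn = Protect-LdapFilterValue $GroupDn
    # Plain memberOf matches direct members only; the matching rule OID walks nesting.
    $member = if ($Nested) { "(memberOf:1.2.840.113556.1.4.1941:=$dn)" } else { "(memberOf=$dn)" }
    $cutoff = ConvertTo-AdFileTime $Before
    # accountExpires>=1 drops the 0 sentinel; the upper bound drops 0x7FFFFFFFFFFFFFFF.
    # LDAP filters have no "<" operator, so the bound is inclusive (<=).
    '(&(objectCategory=person)(objectClass=user){0}(accountExpires>=1)(accountExpires<={1}))' -f $member, $cutoff
}

$filter = New-ExpiringMemberFilter -GroupDn 'CN=test,OU=Groups,DC=example,DC=com' -Before '2009-05-07'
$filter

# Decode constructed sample values as they would come back from a search.
foreach ($raw in 0, [int64]::MaxValue, 128861280000000000) {
    $when = ConvertFrom-AccountExpires $raw
    '{0} -> {1}' -f $raw, $(if ($null -eq $when) { 'never expires' } else { $when.ToString('u') })
}
```

The resulting string can be passed to any LDAP search, for example `([adsisearcher]$filter).FindAll()`. pwdLastSet is stored in the same 64-bit format, so the same conversion applies when the filter needs to work on password age instead of account expiry.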
ASKER CERTIFIED SOLUTION
dsquery user -stalepwd n