Retrieve a user password through logon script

Some users in the network, when first created in the AD, did not have the option "Users Must Change Password at next Log On" ticked, so many of them are still using the default password they got the first time.
Now we would like to have a logon script that tests whether the password equals the default and its age is greater than 02 days; if so, the user name will be written to a text file. That way we can tell which of the people have had that default password for more than 02 days.

Thanks
Chuckbuchan Asked:

Lee W, MVP Technology and Business Process Advisor Commented:
You're not going to be able to do that via login script - that would be a security risk. You could get software like "LC5" (L0pht Crack 5) from Symantec (website, I think, still answers at www.atstake.com). It can do audits of your passwords on the network. But it won't tell you how old they are. For that, you'd need to query Active Directory.
0
Lee W, MVP Technology and Business Process Advisor Commented:
Have a look at this article:
http://www.winnetmag.com/WindowsScripting/Article/ArticleID/40885/40885.html
(you may need a subscription, but this magazine is WELL WORTH THE $50/year - one of the few).  
0
Lee W, MVP Technology and Business Process Advisor Commented:
Incidentally, the article I posted talks about disabling accounts based on the lastlogon attribute - but it may contain info for doing what you ask.
0
Chuckbuchan Author Commented:
As an alternative to this question, I would like to have a script that queries Active Directory and writes to a text file all user accounts created on a certain date.

Example: user accounts created after 11/01/2004

Thanks
0
Sembee Commented:
Why reinvent the stone when someone has already done it for you?

Get userdump from here:
http://www.joeware.net/win/free/tools/userdump.htm

Run it against a domain controller:

userdump servername

And it will tell you what you need to know.

Simon.
0
Chuckbuchan Author Commented:
What does the dumpuser do? I downloaded it but don't know what it does.
0
Sembee Commented:
Open a command prompt in the same directory as where you have put the file extracted from the zip file.

Then enter the command

userdump servername

Where servername is a domain controller.

And it will display a table for you.

Simon.
0
Chuckbuchan Author Commented:
Whenever I run this command from the same directory as the userdump file is located, it says 'UserDump' is not recognized as an internal or external command, operable program or batch file.
0
Lee W, MVP Technology and Business Process Advisor Commented:
See:
http://support.microsoft.com/default.aspx/kb/241215?

Userdump is part of the OEM support tools package and may not be installed on your computer - if/when it is, it may not be included in your path - read the documentation for the program at the link I provided above for more details.
0
Sembee Commented:
You have extracted it from the zip file that was downloaded? It should be a file called userdump.exe

Simon.
0
Dustbak Commented:
I am not sure what you want to achieve. From the question I would think you want to make sure everybody eventually has a pw which is different from the default one?

Another way to go might be to set the domain policy for security/account/passwords. Here you set the maximum time for passwords initially to 1 day. This forces the users to change their passwords the next day.

If you would like you can in the same place set other parameters like,

pw complexity
duration
length

And restrict usage of old pw's

Hope this will be of help

Good luck
Ray
0
Chuckbuchan Author Commented:
Since it's not possible to get the password used by a user for security purposes, I would like to get the date that the user account was created, by querying the AD.
0
jburgaard Commented:
As I understand - correct me if wrong - you want to deal with the 'first' users, who have not yet changed their password, and make them do so. How this is done is less important?

If that is the case, I would suggest making a 'DSQUERY' to find those users.
As the next step, eventually pipe the output from such a query to
'DSMOD' to make an attribute change, so that "Users Must Change Password at next Log On" is selected.

dsquery user "OU=gl,DC=qwe,DC=dimsedut,DC=com" -stalepwd 15|dsmod user -mustchpwd yes

Here dsquery finds users in the OU named gl in the domain qwe.dimsedut.com
who have not changed their password in more than 15 days;
dsmod changes the "Users Must Change Password at next Log On" attribute for these users to 'yes'.


0
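
An added example, not part of any post in this thread: one way to answer the revised question (accounts created after a given date that still carry their initial password) with the ActiveDirectory PowerShell module. The search base, cutoff date, five-minute tolerance and output path are assumptions; a password set within minutes of account creation shows only that it was never changed, not that it equals the default.

```powershell
# Added example; requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumed values, adjust for your environment.
$SearchBase   = 'OU=gl,DC=qwe,DC=dimsedut,DC=com'  # OU from the dsquery example in the thread
$CreatedAfter = [datetime]'2004-11-01'             # thread's "11/01/2004", read here as 1 Nov 2004
$MinAgeDays   = 2                                  # "more than 02 days" from the question
$Tolerance    = New-TimeSpan -Minutes 5            # assumed gap between creation and first password set
$OutFile      = '.\initial-password-accounts.txt'  # hypothetical report path

$now   = Get-Date
$props = 'whenCreated', 'PasswordLastSet', 'PasswordNeverExpires'

# Keep accounts that are old enough and whose password timestamp still matches creation time.
# PasswordLastSet is $null when "must change at next logon" is already set, so those are skipped.
$stale = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties $props |
    Where-Object {
        $_.whenCreated -ge $CreatedAfter -and
        ($now - $_.whenCreated).TotalDays -gt $MinAgeDays -and
        $null -ne $_.PasswordLastSet -and
        ($_.PasswordLastSet - $_.whenCreated).Duration() -le $Tolerance
    }

# One line per account: logon name, creation time, time the password was last set.
$stale | Sort-Object whenCreated | ForEach-Object {
    "{0}`t{1:s}`t{2:s}" -f $_.SamAccountName, $_.whenCreated, $_.PasswordLastSet
} | Set-Content -Path $OutFile

# Equivalent of "dsmod user -mustchpwd yes"; remove -WhatIf to apply.
# Accounts with PasswordNeverExpires are excluded because the flag cannot be set on them.
$stale | Where-Object { -not $_.PasswordNeverExpires } |
    Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

An administrator reset moves PasswordLastSet forward, so accounts whose password was reset to the default after creation will not appear in this report.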
