How to find Expired Users

Posted on 2006-11-27
Medium Priority
Last Modified: 2008-01-09
I'm a Windows 2003 novice - paper MCSE on NT 4.0.  I'm in Network Engineering now - and usually hang out over there.  Hi y'all.

Unfortunately, I have the responsibility of adding users to a domain which is used just for remote Internet Access through a company called iPass.  In a nutshell, I usually SSH into the server (maintained by the server group) and use a "net user /add *" command line to add them.

Because of some security B@#$4i+, I've had to create an auditing process whereby I now have to go in and set the accounts to expire as soon as I hear of someone leaving the company.

For example, if I get a notice that John Doe is leaving the company on 12/31/2006, I'll enter the command:

net user jdoe /expire:12/31/2006

This will set his account to expire on that date.  All good.

However, in January, if I want to run a report to see all the users who still have accounts, but are expired, how can I do this?  I don't see anything in the net user docs and I don't see any options when looking at AD Users and Computers where there's a field for Account Expiration.

Question by:pseudocyber

Accepted Solution

Chris Dent earned 1000 total points
ID: 18020450


Been there and done that ;)

The VBScript at the bottom (to be saved as .vbs) will write a Tab Delimited Text file containing the user's ADSPath, Expiry Date and SAMAccountName (Username) called ExpiredAccounts.txt.

It's nice and straightforward and does nothing more than tell you about them. You don't need to make any changes to the file itself, it just runs for the current AD Domain.


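Option Explicit

' ADSI subtree search scope; VBScript does not predefine it, and
' Option Explicit rejects undeclared names
Const ADS_SCOPE_SUBTREE = 2

Dim objConnection, objCommand, objRootDSE, objRecordSet, objUser, objFileSystem, objFile
Dim strADSPath
Dim dtmAccountExpires

' Connect to Active Directory through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' Search the current domain (taken from RootDSE) for user objects
Set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = "SELECT aDSPath " &_
      " FROM 'LDAP://" & objRootDSE.Get("defaultNamingContext") & "' WHERE objectClass='user'"
Set objRootDSE = Nothing

' Page the results so domains with more than 1000 users are fully returned
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute

' The report is written to the current working directory
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFile = objFileSystem.CreateTextFile("ExpiredAccounts.txt")

On Error Resume Next
While Not objRecordSet.EOF
      strADSPath = objRecordSet.Fields("aDSPath")

      ' Reset per user so a failed bind or read cannot reuse the previous user's values
      Set objUser = Nothing
      dtmAccountExpires = CDate(0)

      Set objUser = GetObject(strADSPath)
      dtmAccountExpires = CDate(objUser.AccountExpirationDate)
      Err.Clear

      ' The year check skips accounts that have no expiry date set
      If Year(dtmAccountExpires) > 1970 Then
            If dtmAccountExpires < Date() Then
                  objFile.WriteLine strADSPath & VbTab & dtmAccountExpires & VbTab & objUser.Get("sAMAccountName")
            End If
      End If

      objRecordSet.MoveNext
Wend
On Error Goto 0

objFile.Close

Set objFile = Nothing
Set objFileSystem = Nothing
Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing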
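
An added example, not part of the original answers: the same expired-account report computed from the raw accountExpires attribute, whose two "never expires" sentinel values are the case the script above filters with its Year check. It assumes an LDIF-style export of sAMAccountName and accountExpires; the sample entries are constructed and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# accountExpires counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = {0, 0x7FFFFFFFFFFFFFFF}  # both raw values mean "never expires"

# Constructed sample export; names and values are illustrative only.
SAMPLE_LDIF = """\
dn: CN=John Doe,OU=Remote,DC=example,DC=com
sAMAccountName: jdoe
accountExpires: 128120832000000000

dn: CN=Ann Smith,OU=Remote,DC=example,DC=com
sAMAccountName: asmith
accountExpires: 9223372036854775807

dn: CN=Svc Account,OU=Remote,DC=example,DC=com
sAMAccountName: svc_remote
accountExpires: 0

dn: CN=Bob Lee,OU=Remote,DC=example,DC=com
sAMAccountName: blee
accountExpires: 128436192000000000
"""

def filetime_to_datetime(raw):
    """Return the UTC expiry time, or None when the account never expires."""
    if raw in NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=raw // 10)

def parse_ldif(text):
    """Yield attribute dicts; plain 'key: value' lines only (no folding/base64)."""
    for block in text.strip().split("\n\n"):
        yield dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)

def expired_accounts(ldif_text, now):
    """Return (sAMAccountName, expiry) pairs whose expiry is at or before now."""
    report = []
    for entry in parse_ldif(ldif_text):
        expires = filetime_to_datetime(int(entry.get("accountExpires", "0")))
        if expires is not None and expires <= now:
            report.append((entry["sAMAccountName"], expires))
    return sorted(report, key=lambda pair: pair[1])

if __name__ == "__main__":
    for name, when in expired_accounts(SAMPLE_LDIF, datetime.now(timezone.utc)):
        print(f"{name}\t{when:%Y-%m-%d %H:%M} UTC")
```
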

Assisted Solution

by:Steve Knight
Steve Knight earned 1000 total points
ID: 18020468
If this is AD you can run a dsquery / dsget command something like this:

dsquery user | dsget user -fn -ln -acctexpires

If there are many users you can increase the limit by adding -limit 1000 say to the dsquery command.
Other than that you can use

net user username to return the username so it would be possible to write a script to parse that and give you a list of

username, expiry date


Expert Comment

by:Steve Knight
ID: 18020474
Oops, refresh, refresh, refresh :-)

Expert Comment

by:Chris Dent
ID: 18020484

I know that feeling well :)

