Solved

DSQUERY a group for expiring passwords

Posted on 2009-05-03
5
2,390 Views
Last Modified: 2013-12-19
I am trying to figure our how to use DSQUERY to query users accounts who will expire within a certian timeframe from a specific group. I can successfully use dsquery user -stalepwd 55 for example but this queries all users in AD.

How can I use this to check a specific group of users only? I tried playing arounf with the dsquery group command but cannot seem to get it right.
0
Comment
Question by:FphcareEnginner
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 1

Expert Comment

by:jruocco_1
ID: 24292669
Are you trying to query users in a "group" or an "ou"?
0
 

Author Comment

by:FphcareEnginner
ID: 24292776
I am trying to dsquery users in a group. Basically, i want to see when our OWA users are near to expiry.
0
 
LVL 1

Expert Comment

by:jruocco_1
ID: 24292821
I cannot find anything about piping a dsquery -stalepwd into a dsget group.

but i would suggest using dsget group "groupDN" -members and using csvde to export them to a csv file.

then use csvde to import them and run a dsquery on the file.
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
ID: 24293365

I would suggest a much easier tool to do this than dsquery. Download the memberOf tool from Active Directory MVP Joe: http://www.joeware.net/freetools/tools/memberof/index.htm.

Extract the contents, then at a command line, use the command:

FindExpAcc -pwd -days 55 -f "(&(objectClass=User)(memberOf=% DN of the Security Group %))"

That will return all the users in the security group specified who will have a password expiring in 55 days or less.

If you need a quick way to find out the DN of the security group, download ADFind (from the same site): http://www.joeware.net/freetools/tools/adfind/index.htm. Extract the tool then run

adfind -sc g:Name of Group

The first line of the output will be the DN which you can then use in the FindExpAcc command.

-Matt
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24299305

Hey,

I think my solution did what you needed. Was there therefore any reason for the 'B' grade?
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently I was talking with Tim Sharp, one of my colleagues from our Technical Account Manager team about MongoDB’s scalability. While doing some quick training with some of the Percona team, Tim brought something to my attention...
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question