Solved

DSQUERY a group for expiring passwords

Posted on 2009-05-03
5
2,360 Views
Last Modified: 2013-12-19
I am trying to figure our how to use DSQUERY to query users accounts who will expire within a certian timeframe from a specific group. I can successfully use dsquery user -stalepwd 55 for example but this queries all users in AD.

How can I use this to check a specific group of users only? I tried playing arounf with the dsquery group command but cannot seem to get it right.
0
Comment
Question by:FphcareEnginner
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 1

Expert Comment

by:jruocco_1
ID: 24292669
Are you trying to query users in a "group" or an "ou"?
0
 

Author Comment

by:FphcareEnginner
ID: 24292776
I am trying to dsquery users in a group. Basically, i want to see when our OWA users are near to expiry.
0
 
LVL 1

Expert Comment

by:jruocco_1
ID: 24292821
I cannot find anything about piping a dsquery -stalepwd into a dsget group.

but i would suggest using dsget group "groupDN" -members and using csvde to export them to a csv file.

then use csvde to import them and run a dsquery on the file.
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
ID: 24293365

I would suggest a much easier tool to do this than dsquery. Download the memberOf tool from Active Directory MVP Joe: http://www.joeware.net/freetools/tools/memberof/index.htm.

Extract the contents, then at a command line, use the command:

FindExpAcc -pwd -days 55 -f "(&(objectClass=User)(memberOf=% DN of the Security Group %))"

That will return all the users in the security group specified who will have a password expiring in 55 days or less.

If you need a quick way to find out the DN of the security group, download ADFind (from the same site): http://www.joeware.net/freetools/tools/adfind/index.htm. Extract the tool then run

adfind -sc g:Name of Group

The first line of the output will be the DN which you can then use in the FindExpAcc command.

-Matt
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24299305

Hey,

I think my solution did what you needed. Was there therefore any reason for the 'B' grade?
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the steps required to install WordPress on Azure. Web Apps, Mobile Apps, API Apps, or Functions, in Azure all these run in an App Service plan. WordPress is no exception and requires an App Service Plan and Database to install
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question