Solved

DSQUERY a group for expiring passwords

Posted on 2009-05-03
5
2,323 Views
Last Modified: 2013-12-19
I am trying to figure our how to use DSQUERY to query users accounts who will expire within a certian timeframe from a specific group. I can successfully use dsquery user -stalepwd 55 for example but this queries all users in AD.

How can I use this to check a specific group of users only? I tried playing arounf with the dsquery group command but cannot seem to get it right.
0
Comment
Question by:FphcareEnginner
  • 2
  • 2
5 Comments
 
LVL 1

Expert Comment

by:jruocco_1
Comment Utility
Are you trying to query users in a "group" or an "ou"?
0
 

Author Comment

by:FphcareEnginner
Comment Utility
I am trying to dsquery users in a group. Basically, i want to see when our OWA users are near to expiry.
0
 
LVL 1

Expert Comment

by:jruocco_1
Comment Utility
I cannot find anything about piping a dsquery -stalepwd into a dsget group.

but i would suggest using dsget group "groupDN" -members and using csvde to export them to a csv file.

then use csvde to import them and run a dsquery on the file.
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
Comment Utility

I would suggest a much easier tool to do this than dsquery. Download the memberOf tool from Active Directory MVP Joe: http://www.joeware.net/freetools/tools/memberof/index.htm.

Extract the contents, then at a command line, use the command:

FindExpAcc -pwd -days 55 -f "(&(objectClass=User)(memberOf=% DN of the Security Group %))"

That will return all the users in the security group specified who will have a password expiring in 55 days or less.

If you need a quick way to find out the DN of the security group, download ADFind (from the same site): http://www.joeware.net/freetools/tools/adfind/index.htm. Extract the tool then run

adfind -sc g:Name of Group

The first line of the output will be the DN which you can then use in the FindExpAcc command.

-Matt
0
 
LVL 58

Expert Comment

by:tigermatt
Comment Utility

Hey,

I think my solution did what you needed. Was there therefore any reason for the 'B' grade?
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now