Solved

LDAP Query for expiring passwords

Posted on 2009-05-03
7
5,970 Views
Last Modified: 2013-12-24
I am trying to find an LDAP query that tells me which users passwords are going to expire (within 3-4 days) in a particular group.

Can anybody help?
0
Comment
Question by:FphcareEnginner
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 4

Expert Comment

by:ValleyENT
ID: 24292494
A simple DS Query will do, enter the below in command prompt on the dc.
dsquery user -stalepwd n
0
 

Author Comment

by:FphcareEnginner
ID: 24292505
Hi
Thanks

I can successfully use this command but want to query only members of a specific group. Could not get it right with DS query and thought an LDAP query would be better.

Can this be done with DS query?
0
 
LVL 4

Expert Comment

by:ValleyENT
ID: 24292512
There are far more efficient tools than DS Query that allow for more filters. Take a look at this site, you will have to download the utility, but this is probalbly what you are looking for, it will allow the query of specific OU's.

http://www.joeware.net/freetools/tools/findexpacc/usage.htm
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:FphcareEnginner
ID: 24292535
Thanks, unfortunately due to some internal legal reasons, we cannot use any 3rd party tools and want to try proceed with an LDAP query.
0
 
LVL 4

Expert Comment

by:ValleyENT
ID: 24292548
Understood~ Well, then you will have to get into some C-Sharp programming or vbscripting.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24292876
To bad you can't use joe's tools... the are great
The ldap query is a pain because of how accountexpires is stored
http://msdn.microsoft.com/en-us/library/ms675098(VS.85).aspx
 
The date when the account expires. This value represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires.
So lets say you wanted an LDAP query for users that were going to expire before May 7th, 2009.  The users are in a group called test
In ADUC custom search advanced the query would be
(objectcategory=person)(objectclass=user)(memberof=DNofgroup)(accountexpires=12886142400075000)
I had to use a program to convert the "friendly" dayte of May 7th to that 64 bit integer.
That is why Valley suggested a script if you can't use a tool but just wanted to give some more info.
Thanks
Mike
 
0
 
LVL 12

Accepted Solution

by:
Krys_K earned 250 total points
ID: 24300822
Hi There
I have written a script that should do something like what you are looking for.
See how you get on with it.
Note: Copy it to notepad and save as a .vbs file. Change the GroupName  to suit (should be line 32 in the script).
Then run the script in a CMD.exe window as:
cscript.exe scriptname.vbs
Hope it helps
 
Regards
Krystian

Option Explicit
 
	Call PwdExpiryInfo
 
Sub PwdExpiryInfo()
' Version 1.0
' Writen by Krystian Karia
' Dated 04/05/2009
 
' Gets a list of users from the group
' specified  and  then  checks  their
' Password Expiry date.
 
' NOTE: Script must be run in a CMD.exe
' window as: CScript.exe ScriptName.vbs
' This is due to the number of outputs
' that is created.
 
 
 
' Catch errors ourselves
' 	On Error Resume Next
 
' Declare Variables
	dim iTimeInterval, iMaxPwdAge
	Dim i, intUACvalue
	Dim dtmPwdChanged
	Dim objUserLDAP
	Dim arrMembers
 
	Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000	
	Const sGroup = "CN=My Group Name,OU=Groups,DC=Domain,DC=local"	' < Spcify your group name here
 
 
 
' Get the list of users from the given group
	arrMembers = GetMembers(sGroup)
		If IsNull(arrMembers) Then
			ShowProgress "Check your group name or its member list"
			EndScript
		End If
		
' Loop each user to check password exiry date
	For i = 0 to UBound(arrMembers)
		If arrMembers(i) <> "" Then
			ShowProgress ""
 
			Set objUserLDAP = GetObject(arrMembers(i))
				intUACvalue = objUserLDAP.Get("userAccountControl")
			
			If intUACvalue And ADS_UF_DONT_EXPIRE_PASSWD Then
				ShowProgress objUserLDAP.sAMAccountName
				ShowProgress " Password does not expire"
			Else
				dtmPwdChanged = objUserLDAP.PasswordLastChanged 
				iTimeInterval = CInt(Now - dtmPwdChanged)
				iMaxPwdAge = GetMaxPwdAge
				
				
					ShowProgress objUserLDAP.sAMAccountName 
					ShowProgress " Password was last changed " & dtmPwdChanged
					ShowProgress " Which was " & iTimeInterval & " days ago"
 
				If iMaxPwdAge < 0 Then
					ShowProgress " Password does not expire (Domain Policy's Maximum Password Age set to 0)"
				Else
					ShowProgress " The Domain Policy Max Password Age is " & iMaxPwdAge & " Days"
		
					If iTimeInterval >= iMaxPwdAge Then
						ShowProgress " The password has expired."
					Else
						ShowProgress " The password will expire in " & CInt((dtmPwdChanged + iMaxPwdAge) - Now()) & " Days"
					End If
				
				End If 'iMaxPwdAge
			End If 'intUACvalue
 
		End If 
	Next ' arrMembers
 
End Sub ' PwdExpiryInfo
 
 
Function GetMembers(strGroup)
' Version 1.4
' Written by Krystian Karia
' Dated 04/05/2009
 
' Returns the LDAP path of each
' user from the given group
 
' Catch errors ourselves
 	On Error Resume Next
 
' Declare variables
    Dim oGroup, oUser
    Dim strName
    Dim arrUsers
    
' Check parameters
	    If strGroup = "" Then
			GetMembers = Null
	        Exit Function
	    End If
 
' Bind to group using the correct ADSI connector
    Set oGroup = GetObject("LDAP://" & strGroup)
		If Err.Number <> 0 Then
			Err.Clear
			ShowProgress "An error occured binding to the group " & strGroup
			GetMembers = Null
        	Exit Function
		End If
 
 
' Loop group members
		For Each oUser In oGroup.Members
	        strName = strName & oUser.ADsPath & vbNewLine
	    Next
 
' Create an array of members
		If Trim(strName) <> "" Then
			arrUsers = Split(strName, vbNewLine)
			GetMembers = arrUsers
		Else
			GetMembers = Null
		End If
 
	Err.Clear
 
 End Function ' GetMembers
 
 
Function GetMaxPwdAge()
' Version 1.0
 
' Returns the Maximum Password Age
' which is usually  set in the GPO
' named "Default Domain Policy"
 
' Catch errors ourselves
 	On Error Resume Next
 
' Declare Variables
	Dim oRootDSE, oDomain, oMaxPwdAge
	Dim lngHighPart, lngLowPart
	Dim strDomainDN
 
' Get the current Domain DN
	Set oRootDSE = GetObject("LDAP://RootDSE")
		strDomainDN = oRootDSE.Get("DefaultNamingContext")
 
' Bind to current Domain
	Set oDomain = GetObject("LDAP://" & strDomainDN)
		Set oMaxPwdAge = oDomain.MaxPwdAge
 
' Get the 2 parts of the Integer8 value to get 2 32 bit values
	lngHighPart = oMaxPwdAge.HighPart
	lngLowPart = oMaxPwdAge.LowPart
 
' If the LowPart is less than 0 then we ned to add 1 to the HighPart
		If (lngLowPart < 0) Then
			lngHighPart = lngHighPart + 1
		End If
	
' Return the value in Days
		GetMaxPwdAge = -((lngHighPart * 2^32) + lngLowPart)/(600000000 * 1440)
 
 
End Function ' GetMaxPwdAge
 
 
Sub ShowProgress(sComment)
 
	WScript.Echo sComment
 
End Sub
 
Sub EndScript
 
	WScript.Quit
	
End Sub

Open in new window

0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
A Stored Procedure in Microsoft SQL Server is a powerful feature that it can be used to execute the Data Manipulation Language (DML) or Data Definition Language (DDL). Depending on business requirements, a single Stored Procedure can return differe…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question