Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

domain password expire script

Posted on 2009-07-03
5
Medium Priority
?
1,187 Views
Last Modified: 2012-08-13
i need a script that will tell me when all user domain passwors will expire, i have fous some but they are not working, i found this one but it tells me the name is worng. i need to set my password expire GPO and would like to know how many user will be effected
Option Explicit
 
	Call PwdExpiryInfo
 
Sub PwdExpiryInfo()
' Version 1.0
' Writen by Krystian Karia
' Dated 04/05/2009
 
' Gets a list of users from the group
' specified  and  then  checks  their
' Password Expiry date.
 
' NOTE: Script must be run in a CMD.exe
' window as: CScript.exe ScriptName.vbs
' This is due to the number of outputs
' that is created.
 
 
 
' Catch errors ourselves
' 	On Error Resume Next
 
' Declare Variables
	dim iTimeInterval, iMaxPwdAge
	Dim i, intUACvalue
	Dim dtmPwdChanged
	Dim objUserLDAP
	Dim arrMembers
 
	Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000	
	Const sGroup = "CN=Administrators,OU=Groups,DC=Domain,DC=local"	' < Spcify your group name here
 
 
 
' Get the list of users from the given group
	arrMembers = GetMembers(sGroup)
		If IsNull(arrMembers) Then
			ShowProgress "Check your group name or its member list"
			EndScript
		End If
		
' Loop each user to check password exiry date
	For i = 0 to UBound(arrMembers)
		If arrMembers(i) <> "" Then
			ShowProgress ""
 
			Set objUserLDAP = GetObject(arrMembers(i))
				intUACvalue = objUserLDAP.Get("userAccountControl")
			
			If intUACvalue And ADS_UF_DONT_EXPIRE_PASSWD Then
				ShowProgress objUserLDAP.sAMAccountName
				ShowProgress " Password does not expire"
			Else
				dtmPwdChanged = objUserLDAP.PasswordLastChanged 
				iTimeInterval = CInt(Now - dtmPwdChanged)
				iMaxPwdAge = GetMaxPwdAge
				
				
					ShowProgress objUserLDAP.sAMAccountName 
					ShowProgress " Password was last changed " & dtmPwdChanged
					ShowProgress " Which was " & iTimeInterval & " days ago"
 
				If iMaxPwdAge < 0 Then
					ShowProgress " Password does not expire (Domain Policy's Maximum Password Age set to 0)"
				Else
					ShowProgress " The Domain Policy Max Password Age is " & iMaxPwdAge & " Days"
		
					If iTimeInterval >= iMaxPwdAge Then
						ShowProgress " The password has expired."
					Else
						ShowProgress " The password will expire in " & CInt((dtmPwdChanged + iMaxPwdAge) - Now()) & " Days"
					End If
				
				End If 'iMaxPwdAge
			End If 'intUACvalue
 
		End If 
	Next ' arrMembers
 
End Sub ' PwdExpiryInfo
 
 
Function GetMembers(strGroup)
' Version 1.4
' Written by Krystian Karia
' Dated 04/05/2009
 
' Returns the LDAP path of each
' user from the given group
 
' Catch errors ourselves
 	On Error Resume Next
 
' Declare variables
    Dim oGroup, oUser
    Dim strName
    Dim arrUsers
    
' Check parameters
	    If strGroup = "" Then
			GetMembers = Null
	        Exit Function
	    End If
 
' Bind to group using the correct ADSI connector
    Set oGroup = GetObject("LDAP://" & strGroup)
		If Err.Number <> 0 Then
			Err.Clear
			ShowProgress "An error occured binding to the group " & strGroup
			GetMembers = Null
        	Exit Function
		End If
 
 
' Loop group members
		For Each oUser In oGroup.Members
	        strName = strName & oUser.ADsPath & vbNewLine
	    Next
 
' Create an array of members
		If Trim(strName) <> "" Then
			arrUsers = Split(strName, vbNewLine)
			GetMembers = arrUsers
		Else
			GetMembers = Null
		End If
 
	Err.Clear
 
 End Function ' GetMembers
 
 
Function GetMaxPwdAge()
' Version 1.0
 
' Returns the Maximum Password Age
' which is usually  set in the GPO
' named "Default Domain Policy"
 
' Catch errors ourselves
 	On Error Resume Next
 
' Declare Variables
	Dim oRootDSE, oDomain, oMaxPwdAge
	Dim lngHighPart, lngLowPart
	Dim strDomainDN
 
' Get the current Domain DN
	Set oRootDSE = GetObject("LDAP://RootDSE")
		strDomainDN = oRootDSE.Get("DefaultNamingContext")
 
' Bind to current Domain
	Set oDomain = GetObject("LDAP://" & strDomainDN)
		Set oMaxPwdAge = oDomain.MaxPwdAge
 
' Get the 2 parts of the Integer8 value to get 2 32 bit values
	lngHighPart = oMaxPwdAge.HighPart
	lngLowPart = oMaxPwdAge.LowPart
 
' If the LowPart is less than 0 then we ned to add 1 to the HighPart
		If (lngLowPart < 0) Then
			lngHighPart = lngHighPart + 1
		End If
	
' Return the value in Days
		GetMaxPwdAge = -((lngHighPart * 2^32) + lngLowPart)/(600000000 * 1440)
 
 
End Function ' GetMaxPwdAge
 
 
Sub ShowProgress(sComment)
 
	WScript.Echo sComment
 
End Sub
 
Sub EndScript
 
	WScript.Quit
	
End Sub

Open in new window

0
Comment
Question by:Cecilpierce
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
5 Comments
 
LVL 14

Accepted Solution

by:
Shabarinath Ramadasan earned 2000 total points
ID: 24776935
I would prefer using POWERSHELL herer.
Install quest Powershell for Activedirectory

Use this commnad
Get-QADUser |select-object displayname, passwordstatus

Cheerio
Shaba
Get-QADUser |select-object displayname, passwordstatus

Open in new window

0
 

Author Comment

by:Cecilpierce
ID: 24827633
sorry did know you replied, i tried to run your command but gut and error



Windows PowerShell
Copyright (C) 2006 Microsoft Corporation. All rights reserved.

PS C:\WINDOWS\system32> Get-QADUser |select-object displayname, passwordstatus
The term 'Get-QADUser' is not recognized as a cmdlet, function, operable progra
m, or script file. Verify the term and try again.
At line:1 char:12
+ Get-QADUser  <<<< |select-object displayname, passwordstatus
PS C:\WINDOWS\system32>

0
 

Author Comment

by:Cecilpierce
ID: 24828120
perfect got it working! thank you so much
0
 

Author Closing Comment

by:Cecilpierce
ID: 31599670
just never used power shell, but i got it now
0
 

Author Comment

by:Cecilpierce
ID: 24862876
i need some clairafacation on this command, yes it did return the value of when the passwords expire for some users but not all users! it only shows for the months from present date to november. any ideas as why to this
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question