Solved

domain password expire script

Posted on 2009-07-03
5
1,184 Views
Last Modified: 2012-08-13
i need a script that will tell me when all user domain passwors will expire, i have fous some but they are not working, i found this one but it tells me the name is worng. i need to set my password expire GPO and would like to know how many user will be effected
Option Explicit
 
	Call PwdExpiryInfo
 
Sub PwdExpiryInfo()
' Version 1.0
' Writen by Krystian Karia
' Dated 04/05/2009
 
' Gets a list of users from the group
' specified  and  then  checks  their
' Password Expiry date.
 
' NOTE: Script must be run in a CMD.exe
' window as: CScript.exe ScriptName.vbs
' This is due to the number of outputs
' that is created.
 
 
 
' Catch errors ourselves
' 	On Error Resume Next
 
' Declare Variables
	dim iTimeInterval, iMaxPwdAge
	Dim i, intUACvalue
	Dim dtmPwdChanged
	Dim objUserLDAP
	Dim arrMembers
 
	Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000	
	Const sGroup = "CN=Administrators,OU=Groups,DC=Domain,DC=local"	' < Spcify your group name here
 
 
 
' Get the list of users from the given group
	arrMembers = GetMembers(sGroup)
		If IsNull(arrMembers) Then
			ShowProgress "Check your group name or its member list"
			EndScript
		End If
		
' Loop each user to check password exiry date
	For i = 0 to UBound(arrMembers)
		If arrMembers(i) <> "" Then
			ShowProgress ""
 
			Set objUserLDAP = GetObject(arrMembers(i))
				intUACvalue = objUserLDAP.Get("userAccountControl")
			
			If intUACvalue And ADS_UF_DONT_EXPIRE_PASSWD Then
				ShowProgress objUserLDAP.sAMAccountName
				ShowProgress " Password does not expire"
			Else
				dtmPwdChanged = objUserLDAP.PasswordLastChanged 
				iTimeInterval = CInt(Now - dtmPwdChanged)
				iMaxPwdAge = GetMaxPwdAge
				
				
					ShowProgress objUserLDAP.sAMAccountName 
					ShowProgress " Password was last changed " & dtmPwdChanged
					ShowProgress " Which was " & iTimeInterval & " days ago"
 
				If iMaxPwdAge < 0 Then
					ShowProgress " Password does not expire (Domain Policy's Maximum Password Age set to 0)"
				Else
					ShowProgress " The Domain Policy Max Password Age is " & iMaxPwdAge & " Days"
		
					If iTimeInterval >= iMaxPwdAge Then
						ShowProgress " The password has expired."
					Else
						ShowProgress " The password will expire in " & CInt((dtmPwdChanged + iMaxPwdAge) - Now()) & " Days"
					End If
				
				End If 'iMaxPwdAge
			End If 'intUACvalue
 
		End If 
	Next ' arrMembers
 
End Sub ' PwdExpiryInfo
 
 
Function GetMembers(strGroup)
' Version 1.4
' Written by Krystian Karia
' Dated 04/05/2009
 
' Returns the LDAP path of each
' user from the given group
 
' Catch errors ourselves
 	On Error Resume Next
 
' Declare variables
    Dim oGroup, oUser
    Dim strName
    Dim arrUsers
    
' Check parameters
	    If strGroup = "" Then
			GetMembers = Null
	        Exit Function
	    End If
 
' Bind to group using the correct ADSI connector
    Set oGroup = GetObject("LDAP://" & strGroup)
		If Err.Number <> 0 Then
			Err.Clear
			ShowProgress "An error occured binding to the group " & strGroup
			GetMembers = Null
        	Exit Function
		End If
 
 
' Loop group members
		For Each oUser In oGroup.Members
	        strName = strName & oUser.ADsPath & vbNewLine
	    Next
 
' Create an array of members
		If Trim(strName) <> "" Then
			arrUsers = Split(strName, vbNewLine)
			GetMembers = arrUsers
		Else
			GetMembers = Null
		End If
 
	Err.Clear
 
 End Function ' GetMembers
 
 
Function GetMaxPwdAge()
' Version 1.0
 
' Returns the Maximum Password Age
' which is usually  set in the GPO
' named "Default Domain Policy"
 
' Catch errors ourselves
 	On Error Resume Next
 
' Declare Variables
	Dim oRootDSE, oDomain, oMaxPwdAge
	Dim lngHighPart, lngLowPart
	Dim strDomainDN
 
' Get the current Domain DN
	Set oRootDSE = GetObject("LDAP://RootDSE")
		strDomainDN = oRootDSE.Get("DefaultNamingContext")
 
' Bind to current Domain
	Set oDomain = GetObject("LDAP://" & strDomainDN)
		Set oMaxPwdAge = oDomain.MaxPwdAge
 
' Get the 2 parts of the Integer8 value to get 2 32 bit values
	lngHighPart = oMaxPwdAge.HighPart
	lngLowPart = oMaxPwdAge.LowPart
 
' If the LowPart is less than 0 then we ned to add 1 to the HighPart
		If (lngLowPart < 0) Then
			lngHighPart = lngHighPart + 1
		End If
	
' Return the value in Days
		GetMaxPwdAge = -((lngHighPart * 2^32) + lngLowPart)/(600000000 * 1440)
 
 
End Function ' GetMaxPwdAge
 
 
Sub ShowProgress(sComment)
 
	WScript.Echo sComment
 
End Sub
 
Sub EndScript
 
	WScript.Quit
	
End Sub

Open in new window

0
Comment
Question by:Cecilpierce
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
5 Comments
 
LVL 14

Accepted Solution

by:
Shabarinath Ramadasan earned 500 total points
ID: 24776935
I would prefer using POWERSHELL herer.
Install quest Powershell for Activedirectory

Use this commnad
Get-QADUser |select-object displayname, passwordstatus

Cheerio
Shaba
Get-QADUser |select-object displayname, passwordstatus

Open in new window

0
 

Author Comment

by:Cecilpierce
ID: 24827633
sorry did know you replied, i tried to run your command but gut and error



Windows PowerShell
Copyright (C) 2006 Microsoft Corporation. All rights reserved.

PS C:\WINDOWS\system32> Get-QADUser |select-object displayname, passwordstatus
The term 'Get-QADUser' is not recognized as a cmdlet, function, operable progra
m, or script file. Verify the term and try again.
At line:1 char:12
+ Get-QADUser  <<<< |select-object displayname, passwordstatus
PS C:\WINDOWS\system32>

0
 

Author Comment

by:Cecilpierce
ID: 24828120
perfect got it working! thank you so much
0
 

Author Closing Comment

by:Cecilpierce
ID: 31599670
just never used power shell, but i got it now
0
 

Author Comment

by:Cecilpierce
ID: 24862876
i need some clairafacation on this command, yes it did return the value of when the passwords expire for some users but not all users! it only shows for the months from present date to november. any ideas as why to this
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Time server on domain 3 62
Master DC completely died 15 72
ADFS: AADSTS50107: Requested federation realm object 8 98
Unable to Get RDP Certificate via Template 6 30
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question