Solved

domain password expire script

Posted on 2009-07-03
Last Modified: 2012-08-13
I need a script that will tell me when all user domain passwords will expire. I have found some but they are not working. I found this one but it tells me the name is wrong. I need to set my password expire GPO and would like to know how many users will be affected.
Option Explicit
 
	Call PwdExpiryInfo
 
Sub PwdExpiryInfo()
' Version 1.0
' Written by Krystian Karia
' Dated 04/05/2009
 
' Gets a list of users from the group
' specified  and  then  checks  their
' Password Expiry date.
 
' NOTE: Script must be run in a CMD.exe
' window as: CScript.exe ScriptName.vbs
' This is due to the number of outputs
' that is created.
 
 
 
' Catch errors ourselves
' 	On Error Resume Next
 
' Declare Variables
	dim iTimeInterval, iMaxPwdAge
	Dim i, intUACvalue
	Dim dtmPwdChanged
	Dim objUserLDAP
	Dim arrMembers
 
	Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000	
	Const sGroup = "CN=Administrators,OU=Groups,DC=Domain,DC=local"	' < Specify your group name here
 
 
 
' Get the list of users from the given group
	arrMembers = GetMembers(sGroup)
		If IsNull(arrMembers) Then
			ShowProgress "Check your group name or its member list"
			EndScript
		End If
		
' Loop each user to check password expiry date
	For i = 0 to UBound(arrMembers)
		If arrMembers(i) <> "" Then
			ShowProgress ""
 
			Set objUserLDAP = GetObject(arrMembers(i))
				intUACvalue = objUserLDAP.Get("userAccountControl")
			
			If intUACvalue And ADS_UF_DONT_EXPIRE_PASSWD Then
				ShowProgress objUserLDAP.sAMAccountName
				ShowProgress " Password does not expire"
			Else
				dtmPwdChanged = objUserLDAP.PasswordLastChanged 
				iTimeInterval = CInt(Now - dtmPwdChanged)
				iMaxPwdAge = GetMaxPwdAge
				
				
					ShowProgress objUserLDAP.sAMAccountName 
					ShowProgress " Password was last changed " & dtmPwdChanged
					ShowProgress " Which was " & iTimeInterval & " days ago"
 
				If iMaxPwdAge < 0 Then
					ShowProgress " Password does not expire (Domain Policy's Maximum Password Age set to 0)"
				Else
					ShowProgress " The Domain Policy Max Password Age is " & iMaxPwdAge & " Days"
		
					If iTimeInterval >= iMaxPwdAge Then
						ShowProgress " The password has expired."
					Else
						ShowProgress " The password will expire in " & CInt((dtmPwdChanged + iMaxPwdAge) - Now()) & " Days"
					End If
				
				End If 'iMaxPwdAge
			End If 'intUACvalue
 
		End If 
	Next ' arrMembers
 
End Sub ' PwdExpiryInfo
 
 
Function GetMembers(strGroup)
' Version 1.4
' Written by Krystian Karia
' Dated 04/05/2009
 
' Returns the LDAP path of each
' user from the given group
 
' Catch errors ourselves
 	On Error Resume Next
 
' Declare variables
    Dim oGroup, oUser
    Dim strName
    Dim arrUsers
    
' Check parameters
	    If strGroup = "" Then
			GetMembers = Null
	        Exit Function
	    End If
 
' Bind to group using the correct ADSI connector
    Set oGroup = GetObject("LDAP://" & strGroup)
		If Err.Number <> 0 Then
			Err.Clear
			ShowProgress "An error occurred binding to the group " & strGroup
			GetMembers = Null
        	Exit Function
		End If
 
 
' Loop group members
		For Each oUser In oGroup.Members
	        strName = strName & oUser.ADsPath & vbNewLine
	    Next
 
' Create an array of members
		If Trim(strName) <> "" Then
			arrUsers = Split(strName, vbNewLine)
			GetMembers = arrUsers
		Else
			GetMembers = Null
		End If
 
	Err.Clear
 
 End Function ' GetMembers
 
 
Function GetMaxPwdAge()
' Version 1.0
 
' Returns the Maximum Password Age
' which is usually  set in the GPO
' named "Default Domain Policy"
 
' Catch errors ourselves
 	On Error Resume Next
 
' Declare Variables
	Dim oRootDSE, oDomain, oMaxPwdAge
	Dim lngHighPart, lngLowPart
	Dim strDomainDN
 
' Get the current Domain DN
	Set oRootDSE = GetObject("LDAP://RootDSE")
		strDomainDN = oRootDSE.Get("DefaultNamingContext")
 
' Bind to current Domain
	Set oDomain = GetObject("LDAP://" & strDomainDN)
		Set oMaxPwdAge = oDomain.MaxPwdAge
 
' Get the 2 parts of the Integer8 value to get 2 32 bit values
	lngHighPart = oMaxPwdAge.HighPart
	lngLowPart = oMaxPwdAge.LowPart
 
' If the LowPart is less than 0 then we need to add 1 to the HighPart
		If (lngLowPart < 0) Then
			lngHighPart = lngHighPart + 1
		End If
	
' Return the value in Days
		GetMaxPwdAge = -((lngHighPart * 2^32) + lngLowPart)/(600000000 * 1440)
 
 
End Function ' GetMaxPwdAge
 
 
Sub ShowProgress(sComment)
 
	WScript.Echo sComment
 
End Sub
 
Sub EndScript
 
	WScript.Quit
	
End Sub

Question by:Cecilpierce
5 Comments
Accepted Solution

by:
Shabarinath Ramadasan earned 500 total points
ID: 24776935
I would prefer using PowerShell here.
Install Quest PowerShell for Active Directory

Use this command
Get-QADUser |select-object displayname, passwordstatus

Cheerio
Shaba

0
 

Author Comment

by:Cecilpierce
ID: 24827633
Sorry, didn't know you replied. I tried to run your command but got an error.



Windows PowerShell
Copyright (C) 2006 Microsoft Corporation. All rights reserved.

PS C:\WINDOWS\system32> Get-QADUser |select-object displayname, passwordstatus
The term 'Get-QADUser' is not recognized as a cmdlet, function, operable progra
m, or script file. Verify the term and try again.
At line:1 char:12
+ Get-QADUser  <<<< |select-object displayname, passwordstatus
PS C:\WINDOWS\system32>

0
 

Author Comment

by:Cecilpierce
ID: 24828120
Perfect, got it working! Thank you so much.
0
 

Author Closing Comment

by:Cecilpierce
ID: 31599670
Just never used PowerShell, but I got it now.
0
 

Author Comment

by:Cecilpierce
ID: 24862876
I need some clarification on this command. Yes, it did return the value of when the passwords expire for some users, but not all users! It only shows for the months from the present date to November. Any ideas as to why this is?
0
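
The expiry arithmetic from the VBScript in the question, carried through to the question's second half (how many users a new maximum password age would affect), as an added example that is not part of the original thread. The function name Get-PasswordExpiry, the sample accounts, the 90-day policy and the fixed "now" date are all assumptions; in real use pwdLastSet and userAccountControl would be read from the directory.

```powershell
# Added example: every account below is constructed sample data, not real directory output.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # same userAccountControl flag the VBScript tests

function Get-PasswordExpiry {          # hypothetical helper name
    param(
        [string]$Name,
        [long]$PwdLastSet,             # pwdLastSet: 100-ns ticks since 1601-01-01 UTC (FILETIME)
        [int]$UserAccountControl,
        [int]$MaxAgeDays,              # proposed maximum password age; 0 means no expiry
        [datetime]$Now
    )
    $status = 'OK'; $expires = $null
    if ($UserAccountControl -band $ADS_UF_DONT_EXPIRE_PASSWD) {
        $status = 'NeverExpires'            # per-account flag overrides the domain policy
    } elseif ($MaxAgeDays -le 0) {
        $status = 'PolicyNoExpiry'
    } elseif ($PwdLastSet -eq 0) {
        $status = 'MustChangeAtNextLogon'   # pwdLastSet = 0 carries no usable date
    } else {
        $expires = [datetime]::FromFileTimeUtc($PwdLastSet).AddDays($MaxAgeDays)
        if ($expires -le $Now) { $status = 'Expired' }
    }
    New-Object PSObject -Property @{ Name = $Name; Status = $status; Expires = $expires }
}

$now = [datetime]'2009-07-03'          # fixed so the result is reproducible
$sample = @(                           # constructed accounts; UAC 0x200 = normal account
    @{ Name = 'alice';   PwdLastSet = ([datetime]'2009-06-20').ToFileTimeUtc(); UAC = 0x200 },
    @{ Name = 'bob';     PwdLastSet = ([datetime]'2009-01-10').ToFileTimeUtc(); UAC = 0x200 },
    @{ Name = 'svc-sql'; PwdLastSet = ([datetime]'2007-03-01').ToFileTimeUtc(); UAC = 0x10200 },
    @{ Name = 'newhire'; PwdLastSet = 0;                                        UAC = 0x200 }
)

$report = @($sample | ForEach-Object {
    Get-PasswordExpiry -Name $_.Name -PwdLastSet $_.PwdLastSet `
        -UserAccountControl $_.UAC -MaxAgeDays 90 -Now $now
})

$report | Sort-Object Name | Format-Table Name, Status, Expires -AutoSize

# Accounts whose password would already be past the proposed maximum age
$affected = @($report | Where-Object { $_.Status -eq 'Expired' })
"{0} of {1} accounts would be expired under a 90-day policy" -f $affected.Count, $report.Count
```

With the sample data only bob is reported as Expired; svc-sql is skipped because of the never-expires flag, and newhire has no date to compute from.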
