domain password expire script

Posted on 2009-07-03
Last Modified: 2012-08-13
I need a script that will tell me when all user domain passwords will expire. I have found some but they are not working. I found this one but it tells me the name is wrong. I need to set my password expire GPO and would like to know how many users will be affected.
Option Explicit

Call PwdExpiryInfo

Sub PwdExpiryInfo()
' Version 1.0
' Written by Krystian Karia
' Dated 04/05/2009

' Gets a list of users from the group
' specified and then checks their
' Password Expiry date.

' NOTE: Script must be run in a CMD.exe
' window as: CScript.exe ScriptName.vbs
' This is due to the number of outputs
' that is created.

' Catch errors ourselves
'     On Error Resume Next

' Declare Variables
    Dim iTimeInterval, iMaxPwdAge
    Dim i, intUACvalue
    Dim dtmPwdChanged
    Dim objUserLDAP
    Dim arrMembers

    ' userAccountControl flag: password never expires
    Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
    Const sGroup = "CN=Administrators,OU=Groups,DC=Domain,DC=local" ' < Specify your group name here

' Get the list of users from the given group
    arrMembers = GetMembers(sGroup)
    If IsNull(arrMembers) Then
        ShowProgress "Check your group name or its member list"
        EndScript
    End If

' Loop each user to check password expiry date
    For i = 0 To UBound(arrMembers)
        If arrMembers(i) <> "" Then
            ShowProgress ""
            Set objUserLDAP = GetObject(arrMembers(i))
            intUACvalue = objUserLDAP.Get("userAccountControl")

            If intUACvalue And ADS_UF_DONT_EXPIRE_PASSWD Then
                ShowProgress objUserLDAP.sAMAccountName
                ShowProgress " Password does not expire"
            Else
                dtmPwdChanged = objUserLDAP.PasswordLastChanged
                iTimeInterval = CInt(Now - dtmPwdChanged)
                iMaxPwdAge = GetMaxPwdAge

                ShowProgress objUserLDAP.sAMAccountName
                ShowProgress " Password was last changed " & dtmPwdChanged
                ShowProgress " Which was " & iTimeInterval & " days ago"

                If iMaxPwdAge < 0 Then
                    ShowProgress " Password does not expire (Domain Policy's Maximum Password Age set to 0)"
                Else
                    ShowProgress " The Domain Policy Max Password Age is " & iMaxPwdAge & " Days"
                    If iTimeInterval >= iMaxPwdAge Then
                        ShowProgress " The password has expired."
                    Else
                        ShowProgress " The password will expire in " & CInt((dtmPwdChanged + iMaxPwdAge) - Now()) & " Days"
                    End If
                End If 'iMaxPwdAge
            End If 'intUACvalue
        End If
    Next ' arrMembers

End Sub ' PwdExpiryInfo


Function GetMembers(strGroup)
' Version 1.4
' Written by Krystian Karia
' Dated 04/05/2009

' Returns the LDAP path of each
' user from the given group

' Catch errors ourselves
    On Error Resume Next

' Declare variables
    Dim oGroup, oUser
    Dim strName
    Dim arrUsers

' Check parameters
    If strGroup = "" Then
        GetMembers = Null
        Exit Function
    End If

' Bind to group using the correct ADSI connector
    Set oGroup = GetObject("LDAP://" & strGroup)
    If Err.Number <> 0 Then
        ShowProgress "An error occurred binding to the group " & strGroup
        GetMembers = Null
        Exit Function
    End If

' Loop group members
    For Each oUser In oGroup.Members
        strName = strName & oUser.ADsPath & vbNewLine
    Next

' Create an array of members
    If Trim(strName) <> "" Then
        arrUsers = Split(strName, vbNewLine)
        GetMembers = arrUsers
    Else
        GetMembers = Null
    End If

End Function ' GetMembers


Function GetMaxPwdAge()
' Version 1.0

' Returns the Maximum Password Age
' which is usually set in the GPO
' named "Default Domain Policy"

' Catch errors ourselves
    On Error Resume Next

' Declare Variables
    Dim oRootDSE, oDomain, oMaxPwdAge
    Dim lngHighPart, lngLowPart
    Dim strDomainDN

' Get the current Domain DN
    Set oRootDSE = GetObject("LDAP://RootDSE")
    strDomainDN = oRootDSE.Get("DefaultNamingContext")

' Bind to current Domain
    Set oDomain = GetObject("LDAP://" & strDomainDN)
    Set oMaxPwdAge = oDomain.MaxPwdAge

' Get the 2 parts of the Integer8 value to get 2 32 bit values
    lngHighPart = oMaxPwdAge.HighPart
    lngLowPart = oMaxPwdAge.LowPart

' If the LowPart is less than 0 then we need to add 1 to the HighPart
    If (lngLowPart < 0) Then
        lngHighPart = lngHighPart + 1
    End If

' Return the value in Days (Integer8 is in 100-nanosecond units, stored negative)
    GetMaxPwdAge = -((lngHighPart * 2^32) + lngLowPart)/(600000000 * 1440)

End Function ' GetMaxPwdAge


Sub ShowProgress(sComment)
    WScript.Echo sComment
End Sub


Sub EndScript
    ' Stop the script (called when the group lookup fails)
    WScript.Quit
End Sub


Question by:Cecilpierce

Accepted Solution

Shabarinath Ramadasan earned 500 total points
ID: 24776935
I would prefer using PowerShell here.
Install Quest PowerShell for Active Directory.

Use this command:
Get-QADUser |select-object displayname, passwordstatus



Author Comment

ID: 24827633
Sorry, didn't know you replied. I tried to run your command but got an error:

Windows PowerShell
Copyright (C) 2006 Microsoft Corporation. All rights reserved.

PS C:\WINDOWS\system32> Get-QADUser |select-object displayname, passwordstatus
The term 'Get-QADUser' is not recognized as a cmdlet, function, operable progra
m, or script file. Verify the term and try again.
At line:1 char:12
+ Get-QADUser  <<<< |select-object displayname, passwordstatus
PS C:\WINDOWS\system32>


Author Comment

ID: 24828120
Perfect, got it working! Thank you so much.

Author Closing Comment

ID: 31599670
Just never used PowerShell, but I got it now.

Author Comment

ID: 24862876
I need some clarification on this command. Yes, it did return the value of when the passwords expire for some users, but not all users! It only shows for the months from present date to November. Any ideas as to why this is?
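
An added example, not part of the original thread: a what-if report for the question's stated goal of knowing how many users a new password-expiry GPO would affect. It assumes Microsoft's ActiveDirectory module (RSAT) and PowerShell 3.0 or later instead of the Quest cmdlets used in the answer; `$ProposedMaxAgeDays` is a hypothetical value to replace with the planned setting.

```powershell
# Added example: classify every enabled user against a proposed maximum password age.
Import-Module ActiveDirectory

$ProposedMaxAgeDays = 90     # assumption: the max age you plan to set in the GPO
$now = Get-Date

$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    ForEach-Object {
        $ageDays   = $null
        $expiresOn = $null

        if ($_.PasswordNeverExpires) {
            # Same userAccountControl flag (0x10000) the VBScript tests
            $status = 'NeverExpires'
        }
        elseif (-not $_.PasswordLastSet) {
            # pwdLastSet = 0: never set, or flagged "must change at next logon"
            $status = 'NoPasswordLastSet'
        }
        else {
            $ageDays   = [int][math]::Floor(($now - $_.PasswordLastSet).TotalDays)
            $expiresOn = $_.PasswordLastSet.AddDays($ProposedMaxAgeDays)
            if ($expiresOn -le $now) { $status = 'ExpiredUnderNewPolicy' }
            else                     { $status = 'OK' }
        }

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            AgeDays         = $ageDays
            ExpiresOn       = $expiresOn
            Status          = $status
        }
    }

# How many accounts fall into each bucket
$report | Group-Object Status | Select-Object Name, Count

# The accounts that would be forced to change their password immediately
$report | Where-Object Status -eq 'ExpiredUnderNewPolicy' |
    Sort-Object AgeDays -Descending |
    Format-Table SamAccountName, PasswordLastSet, AgeDays -AutoSize
```

The report applies one domain-wide maximum age; accounts covered by a fine-grained password policy follow that policy's own maximum age instead.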
