asked on

Active Directory Query

I need to have someone explain to me how I can create a query in Windows 2003 AD that will allow me to query for user accounts that have no Account expiration date. I tried the query wizard but could not find a selection with this account field for the descriptor.

ASKER CERTIFIED SOLUTION

Chris Dent

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

mchkorg

If you can use powershell - to automate the job once it's running fine

- install the powershell Quest's extensions - http://www.quest.com/powershell/
- adapt this powershell script and run it with an account having domain admin right

(if you run it "as this", it'll create a .CSV file with many fields you might not want)

At the end, call it from a .bat file, schedule it in windows

'hope it helps

Add-PSSnapin Quest.ActiveRoles.ADManagement
 
 
# ADAPT THIS:
$OU="OU=Userss,DC=yourcompany,DC=com"
 
$users = Get-QADUser -SearchRoot $OU -IncludedProperties "lastLogonTimestamp"
 
@(foreach($user in $users)
{
 
    $user | Select-Object parentContainer,DisplayName, LastLogonTimestamp,samaccountname,mail,accountexpires, `
    passwordLastSet, passwordExpires, accountIsDisabled, accountIsLockedOut, passwordNeverExpires, `
    userMustchangePassword
}) | export-Csv AD_lastlogon.csv -noType -encoding UTF8

Open in new window

rcaaron78

ASKER

Your solution was the correct query to ask, but the value that you gave only yielded about 10% of the affected users. By changing this value to 0, I was able to get the query to return every user affected except one.

rcaaron78

ASKER

Chris,

I forgot to thank you for the solution. For the most part, it worked great! Take care.

Richard Aaron
Network Analyst
DRS TSI
Baghdad, Iraq