Solved

Active Directory Query

Posted on 2009-07-08
4
274 Views
Last Modified: 2012-05-07
I need to have someone explain to me how I can create a query in Windows 2003 AD that will allow me to query for user accounts that have no Account expiration date.  I tried the query wizard but could not find a selection with this account field for the descriptor.

0
Comment
Question by:rcaaron78
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24803335

Hey,

A custom search should do it. You're using AD Users and Computers for this?

The trick is, AccountExpires, the attribute behind the named box has an odd value if the account never expires.

So, give this a try in the Custom Search, Advanced box:

(&(objectClass=user)(objectCategory=person)(accountExpires=9223372036854775807))

It should give you every user account which doesn't expire.

Chris
0
 
LVL 7

Expert Comment

by:mchkorg
ID: 24811652
If you can use powershell - to automate the job once it's running fine

- install the powershell Quest's extensions - http://www.quest.com/powershell/
- adapt this powershell script and run it with an account having domain admin right

(if you run it "as this", it'll create a .CSV file with many fields you might not want)

At the end, call it from a .bat file, schedule it in windows

'hope it helps

Add-PSSnapin Quest.ActiveRoles.ADManagement
 
 
# ADAPT THIS:
$OU="OU=Userss,DC=yourcompany,DC=com"
 
$users = Get-QADUser -SearchRoot $OU -IncludedProperties "lastLogonTimestamp"
 
@(foreach($user in $users)
{
 
    $user | Select-Object parentContainer,DisplayName, LastLogonTimestamp,samaccountname,mail,accountexpires, `
    passwordLastSet, passwordExpires, accountIsDisabled, accountIsLockedOut, passwordNeverExpires, `
    userMustchangePassword
}) | export-Csv AD_lastlogon.csv -noType -encoding UTF8

Open in new window

0
 

Author Closing Comment

by:rcaaron78
ID: 31601055
Your solution was the correct query to ask, but the value that you gave only yielded about 10% of the affected users.  By changing this value to 0, I was able to get the query to return every user affected except one.  
0
 

Author Comment

by:rcaaron78
ID: 24860871
Chris,

I forgot to thank you for the solution.  For the most part, it worked great!  Take care.

Richard Aaron
Network Analyst
DRS TSI
Baghdad, Iraq
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question