laverneuniv (ASKER)
Looking to find way to identify all users who must change their password at next logon.

I need to identify all users that have to change their password the next time they login.
Chris Dent

Do you mean because of password age policy? Or because the box has been ticked? Or both?

Chris
ASKER CERTIFIED SOLUTION
Mike Kline
laverneuniv (ASKER)

Basically, I am looking to get rid of lots of users that have never logged in.  We figured the best way to do that would be to get a list of users that still have the box checked.

Then Mike's suggestion will do quite nicely unless you wanted a specific scripting language :)

Chris
I haven't used Adfind in a while, but it seems to work in this case.  I am getting some false positives though (users are listed in ADfind when I run the command you mentioned that don't have to change their passwords at next login).  

Any ideas?
Have those users ever set their password (are they new users, for example)?
I got a total of 377 users returned so I haven't checked all of them.  The ones I have checked can't change their passwords and their passwords don't expire.  For example the default guest account is listed even though it doesn't have to change its password and it is disabled.  Other accounts that are listed aren't disabled.
SOLUTION
Good suggestion by Chris as usual.
If you want to filter to only include the enabled accounts, use
adfind -default -bit -f  "&(objectcategory=person)(objectclass=user)(pwdlastset=0)(!userAccountControl:AND:=2)"  samaccountname  
Thanks
Mike

Chucking in Password Never Expires should give this:

adfind -default -bit -f  "&(objectcategory=person)(objectclass=user)(pwdlastset=0)(!userAccountControl:AND:=2)(!userAccountControl:AND:=64)"  samaccountname  

The values for the flags are here:

http://msdn.microsoft.com/en-us/library/aa772300%28VS.85%29.aspx

Just don't try using the Cannot Change Password flag, it won't do any good :)

You know, wouldn't it be better to check lastLogonTimeStamp? Should be 01/01/1601 00:00:00 (MS Epoch) for accounts that never logged in shouldn't it?

Chris
The program DumpSec, distributed by SomarSoft, Inc., provides reports on the contents of the SAM database.

This program is not a part of the basic Windows Server 2003 installation, and must be acquired separately.  This program is also distributed under the name DumpACL.

This program is accessed through the following procedures:

Click on the Start button.
Select Run from the Start Menu.
In the Run dialog box, enter the explicit path of the DumpSec application in the Open field.
Click on the OK button.

Upon completion, the DumpSec application should appear:
Select Dump Users as Table from the Report menu.
Select the available fields in the following sequence, and click on the Add button for each entry:
UserName
SID
PswdRequired
PswdExpires
PswdLastSetTime
LastLogonTime
AcctDisabled
Groups
Click OK to proceed.



Note:  When DumpSec is run on a domain controller, check the box for Show true last logon time (i.e. search all logon servers).
Next, compare the reports output with the following check procedures.  Some user accounts may appear repetitively, because Groups is included in the report.
Examining the time in the LastLogonTime column will help with dormant accounts.

Or
The following commands can be used on Windows 2003 Active Directory if DumpSec cannot be run.  

Open a Command Prompt
Enter dsquery user -inactive 5 -o rdn (This command will only work if the Domain is at Windows Server 2003 functional level, not Windows 2000 Native.)
A list of User Accounts that have been inactive for five weeks will be displayed.

Disabled Accounts can be determined by using the following:
Enter dsquery user -disabled -o rdn
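As an added example (not code from this thread, from AdFind, from dsquery or from any of the linked documents), the script below applies the same account checks discussed in this thread to constructed sample records: the pwdLastSet=0 test with the userAccountControl exclusions from Mike's and Chris's adfind filters, the lastLogonTimestamp "never logged in" test Chris raises, and the inactive-weeks and disabled checks that the dsquery commands above perform. The flag values come from the MSDN userAccountControl page linked earlier: ACCOUNTDISABLE is 0x2, DONT_EXPIRE_PASSWORD is 0x10000 (65536), and 0x40 (64) is PASSWD_CANT_CHANGE, the flag the thread warns is of no use here. The account names, attribute values and the fixed "now" date are all made up for the demonstration.

```python
# Added example, not from the thread: evaluates the account conditions the
# adfind filters and dsquery commands above express, against constructed
# sample records. Flag values are from the linked MSDN userAccountControl
# page; the sample accounts and the "now" timestamp are made up.
from datetime import datetime, timedelta, timezone

# userAccountControl bits
ACCOUNTDISABLE = 0x0002         # the "2" in (!userAccountControl:AND:=2)
PASSWD_CANT_CHANGE = 0x0040     # 64: "cannot change password" is stored as an
                                # ACE on the object, so this bit is not honoured
DONT_EXPIRE_PASSWORD = 0x10000  # 65536: the "Password never expires" box

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

# pwdLastSet and lastLogonTimestamp are FILETIME values: 100-ns ticks since
# 1601-01-01 UTC, hence 01/01/1601 00:00:00 for an account that never logged on.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def bit_and(uac, mask):
    """What (userAccountControl:1.2.840.113556.1.4.803:=mask) tests; with
    adfind -bit the same clause is written userAccountControl:AND:=mask."""
    return (uac & mask) == mask


def must_change_ldap_filter():
    """The thread's adfind filter in standard LDAP syntax, usable with any
    LDAP client (for instance Get-ADUser -LDAPFilter)."""
    return ("(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)"
            f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))"
            f"(!(userAccountControl:{BIT_AND_RULE}:={DONT_EXPIRE_PASSWORD})))")


def must_change_at_next_logon(acct):
    """pwdLastSet=0 is what AD stores when "User must change password at next
    logon" is ticked (or no password was ever set). On its own it also matches
    disabled and never-expires accounts such as Guest, which is the
    false-positive problem reported in the thread."""
    return acct["pwdLastSet"] == 0


def must_change_filtered(acct):
    """pwdLastSet=0 with both userAccountControl exclusions applied."""
    uac = acct["userAccountControl"]
    return (must_change_at_next_logon(acct)
            and not bit_and(uac, ACCOUNTDISABLE)
            and not bit_and(uac, DONT_EXPIRE_PASSWORD))


def never_logged_on(acct):
    return acct["lastLogonTimestamp"] == 0


def is_disabled(acct):
    """Equivalent of dsquery user -disabled."""
    return bit_and(acct["userAccountControl"], ACCOUNTDISABLE)


def inactive_for(acct, weeks, now):
    """Equivalent of dsquery user -inactive <weeks>: no logon in that period."""
    last = filetime_to_datetime(acct["lastLogonTimestamp"])
    return now - last >= timedelta(weeks=weeks)


def report(accounts, now, weeks=5):
    def names(pred):
        return [a["sAMAccountName"] for a in accounts if pred(a)]
    return {
        "pwdLastSet=0 only": names(must_change_at_next_logon),
        "pwdLastSet=0, enabled, expiring": names(must_change_filtered),
        "never logged on": names(never_logged_on),
        f"inactive {weeks} weeks": names(lambda a: inactive_for(a, weeks, now)),
        "disabled": names(is_disabled),
    }


# Constructed sample data (not real accounts). NORMAL_ACCOUNT (0x200 = 512)
# is set on every ordinary user, so 512 is the baseline value.
NOW = datetime(2010, 1, 20, tzinfo=timezone.utc)  # made-up reference date


def ago(**kw):
    return datetime_to_filetime(NOW - timedelta(**kw))


SAMPLE = [
    {"sAMAccountName": "newhire", "userAccountControl": 512,
     "pwdLastSet": 0, "lastLogonTimestamp": 0},
    {"sAMAccountName": "Guest", "userAccountControl": 512 | 2 | 0x10000,
     "pwdLastSet": 0, "lastLogonTimestamp": 0},
    {"sAMAccountName": "svc_backup", "userAccountControl": 512 | 0x10000,
     "pwdLastSet": 0, "lastLogonTimestamp": 0},
    {"sAMAccountName": "jsmith", "userAccountControl": 512,
     "pwdLastSet": ago(days=30), "lastLogonTimestamp": ago(days=2)},
    {"sAMAccountName": "oldtimer", "userAccountControl": 512,
     "pwdLastSet": ago(days=90), "lastLogonTimestamp": ago(weeks=8)},
    {"sAMAccountName": "leaver", "userAccountControl": 512 | 2,
     "pwdLastSet": ago(days=200), "lastLogonTimestamp": ago(weeks=20)},
]

if __name__ == "__main__":
    for label, users in report(SAMPLE, NOW).items():
        print(f"{label:33} {', '.join(users)}")
```

Running the script prints one line per check. Only "newhire" survives the filtered check, while Guest and the never-expires service account drop out, which is the same effect the userAccountControl exclusions have in the adfind filter. The string from must_change_ldap_filter() can be handed to any LDAP client to get the real answer from the directory. Treat the inactive-weeks result as approximate: lastLogonTimestamp is replicated lazily (by default only when the stored value is more than 9 to 14 days old), so it is suitable for finding dormant accounts, not for short windows.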




Personally I recommend these:

Accept: mkline71 (http:#26194413)
Assist: Chris-Dent (http:#26194882)

Author feedback would be good of course :)

Cheers,

Chris
To the author: they are all decent answers; it depends on the method you are trying to use.
I should explain why I didn't include those in my recommendation above.

While DumpSec is a good suggestion the manner in which the suggestion was posted is, in my opinion, somewhat lacking. It is a copy and paste from this:

http://teams.umkc.edu/campus/Security/Shared%20Documents/Server%20Security%20Checklist/W2K3%20Checklist%20-%20Section%205.DOC

It doesn't explicitly contain a copyright notice, but it is not original work and should not have been posted without a link citing the source.

I know the final link well, it's a link to a thread on the PowerShell newsgroup run by MS. It does contain a number of fine examples, but I feel it would be very hard to pick them out, especially starting at page 3 when I get involved with debugging the scripts.

Chris
That is quite interesting since the text was paraphrased from a DoD document, I will investigate further.  Thanks for the information.