  • Status: Solved
  • Priority: Medium
  • Security: Public

Looking to find a way to identify all users who must change their password at next logon.

I need to identify all users that have to change their password the next time they log in.
2 Solutions
 
Chris DentPowerShell DeveloperCommented:

Do you mean because of password age policy? Or because the box has been ticked? Or both?

Chris
 
Mike KlineCommented:
Try AdFind by Joe Richards
http://www.joeware.net/freetools/tools/adfind/index.htm
adfind -default -f "(&(objectcategory=person)(objectclass=user)(pwdlastset=0))" samaccountname
That is if the check box is checked on the account.
Thanks
Mike
 
laverneunivAuthor Commented:
Basically, I am looking to get rid of lots of users that have never logged in.  We figured the best way to do that would be to get a list of users that still have the box checked.
 
Chris DentPowerShell DeveloperCommented:

Then Mike's suggestion will do quite nicely unless you wanted a specific scripting language :)

Chris
 
laverneunivAuthor Commented:
I haven't used AdFind in a while, but it seems to work in this case. I am getting some false positives though (users are listed in AdFind when I run the command you mentioned that don't have to change their passwords at next login).

Any ideas?
 
Mike KlineCommented:
Have those users ever set their password (are they new users, for example)?
 
laverneunivAuthor Commented:
I got a total of 377 users returned so I haven't checked all of them.  The ones I have checked can't change their passwords and their passwords don't expire.  For example the default guest account is listed even though it doesn't have to change its password and it is disabled.  Other accounts that are listed aren't disabled.
 
Chris DentPowerShell DeveloperCommented:

The Guest account will never have had a password set so pwdLastSet will be 0, even if the box isn't ticked. Perhaps include a filter to exclude disabled accounts and those with password never expires from the return?

We won't be able to trivially filter out "password cannot change"; that requires enumeration of the security descriptor (although I wouldn't be too surprised to find AdFind can do that :)).

Chris
 
Mike KlineCommented:
Good suggestion by Chris as usual
If you want to filter to only include the enabled accounts, use
adfind -default -bit -f "(&(objectcategory=person)(objectclass=user)(pwdlastset=0)(!userAccountControl:AND:=2))" samaccountname
Thanks
Mike
 
Chris DentPowerShell DeveloperCommented:

Chucking in Password Never Expires should give this:

adfind -default -bit -f "(&(objectcategory=person)(objectclass=user)(pwdlastset=0)(!userAccountControl:AND:=2)(!userAccountControl:AND:=65536))" samaccountname

The values for the flags are here:

http://msdn.microsoft.com/en-us/library/aa772300%28VS.85%29.aspx

Just don't try using the Cannot Change Password flag, it won't do any good :)

You know, wouldn't it be better to check lastLogonTimeStamp? Should be 01/01/1601 00:00:00 (MS Epoch) for accounts that never logged in shouldn't it?

Chris
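An added example, not part of the original thread: a Python model of the AdFind filters Mike and Chris built above and of Chris's lastLogonTimestamp idea. It assembles the equivalent standards-form LDAP filter using the bitwise-AND matching rule OID (1.2.840.113556.1.4.803) that AdFind's `-bit ... :AND:=` shorthand expands to, then applies the same conditions client-side to a constructed set of sample accounts (every name and value below is made up) so you can see which accounts each variant returns and why the Guest account is a false positive. Flag values are taken from the userAccountControl flag list Chris linked; note that "Password never expires" is DONT_EXPIRE_PASSWORD = 65536 (0x10000), while 64 (0x40) is PASSWD_CANT_CHANGE, which is not usable as a filter bit for the reason Chris gives.

```python
"""Offline model of the AdFind filters in this thread (added example, not from the
original thread). Flag values are from the userAccountControl (ADS_USER_FLAG_ENUM)
documentation; the sample accounts are constructed, not real directory data."""
from dataclasses import dataclass
from typing import List, Optional

# userAccountControl bits relevant to the thread
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
PASSWD_CANT_CHANGE = 0x0040      # documented value, but enforced via an ACE, not the attribute
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000   # "Password never expires"

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    PASSWD_CANT_CHANGE: "PASSWD_CANT_CHANGE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# LDAP_MATCHING_RULE_BIT_AND: the extensible-match OID behind AdFind's "-bit ... :AND:=" syntax
BIT_AND = "1.2.840.113556.1.4.803"


def must_change_filter(exclude_disabled: bool = True, exclude_never_expires: bool = True) -> str:
    """Build the standards-form LDAP filter equivalent to the AdFind commands above."""
    clauses = ["(objectCategory=person)", "(objectClass=user)", "(pwdLastSet=0)"]
    if exclude_disabled:
        clauses.append(f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE}))")
    if exclude_never_expires:
        clauses.append(f"(!(userAccountControl:{BIT_AND}:={DONT_EXPIRE_PASSWORD}))")
    return "(&" + "".join(clauses) + ")"


@dataclass
class Account:
    sam: str
    pwd_last_set: int                            # FILETIME; 0 = never set OR "must change" ticked
    uac: int
    last_logon_timestamp: Optional[int] = None   # None = attribute absent (no replicated logon)


def decode_uac(uac: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if uac & bit]


def matches(acct: Account, exclude_disabled: bool = True, exclude_never_expires: bool = True) -> bool:
    """Evaluate, client-side, exactly what the filter above asks the DC to evaluate."""
    if acct.pwd_last_set != 0:
        return False
    if exclude_disabled and acct.uac & ACCOUNTDISABLE:
        return False
    if exclude_never_expires and acct.uac & DONT_EXPIRE_PASSWORD:
        return False
    return True


def never_logged_on(acct: Account) -> bool:
    """Chris's alternative test: no lastLogonTimestamp (absent or 0) means no logon has been
    recorded. Caveat: the attribute only replicates when the stored value is older than
    roughly 14 days, and it exists only at Windows Server 2003 domain functional level or later."""
    return not acct.last_logon_timestamp


def candidates(accounts, **kw) -> List[str]:
    return [a.sam for a in accounts if matches(a, **kw)]


# Constructed sample directory; values chosen to reproduce the false positives seen in the thread
SAMPLE = [
    Account("Guest", 0, 0x10222),                                      # default Guest: disabled, never expires, no password ever set
    Account("newhire1", 0, NORMAL_ACCOUNT),                            # created, never logged on
    Account("svc_backup", 0, NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),   # never-expires service account, password never set
    Account("jdoe", 132_000_000_000_000_000, NORMAL_ACCOUNT, 132_100_000_000_000_000),
    Account("reset_user", 0, NORMAL_ACCOUNT, 132_050_000_000_000_000), # box ticked after a reset; has logged on before
]

if __name__ == "__main__":
    print(must_change_filter())
    print("pwdLastSet=0 only:      ", candidates(SAMPLE, exclude_disabled=False, exclude_never_expires=False))
    print("enabled, expiring only: ", candidates(SAMPLE))
    print("never logged on:        ", [a.sam for a in SAMPLE if never_logged_on(a)])
    print("Guest flags:            ", decode_uac(0x10222))
```

Two things the run makes visible that the filter alone does not: pwdLastSet=0 cannot distinguish "never had a password" (Guest, svc_backup) from "must change at next logon" (reset_user), so the author's real goal of finding never-used accounts is better served by the lastLogonTimestamp test; and even the tightened filter still returns reset_user, who has logged on before.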
 
skanderonCommented:
The program DumpSec, distributed by SomarSoft, Inc., provides reports on the contents of the SAM database.

This program is not a part of the basic Windows Server 2003 installation, and must be acquired separately.  This program is also distributed under the name DumpACL.

This program is accessed through the following procedure:

1. Click on the Start button.
2. Select Run from the Start Menu.
3. In the Run dialog box, enter the explicit path of the DumpSec application in the Open field.
4. Click on the OK button.

Upon completion, the DumpSec application should appear:

1. Select Dump Users as Table from the Report menu.
2. Select the available fields in the following sequence, and click on the Add button for each entry:
   UserName
   SID
   PswdRequired
   PswdExpires
   PswdLastSetTime
   LastLogonTime
   AcctDisabled
   Groups
3. Click OK to proceed.

Note: When DumpSec is run on a domain controller, check the box for Show true last logon time (i.e. search all logon servers).

Next, compare the report's output with the following check procedures. Some user accounts may appear repeatedly, because Groups is included in the report. Examining the time in the LastLogonTime column will help with dormant accounts.

Or

The following commands can be used on Windows 2003 Active Directory if DumpSec cannot be run.

Open a Command Prompt and enter:

dsquery user -inactive 5 -o rdn

(This command will only work if the Domain is at Windows Server 2003 functional level, not Windows 2000 Native.) A list of User Accounts that have been inactive for five weeks will be displayed.

Disabled Accounts can be determined by entering:

dsquery user -disabled -o rdn




 
CamecoITCommented:
 
Chris DentPowerShell DeveloperCommented:
Personally I recommend these:

Accept: mkline71 (http:#26194413)
Assist: Chris-Dent (http:#26194882)

Author feedback would be good of course :)

Cheers,

Chris
 
skanderonCommented:
To the author: they are all decent answers; it depends on the method you are trying to use.
 
Chris DentPowerShell DeveloperCommented:
I should explain why I didn't include those in my recommendation above.

While DumpSec is a good suggestion the manner in which the suggestion was posted is, in my opinion, somewhat lacking. It is a copy and paste from this:

http://teams.umkc.edu/campus/Security/Shared%20Documents/Server%20Security%20Checklist/W2K3%20Checklist%20-%20Section%205.DOC

It doesn't explicitly contain a copyright notice, but it is not original work and should not have been posted without a link citing the source.

I know the final link well, it's a link to a thread on the Powershell newsgroup run by MS. It does contain a number of fine examples, but I feel it would be very hard to pick them out, especially starting at page 3 when I get involved with debugging the scripts.

Chris
 
skanderonCommented:
That is quite interesting since the text was paraphrased from a DoD document, I will investigate further.  Thanks for the information.
