laverneuniv
Looking for a way to identify all users who must change their password at next logon.
I need to identify all users that have to change their password the next time they login.
ASKER
Basically, I am looking to get rid of lots of users that have never logged in. We figured the best way to do that would be to get a list of users that still have the box checked.
Then Mike's suggestion will do quite nicely unless you wanted a specific scripting language :)
Chris
ASKER
I haven't used Adfind in a while, but it seems to work in this case. I am getting some false positives though (users are listed in ADfind when I run the command you mentioned that don't have to change their passwords at next login).
Any ideas?
Have those users ever set their password (are they new users, for example)?
ASKER
I got a total of 377 users returned so I haven't checked all of them. The ones I have checked can't change their passwords and their passwords don't expire. For example the default guest account is listed even though it doesn't have to change its password and it is disabled. Other accounts that are listed aren't disabled.
Good suggestion by Chris as usual
If you want to filter to only include the enabled accounts, use
adfind -default -bit -f "(&(objectcategory=person)(objectclass=user)(pwdlastset=0)(!(userAccountControl:AND:=2)))" samaccountname
Thanks
Mike
Chucking in Password Never Expires should give this:
adfind -default -bit -f "&(objectcategory=person)(
The values for the flags are here:
http://msdn.microsoft.com/en-us/library/aa772300%28VS.85%29.aspx
Just don't try using the Cannot Change Password flag, it won't do any good :)
You know, wouldn't it be better to check lastLogonTimeStamp? It should be 01/01/1601 00:00:00 (the MS epoch) for accounts that have never logged in, shouldn't it?
Chris
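Mike's filter and Chris's two additions (exclude the Password Never Expires bit, then look at lastLogonTimestamp), written up as one PowerShell script. This is an added example, not code posted in the thread. It assumes the RSAT ActiveDirectory module (Get-ADUser shipped with Windows Server 2008 R2, so it is newer than the adfind/dsquery tooling discussed above) and the OU passed to -SearchBase is a placeholder. Get-ADUser's -LDAPFilter does not understand adfind's :AND: shorthand, so the bitwise match is spelled out with the LDAP_MATCHING_RULE_BIT_AND OID. Excluding the disabled and password-never-expires bits is also what removes the built-in Guest account that the asker saw as a false positive.

```powershell
# Added example, not code from the thread. Requires the RSAT ActiveDirectory module;
# the OU passed to -SearchBase is a placeholder you must replace.
Import-Module ActiveDirectory

# userAccountControl bits (values from the MSDN page linked above).
$UAC_ACCOUNTDISABLE     = 0x00002   # account is disabled
$UAC_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires"

# LDAP_MATCHING_RULE_BIT_AND: the OID that adfind -bit abbreviates as :AND:.
$BIT_AND = '1.2.840.113556.1.4.803'

function Get-MustChangePasswordUser {
    param([Parameter(Mandatory)][string]$SearchBase)

    # pwdLastSet=0 is what ticking "User must change password at next logon"
    # writes, but it is also the value for an account whose password was never set,
    # which is where the false positives in the thread come from.
    $filter = "(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)" +
              "(!(userAccountControl:${BIT_AND}:=$UAC_ACCOUNTDISABLE))" +
              "(!(userAccountControl:${BIT_AND}:=$UAC_DONT_EXPIRE_PASSWD)))"

    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase `
        -Properties pwdLastSet, lastLogonTimestamp, userAccountControl, whenCreated |
    ForEach-Object {
        # lastLogonTimestamp is absent for an account that has never logged on
        # since the domain reached the Windows Server 2003 functional level.
        $lastLogon = if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)
        } else { $null }

        [PSCustomObject]@{
            SamAccountName       = $_.SamAccountName
            Enabled              = -not ($_.userAccountControl -band $UAC_ACCOUNTDISABLE)
            PasswordNeverExpires = [bool]($_.userAccountControl -band $UAC_DONT_EXPIRE_PASSWD)
            NeverLoggedOn        = ($null -eq $lastLogon)
            LastLogonUtc         = $lastLogon
            Created              = $_.whenCreated
        }
    }
}

# Usage: enabled accounts that must change their password and have never logged on
# are the "never used" accounts the asker wants to get rid of.
Get-MustChangePasswordUser -SearchBase 'OU=Users,DC=example,DC=com' |
    Where-Object { $_.NeverLoggedOn } |
    Sort-Object Created |
    Format-Table SamAccountName, Created, Enabled -AutoSize
```

Keep the Created column in view before deleting anything: a user created yesterday with the box ticked looks identical to a five-year-old account nobody ever used, and only the creation date separates them.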
The program DumpSec, distributed by SomarSoft, Inc., provides reports on the contents of the SAM database.
This program is not a part of the basic Windows Server 2003 installation, and must be acquired separately. This program is also distributed under the name DumpACL.
This program is accessed through the following procedures:
Click on the Start button.
Select Run from the Start Menu.
In the Run dialog box, enter the explicit path of the DumpSec application in the Open field.
Click on the OK button.
Upon completion, the DumpSec application should appear:
- Select Dump Users as Table from the Report menu.
- Select the available fields in the following sequence, and click on the Add button for each entry:
  UserName
  SID
  PswdRequired
  PswdExpires
  PswdLastSetTime
  LastLogonTime
  AcctDisabled
  Groups
- Click OK to proceed.
Note: When DumpSec is run on a domain controller, check the box for Show true last logon time (i.e. search all logon servers).
Next, compare the reports output with the following check procedures. Some user accounts may appear repetitively, because Groups is included in the report.
Examining the time in the LastLogonTime column will help with dormant accounts.
Or
The following commands can be used on Windows 2003 Active Directory if DumpSec cannot be run.
Open a Command Prompt
Enter: dsquery user -inactive 5 -o rdn (This command will only work if the domain is at Windows Server 2003 functional level, not Windows 2000 Native.)
A list of user accounts that have been inactive for five weeks will be displayed.
Disabled accounts can be determined by using the following:
Enter: dsquery user -disabled -o rdn
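The two dsquery commands above, and the "Show true last logon time (search all logon servers)" note from the DumpSec steps, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module; the OU and the five-week window are placeholders taken from the dsquery lines. The caveat it carries is the one a practitioner needs before acting on the list: both dsquery -inactive and Search-ADAccount read lastLogonTimestamp, which is deliberately replicated only coarsely, whereas the exact lastLogon value lives on each domain controller separately.

```powershell
# Added example, not code from the post above. Requires the RSAT ActiveDirectory module;
# the OU and the five-week window are placeholders mirroring the dsquery commands.
Import-Module ActiveDirectory

$searchBase  = 'OU=Users,DC=example,DC=com'   # placeholder
$inactiveFor = New-TimeSpan -Days (5 * 7)     # dsquery user -inactive 5 counts weeks

# Equivalent of: dsquery user -inactive 5 -o rdn
# Search-ADAccount evaluates lastLogonTimestamp, as dsquery -inactive does, so it
# needs the same Windows Server 2003 domain functional level.
$inactive = Search-ADAccount -AccountInactive -TimeSpan $inactiveFor -UsersOnly -SearchBase $searchBase

# Equivalent of: dsquery user -disabled -o rdn
$disabled = Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $searchBase

# Caveat: lastLogonTimestamp is only rewritten when the stored value is more than
# msDS-LogonTimeSyncInterval (default 14 days, less a random 0-5 days) old, so
# "inactive for 5 weeks" is only accurate to within about two weeks. The precise
# attribute, lastLogon, is never replicated; DumpSec's "search all logon servers"
# option and the function below both recover it by asking every domain controller.
function Get-TrueLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $newest = [long]0
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
        if ($u.lastLogon -and $u.lastLogon -gt $newest) { $newest = $u.lastLogon }
    }
    if ($newest -eq 0) { return $null }   # never logged on at any DC
    [DateTime]::FromFileTimeUtc($newest)
}

# Dormant but still enabled accounts, with the true last logon confirmed per DC.
$inactive | Where-Object { $_.Enabled } | ForEach-Object {
    [PSCustomObject]@{
        SamAccountName = $_.SamAccountName
        LastLogonUtc   = Get-TrueLastLogon -SamAccountName $_.SamAccountName
    }
} | Sort-Object LastLogonUtc | Format-Table -AutoSize

"Disabled accounts: $($disabled.Count)"
```

Querying every DC per user is slow in a large forest; run it only over the candidate list produced by the coarse lastLogonTimestamp search, as the script does, not over the whole directory.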
Look at this thread, if you're okay using PowerShell:
hXXp://www.vistax64.com/powershell/201888-script-determine-password-expire-date-send-email-notificati-3.html
Personally I recommend these:
Accept: mkline71 (http:#26194413)
Assist: Chris-Dent (http:#26194882)
Author feedback would be good of course :)
Cheers,
Chris
To the author: they are all decent answers; it depends on the method you are trying to use.
I should explain why I didn't include those in my recommendation above.
While DumpSec is a good suggestion the manner in which the suggestion was posted is, in my opinion, somewhat lacking. It is a copy and paste from this:
http://teams.umkc.edu/campus/Security/Shared%20Documents/Server%20Security%20Checklist/W2K3%20Checklist%20-%20Section%205.DOC
It doesn't explicitly contain a copyright notice, but it is not original work and should not have been posted without a link citing the source.
I know the final link well, it's a link to a thread on the Powershell newsgroup run by MS. It does contain a number of fine examples, but I feel it would be very hard to pick them out, especially starting at page 3 when I get involved with debugging the scripts.
Chris
That is quite interesting since the text was paraphrased from a DoD document, I will investigate further. Thanks for the information.
Do you mean because of password age policy? Or because the box has been ticked? Or both?
Chris