Solved

VBScript:  PW Set to Never Expire

Posted on 2011-03-10
1
360 Views
Last Modified: 2012-08-14
Hi Experts,

    I'm trying to pull all  ACTIVE accounts that start with "NPS" that are set to "NEVER EXPIRE" in Active Directory.  The search would be based off their UPN prefix. i.e. "NPS0123456"

Logic:

1.)  Pull all active accounts where their UPN prefix begins with "NPS" Example filter to use in Script:

(&(objectCategory=person)(objectClass=user)(userPrincipalName=NPS*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)));adsPath,userPrincipalName;Subtree"

2.)  Pull all active NPS accounts that are set to "NEVER EXPIRE"

3.)  Produce and output report i.e. CSV with these finds.

    Any help you can provide is GREATLY APPRECIATED.

Thanks!
0
Comment
Question by:itsmevic
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 76

Accepted Solution

by:
David Lee earned 500 total points
ID: 35098174
Hi, itsmevic.

This should do it.
Const ADS_UF_SCRIPT = 1
Const ADS_UF_ACCOUNTDISABLE = 2
Const ADS_UF_HOMEDIR_REQUIRED = 8
Const ADS_UF_LOCKOUT = 16
Const ADS_UF_PASSWD_NOTREQD = 32
Const ADS_UF_PASSWD_CANT_CHANGE = 64
Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 128
Const ADS_UF_TEMP_DUPLICATE_ACCOUNT = 256
Const ADS_UF_NORMAL_ACCOUNT = 512
Const ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 2048
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = 4096
Const ADS_UF_SERVER_TRUST_ACCOUNT = 8192
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536
Const ADS_UF_MNS_LOGON_ACCOUNT = 131072
Const ADS_UF_SMARTCARD_REQUIRED = 262144
Const ADS_UF_TRUSTED_FOR_DELEGATION = 524288
Const ADS_UF_NOT_DELEGATED = 1048576
Const ADS_UF_USE_DES_KEY_ONLY = 2097152
Const ADS_UF_DONT_REQUIRE_PREAUTH = 4194304
Const ADS_UF_PASSWORD_EXPIRED = 8388608
Const ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 16777216


Dim adoCmd, adoCon, adoRS, objUser, objFSO, objFil

Set objFSO = CreateObject("Scripting.fileSystemObject")
Set objFil = objFSO.CreateTextFile("C:\Non-expiring Accounts.csv",True)

Set adoCon = CreateObject("ADODB.Connection")
adoCon.Provider = "ADsDSOObject"
adoCon.CursorLocation = 3
adoCon.Open "ADSI"
Set adoCmd = CreateObject("ADODB.Command")
adoCmd.ActiveConnection = adoCon
'On the next line enter your domain name in place of company.com'
adoCmd.CommandText = "SELECT userPrincipalName,userAccountControl,ADsPath FROM 'LDAP://company.com' WHERE objectClass='user' AND objectCategory='Person' ORDER BY userPrincipalName"
adoCmd.Properties("Size Limit") = 5000
adoCmd.Properties("Page Size") = 100
adoCmd.Properties("Timeout") = 30
adoCmd.Properties("Cache Results") = False
Set adoRS = adoCmd.Execute()

Do Until adoRS.EOF
	Set objUser = GetObject(adoRS.Fields("ADsPath"))
	If Left(adoRS.Fields("userPrincipalName").Value,3) = "NPS" Then
		If (adoRS.Fields("userAccountControl") And ADS_UF_DONT_EXPIRE_PASSWD) Then
			objFil.WriteLine adoRS.Fields("userPrincipalName").Value
		End If
	End If
	adoRS.MoveNext
Loop
objFil.Close
Set objFil = Nothing
Set objFSO = Nothing
adoRS.Close
Set adoRS = Nothing
adoCon.Close
Set adoCon = Nothing
Set adoCmd = Nothing

Open in new window

0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

631 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question