Solved

VBScript:  PW Set to Never Expire

Posted on 2011-03-10
1
357 Views
Last Modified: 2012-08-14
Hi Experts,

    I'm trying to pull all  ACTIVE accounts that start with "NPS" that are set to "NEVER EXPIRE" in Active Directory.  The search would be based off their UPN prefix. i.e. "NPS0123456"

Logic:

1.)  Pull all active accounts where their UPN prefix begins with "NPS" Example filter to use in Script:

(&(objectCategory=person)(objectClass=user)(userPrincipalName=NPS*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)));adsPath,userPrincipalName;Subtree"

2.)  Pull all active NPS accounts that are set to "NEVER EXPIRE"

3.)  Produce and output report i.e. CSV with these finds.

    Any help you can provide is GREATLY APPRECIATED.

Thanks!
0
Comment
Question by:itsmevic
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 76

Accepted Solution

by:
David Lee earned 500 total points
ID: 35098174
Hi, itsmevic.

This should do it.
Const ADS_UF_SCRIPT = 1
Const ADS_UF_ACCOUNTDISABLE = 2
Const ADS_UF_HOMEDIR_REQUIRED = 8
Const ADS_UF_LOCKOUT = 16
Const ADS_UF_PASSWD_NOTREQD = 32
Const ADS_UF_PASSWD_CANT_CHANGE = 64
Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 128
Const ADS_UF_TEMP_DUPLICATE_ACCOUNT = 256
Const ADS_UF_NORMAL_ACCOUNT = 512
Const ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 2048
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = 4096
Const ADS_UF_SERVER_TRUST_ACCOUNT = 8192
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536
Const ADS_UF_MNS_LOGON_ACCOUNT = 131072
Const ADS_UF_SMARTCARD_REQUIRED = 262144
Const ADS_UF_TRUSTED_FOR_DELEGATION = 524288
Const ADS_UF_NOT_DELEGATED = 1048576
Const ADS_UF_USE_DES_KEY_ONLY = 2097152
Const ADS_UF_DONT_REQUIRE_PREAUTH = 4194304
Const ADS_UF_PASSWORD_EXPIRED = 8388608
Const ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 16777216


Dim adoCmd, adoCon, adoRS, objUser, objFSO, objFil

Set objFSO = CreateObject("Scripting.fileSystemObject")
Set objFil = objFSO.CreateTextFile("C:\Non-expiring Accounts.csv",True)

Set adoCon = CreateObject("ADODB.Connection")
adoCon.Provider = "ADsDSOObject"
adoCon.CursorLocation = 3
adoCon.Open "ADSI"
Set adoCmd = CreateObject("ADODB.Command")
adoCmd.ActiveConnection = adoCon
'On the next line enter your domain name in place of company.com'
adoCmd.CommandText = "SELECT userPrincipalName,userAccountControl,ADsPath FROM 'LDAP://company.com' WHERE objectClass='user' AND objectCategory='Person' ORDER BY userPrincipalName"
adoCmd.Properties("Size Limit") = 5000
adoCmd.Properties("Page Size") = 100
adoCmd.Properties("Timeout") = 30
adoCmd.Properties("Cache Results") = False
Set adoRS = adoCmd.Execute()

Do Until adoRS.EOF
	Set objUser = GetObject(adoRS.Fields("ADsPath"))
	If Left(adoRS.Fields("userPrincipalName").Value,3) = "NPS" Then
		If (adoRS.Fields("userAccountControl") And ADS_UF_DONT_EXPIRE_PASSWD) Then
			objFil.WriteLine adoRS.Fields("userPrincipalName").Value
		End If
	End If
	adoRS.MoveNext
Loop
objFil.Close
Set objFil = Nothing
Set objFSO = Nothing
adoRS.Close
Set adoRS = Nothing
adoCon.Close
Set adoCon = Nothing
Set adoCmd = Nothing

Open in new window

0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question