Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 998
  • Last Modified:

Powershell: Search for Users with "PasswordNeverExpires"

Could someone please help - I need a Powershell script to search users in AD with password set to never expire.

Both our DC's are running Server 2003 - and Active Directory Web Services isn't running so Get-ADUser cmdlet won't work.

I would prefer not to use 3rd party cmdlets either, unless I have to.

Thanks,

A.
0
Angeal
Asked:
Angeal
  • 3
  • 3
  • 2
  • +1
3 Solutions
 
Sarang TinguriaSr EngineerCommented:
Chris has a great GUI tool You may install this on any member Machine and use via any admin/non-admin account

Cjwdev | AD Info - Active Directory Reporting www.cjwdev.co.uk/Software/ADReportingTool/Info.html
0
 
SubsunCommented:
If you are using quest ad cmdlets, then it's a single line command..
http://www.quest.com/powershell/activeroles-server.aspx
Get-QADUser -PasswordNeverExpires | Export-Csv C:\report.csv -NoTypeInformation

Open in new window

Else you can use this script to export the users accounts which has password set to never expire...
$domain = [ADSI]"LDAP://DC=test,DC=com"
$Ad = new-object directoryservices.directorysearcher
$Ad.searchroot = $domain
$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
$Users = $Ad.findall()
$Users | % {New-Object PSObject -Property @{
Name = $($_.Properties.name)
sn = $($_.Properties.sn)
givenname = $($_.Properties.givenname)
mail = $($_.Properties.mail)
samaccountname = $($_.Properties.samaccountname)
displayname = $($_.Properties.displayname)
 }
} | Export-Csv C:\report.csv -NoTypeInformation

Open in new window

0
 
AngealAuthor Commented:
Hi Subsun,

Worked like a charm. I used the second script. Is there a way to filter out accounts that are disabled? (sorry, I should have asked this beforehand) So find all accounts that don't expire, and aren't disabled.

Thanks for your help! I really appreciate it.

A.
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
coraxalCommented:
Change this line:

$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

Open in new window


To this:

$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

Open in new window

0
 
SubsunCommented:
The filter provided by coraxal will give you the disabled users with password set to never expire.
If you want to get all users who are set to password never expire with the status of account, then you can use following code..
I have added a custom attribute 'Status' which will show the status of account..
[ADSI]"LDAP://DC=test,DC=com"
$Ad = new-object directoryservices.directorysearcher
$Ad.searchroot = $domain
$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
$Users = $Ad.findall()
$Users | % {New-Object PSObject -Property @{
Name = $($_.Properties.name)
sn = $($_.Properties.sn)
givenname = $($_.Properties.givenname)
mail = $($_.Properties.mail)
samaccountname = $($_.Properties.samaccountname)
displayname = $($_.Properties.displayname)
Status = $(IF (($($_.properties.useraccountcontrol) -band 2) -ne 2) {Write "Enabled"} Else {Write "Disabled"})
 }
} | Export-Csv C:\report.csv -NoTypeInformation

Open in new window

0
 
coraxalCommented:
@Subsun...should return enabled accounts with password set to never expire, correct? Notice the "!" preceding the userAccountControl attribute.
0
 
SubsunCommented:
Yea right.. I didn't notice the Not!.. :-) .. Again I didn't mean to say your filter is wrong.. Just to want to mention it will exclude the disabled users from list, so if Angeal want both disabled and enabled users with password never expire then he can use my modified code..
0
 
AngealAuthor Commented:
2 great solution to one problem - thanks guys!
0
 
coraxalCommented:
@Subsun....phewww...thought I was thinking of the filter the wrong way =)  great script btw
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

  • 3
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now