Solved

Powershell: Search for Users with "PasswordNeverExpires"

Posted on 2013-01-23
9
960 Views
Last Modified: 2013-04-16
Could someone please help - I need a Powershell script to search users in AD with password set to never expire.

Both our DC's are running Server 2003 - and Active Directory Web Services isn't running so Get-ADUser cmdlet won't work.

I would prefer not to use 3rd party cmdlets either, unless I have to.

Thanks,

A.
0
Comment
Question by:Angeal
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38811041
Chris has a great GUI tool You may install this on any member Machine and use via any admin/non-admin account

Cjwdev | AD Info - Active Directory Reporting www.cjwdev.co.uk/Software/ADReportingTool/Info.html
0
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 400 total points
ID: 38811783
If you are using quest ad cmdlets, then it's a single line command..
http://www.quest.com/powershell/activeroles-server.aspx
Get-QADUser -PasswordNeverExpires | Export-Csv C:\report.csv -NoTypeInformation

Open in new window

Else you can use this script to export the users accounts which has password set to never expire...
$domain = [ADSI]"LDAP://DC=test,DC=com"
$Ad = new-object directoryservices.directorysearcher
$Ad.searchroot = $domain
$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
$Users = $Ad.findall()
$Users | % {New-Object PSObject -Property @{
Name = $($_.Properties.name)
sn = $($_.Properties.sn)
givenname = $($_.Properties.givenname)
mail = $($_.Properties.mail)
samaccountname = $($_.Properties.samaccountname)
displayname = $($_.Properties.displayname)
 }
} | Export-Csv C:\report.csv -NoTypeInformation

Open in new window

0
 

Author Comment

by:Angeal
ID: 38812932
Hi Subsun,

Worked like a charm. I used the second script. Is there a way to filter out accounts that are disabled? (sorry, I should have asked this beforehand) So find all accounts that don't expire, and aren't disabled.

Thanks for your help! I really appreciate it.

A.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 5

Assisted Solution

by:coraxal
coraxal earned 100 total points
ID: 38813089
Change this line:

$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

Open in new window


To this:

$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

Open in new window

0
 
LVL 40

Accepted Solution

by:
Subsun earned 400 total points
ID: 38813524
The filter provided by coraxal will give you the disabled users with password set to never expire.
If you want to get all users who are set to password never expire with the status of account, then you can use following code..
I have added a custom attribute 'Status' which will show the status of account..
[ADSI]"LDAP://DC=test,DC=com"
$Ad = new-object directoryservices.directorysearcher
$Ad.searchroot = $domain
$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
$Users = $Ad.findall()
$Users | % {New-Object PSObject -Property @{
Name = $($_.Properties.name)
sn = $($_.Properties.sn)
givenname = $($_.Properties.givenname)
mail = $($_.Properties.mail)
samaccountname = $($_.Properties.samaccountname)
displayname = $($_.Properties.displayname)
Status = $(IF (($($_.properties.useraccountcontrol) -band 2) -ne 2) {Write "Enabled"} Else {Write "Disabled"})
 }
} | Export-Csv C:\report.csv -NoTypeInformation

Open in new window

0
 
LVL 5

Expert Comment

by:coraxal
ID: 38813545
@Subsun...should return enabled accounts with password set to never expire, correct? Notice the "!" preceding the userAccountControl attribute.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38813725
Yea right.. I didn't notice the Not!.. :-) .. Again I didn't mean to say your filter is wrong.. Just to want to mention it will exclude the disabled users from list, so if Angeal want both disabled and enabled users with password never expire then he can use my modified code..
0
 

Author Closing Comment

by:Angeal
ID: 38813994
2 great solution to one problem - thanks guys!
0
 
LVL 5

Expert Comment

by:coraxal
ID: 38815518
@Subsun....phewww...thought I was thinking of the filter the wrong way =)  great script btw
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes.  We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question