Solved

Powershell: Search for Users with "PasswordNeverExpires"

Posted on 2013-01-23
9
933 Views
Last Modified: 2013-04-16
Could someone please help - I need a Powershell script to search users in AD with password set to never expire.

Both our DC's are running Server 2003 - and Active Directory Web Services isn't running so Get-ADUser cmdlet won't work.

I would prefer not to use 3rd party cmdlets either, unless I have to.

Thanks,

A.
0
Comment
Question by:Angeal
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38811041
Chris has a great GUI tool You may install this on any member Machine and use via any admin/non-admin account

Cjwdev | AD Info - Active Directory Reporting www.cjwdev.co.uk/Software/ADReportingTool/Info.html
0
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 400 total points
ID: 38811783
If you are using quest ad cmdlets, then it's a single line command..
http://www.quest.com/powershell/activeroles-server.aspx
Get-QADUser -PasswordNeverExpires | Export-Csv C:\report.csv -NoTypeInformation

Open in new window

Else you can use this script to export the users accounts which has password set to never expire...
$domain = [ADSI]"LDAP://DC=test,DC=com"
$Ad = new-object directoryservices.directorysearcher
$Ad.searchroot = $domain
$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
$Users = $Ad.findall()
$Users | % {New-Object PSObject -Property @{
Name = $($_.Properties.name)
sn = $($_.Properties.sn)
givenname = $($_.Properties.givenname)
mail = $($_.Properties.mail)
samaccountname = $($_.Properties.samaccountname)
displayname = $($_.Properties.displayname)
 }
} | Export-Csv C:\report.csv -NoTypeInformation

Open in new window

0
 

Author Comment

by:Angeal
ID: 38812932
Hi Subsun,

Worked like a charm. I used the second script. Is there a way to filter out accounts that are disabled? (sorry, I should have asked this beforehand) So find all accounts that don't expire, and aren't disabled.

Thanks for your help! I really appreciate it.

A.
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 5

Assisted Solution

by:coraxal
coraxal earned 100 total points
ID: 38813089
Change this line:

$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

Open in new window


To this:

$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

Open in new window

0
 
LVL 40

Accepted Solution

by:
Subsun earned 400 total points
ID: 38813524
The filter provided by coraxal will give you the disabled users with password set to never expire.
If you want to get all users who are set to password never expire with the status of account, then you can use following code..
I have added a custom attribute 'Status' which will show the status of account..
[ADSI]"LDAP://DC=test,DC=com"
$Ad = new-object directoryservices.directorysearcher
$Ad.searchroot = $domain
$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
$Users = $Ad.findall()
$Users | % {New-Object PSObject -Property @{
Name = $($_.Properties.name)
sn = $($_.Properties.sn)
givenname = $($_.Properties.givenname)
mail = $($_.Properties.mail)
samaccountname = $($_.Properties.samaccountname)
displayname = $($_.Properties.displayname)
Status = $(IF (($($_.properties.useraccountcontrol) -band 2) -ne 2) {Write "Enabled"} Else {Write "Disabled"})
 }
} | Export-Csv C:\report.csv -NoTypeInformation

Open in new window

0
 
LVL 5

Expert Comment

by:coraxal
ID: 38813545
@Subsun...should return enabled accounts with password set to never expire, correct? Notice the "!" preceding the userAccountControl attribute.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38813725
Yea right.. I didn't notice the Not!.. :-) .. Again I didn't mean to say your filter is wrong.. Just to want to mention it will exclude the disabled users from list, so if Angeal want both disabled and enabled users with password never expire then he can use my modified code..
0
 

Author Closing Comment

by:Angeal
ID: 38813994
2 great solution to one problem - thanks guys!
0
 
LVL 5

Expert Comment

by:coraxal
ID: 38815518
@Subsun....phewww...thought I was thinking of the filter the wrong way =)  great script btw
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is intended as a guide to using PowerShell as a more versatile and reliable form of application detection in SCCM.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question