Solved

Powershell: Search for Users with "PasswordNeverExpires"

Posted on 2013-01-23
9
940 Views
Last Modified: 2013-04-16
Could someone please help - I need a Powershell script to search users in AD with password set to never expire.

Both our DC's are running Server 2003 - and Active Directory Web Services isn't running so Get-ADUser cmdlet won't work.

I would prefer not to use 3rd party cmdlets either, unless I have to.

Thanks,

A.
0
Comment
Question by:Angeal
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38811041
Chris has a great GUI tool You may install this on any member Machine and use via any admin/non-admin account

Cjwdev | AD Info - Active Directory Reporting www.cjwdev.co.uk/Software/ADReportingTool/Info.html
0
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 400 total points
ID: 38811783
If you are using quest ad cmdlets, then it's a single line command..
http://www.quest.com/powershell/activeroles-server.aspx
Get-QADUser -PasswordNeverExpires | Export-Csv C:\report.csv -NoTypeInformation

Open in new window

Else you can use this script to export the users accounts which has password set to never expire...
$domain = [ADSI]"LDAP://DC=test,DC=com"
$Ad = new-object directoryservices.directorysearcher
$Ad.searchroot = $domain
$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
$Users = $Ad.findall()
$Users | % {New-Object PSObject -Property @{
Name = $($_.Properties.name)
sn = $($_.Properties.sn)
givenname = $($_.Properties.givenname)
mail = $($_.Properties.mail)
samaccountname = $($_.Properties.samaccountname)
displayname = $($_.Properties.displayname)
 }
} | Export-Csv C:\report.csv -NoTypeInformation

Open in new window

0
 

Author Comment

by:Angeal
ID: 38812932
Hi Subsun,

Worked like a charm. I used the second script. Is there a way to filter out accounts that are disabled? (sorry, I should have asked this beforehand) So find all accounts that don't expire, and aren't disabled.

Thanks for your help! I really appreciate it.

A.
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 5

Assisted Solution

by:coraxal
coraxal earned 100 total points
ID: 38813089
Change this line:

$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

Open in new window


To this:

$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

Open in new window

0
 
LVL 40

Accepted Solution

by:
Subsun earned 400 total points
ID: 38813524
The filter provided by coraxal will give you the disabled users with password set to never expire.
If you want to get all users who are set to password never expire with the status of account, then you can use following code..
I have added a custom attribute 'Status' which will show the status of account..
[ADSI]"LDAP://DC=test,DC=com"
$Ad = new-object directoryservices.directorysearcher
$Ad.searchroot = $domain
$Ad.filter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
$Users = $Ad.findall()
$Users | % {New-Object PSObject -Property @{
Name = $($_.Properties.name)
sn = $($_.Properties.sn)
givenname = $($_.Properties.givenname)
mail = $($_.Properties.mail)
samaccountname = $($_.Properties.samaccountname)
displayname = $($_.Properties.displayname)
Status = $(IF (($($_.properties.useraccountcontrol) -band 2) -ne 2) {Write "Enabled"} Else {Write "Disabled"})
 }
} | Export-Csv C:\report.csv -NoTypeInformation

Open in new window

0
 
LVL 5

Expert Comment

by:coraxal
ID: 38813545
@Subsun...should return enabled accounts with password set to never expire, correct? Notice the "!" preceding the userAccountControl attribute.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38813725
Yea right.. I didn't notice the Not!.. :-) .. Again I didn't mean to say your filter is wrong.. Just to want to mention it will exclude the disabled users from list, so if Angeal want both disabled and enabled users with password never expire then he can use my modified code..
0
 

Author Closing Comment

by:Angeal
ID: 38813994
2 great solution to one problem - thanks guys!
0
 
LVL 5

Expert Comment

by:coraxal
ID: 38815518
@Subsun....phewww...thought I was thinking of the filter the wrong way =)  great script btw
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
Previously, on our Nano Server Deployment series, we've created a new nano server image and deployed it on a physical server in part 2. Now we will go through configuration.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question