NSEMonsanto
Active Directory Saved Query Expired Accounts
I am trying to set a query in the Active Directory Saved Queries, to display the Expired Users accounts.
So far the custom query I found was
(&(&(objectCategory=person)(objectClass=user)(!AccountExpires=0)(!AccountExpires=9223372036854775807)))
But it provides all accounts with an expiration date set.
With a different syntax I have also tried the following:
(&(objectCategory=person)(objectClass=user)" _ & "(!accountExpires=9223372036854775807)(!accountExpires=0))
and it gives no result, even knowing that there are expired accounts.
Any better query?
I am not looking for Shell scripts.
Thanks.
ASKER
Thanks, however it is like the first query I posted, and shows all users with expiring accounts set (too comprehensive), not expired ones.
try:
(&(objectCategory=person)(objectClass=user)(accountExpires<=128635956000000000)(!accountExpires=0))
ASKER
Same same: no results.
Even changing the operators <=> doesn't make a difference: no users.
Your query makes more sense so far, it looks for accounts that have expired up to date.
However it looks like there should be a sharper definition I cannot get my head around.
So not willing to use adfind or powershell...do you only want a saved query?
ASKER
Thanks for the effort.
You got it right, I'd like to use the saved query.
C.
Theoretically the following answers your question, but it seems not to always work
(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=8388608)
Try this query to find users who must change password on next login:
(objectCategory=user)(pwdLastSet=0)
Users whose password never expires
(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)
http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm
8388608 is password expired, not account expired (http://support.microsoft.com/kb/305144). As such, it won't work for accounts that have expired anyway.
Chris
ASKER
Thanks Chris.
Your explanation is sound, and makes a whole lot of sense.
I will then just find the way to translate time into 100ths of seconds.
Cheers,
C.
from http://www.rlmueller.net/AccountExpires.htm. I tried running it using DSQUERY on the command line and it worked great.
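The threshold in the accountExpires filter posted earlier in this thread (128635956000000000) is a count of 100-nanosecond intervals since 1601-01-01 UTC. The following Python sketch is an added example, not code from the thread or from the linked page: it converts between dates and that value, builds the expired-accounts filter, and applies the same test to exported values. All function names are hypothetical and the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# accountExpires counts 100-nanosecond intervals since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 9223372036854775807)  # both values mean "never expires"


def to_filetime(dt):
    """Convert an aware datetime to the integer stored in accountExpires."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def from_filetime(value):
    """Convert an accountExpires integer back to a UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def expired_filter(now):
    """LDAP filter: users whose expiry date is set and has already passed.

    The <= comparison already excludes 9223372036854775807; 0 is excluded
    explicitly, written in the RFC 4515 form with inner parentheses.
    """
    return ("(&(objectCategory=person)(objectClass=user)"
            "(accountExpires<=%d)(!(accountExpires=0)))" % to_filetime(now))


def is_expired(account_expires, now):
    """Client-side equivalent of the filter, for checking exported values."""
    return account_expires not in NEVER and account_expires <= to_filetime(now)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(expired_filter(now))
    print(from_filetime(128635956000000000))  # date behind the thread's value
    # Constructed sample values, not taken from a real directory.
    samples = {"never_a": 0, "never_b": 9223372036854775807,
               "past": 128635956000000000,
               "future": to_filetime(now + timedelta(days=30))}
    for name, value in samples.items():
        print(name, is_expired(value, now))
```

An LDAP filter cannot evaluate the current time, so the number in a saved query has to be regenerated and pasted in whenever the query should reflect today's date.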