Solved

ad report non-expiring accounts

Posted on 2013-12-19
6
233 Views
Last Modified: 2014-01-02
I need an AD report ideally using a free tool/command line tool to list all AD users who are exempt from password expiry including the fields

username, password last set date, status (i.e. disabled/enabled).

Please provide recommendations on the tool and the appropriate syntax.
0
Comment
Question by:pma111
6 Comments
 
LVL 3

Author Comment

by:pma111
ID: 39728868
can it be done in adfind? http://www.joeware.net/freetools/
0
 
LVL 19

Accepted Solution

by:
helpfinder earned 500 total points
ID: 39728897
without need to install anything special you can use AD Users and computers and create query here - non-expiring passwords
you will get list of users with password set to never expires and their names, also you can see if it is disabled or not (or you can do a similar query for disabled accounts)
You wont see last changed password in the table but in each user attribute properties you should be able to see also this.
If this is not sufficient for you I guess you can achieve this using PowerShell

sample
0
 
LVL 3

Author Comment

by:pma111
ID: 39728910
in add/remove columns, which column will show "account status". I couldnt see anything obvious. In fact I have added all columns and I cant see which are disabled/enabled. I cant check them all manually as there are >1000 accounts.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 3

Expert Comment

by:Detlef001
ID: 39728948
Please have a look at this application. Its freeware but up to some limitation on the number of users.

Hope it helps.

Thanks.
0
 
LVL 3

Author Comment

by:pma111
ID: 39728956
The first solution worked if I ticked both options, but ideally I wanted a single report, i.e all non expiring accounts, and then their status (i.e. enabled/disabled), rather than 2 reports for the 2 different criteria, but maybe I can merge them in some other software like access.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39729033
You can accomplish this using the Native powershell commands. See below...

Import-module activedirectory
Get-ADUser -Filter * -Properties * | ? {$_.PasswordNeverExpires -eq "true"} | select name, samaccountname, PasswordNeverExpires, Enabled

Open in new window


Will.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

My last post dealt with using group policy preferences to set file associations, a very handy usage for a GPP. Today I am going to share another cool GPP trick, this may be a specific scenario but I run into these situations frequently in my activit…
As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now