Re: Searching for expired by date accounts in AD
- From: Craig Taylor <craig.taylor@xxxxxxxxxxxxxxxxxxx>
- Date: Mon, 27 Feb 2006 17:28:23 +0000
Great, thanks for the info.
On 27/2/06 5:14 pm, in article u10Z1E8OGHA.3100@xxxxxxxxxxxxxxxxxxxx,
"Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx> wrote:
Craig Taylor wrote:
I need to put together a script to search for all expired user accounts
(not expired passwords but expired by date expired) in Active Directory.
I then need to change their status to disabled. Anyone point me in the
right direction, don't know how to search on the expired date?
You can use ADO to search on the accountExpires attribute. However, this
attribute is Integer8, a 64-bit number representing the date as the number
of 100-nanosecond intervals since 12:00 AM 1/1/1601. Some tips on using ADO,
including filters for Integer8 values here:
http://www.rlmueller.net/ADOSearchTips.htm
You will need to convert the current date/time to a 64-bit Integer8 value,
then filter on users with accountExpires less than that value (but not zero,
which means the account has never had an expiration date). An example that
lists expired accounts follows. You will need to bind to each expired user
object to disable the account.
========================
Option Explicit
Dim dtmAdjusted, lngSeconds, str64Bit
Dim objShell, lngBiasKey, lngBias, k
Dim objRootDSE, strDNSDomain, objConnection, objRecordset
Dim strBase, strFilter, strAttributes, strQuery, strDN
' Obtain local Time Zone bias from machine registry.
Set objShell = CreateObject("Wscript.Shell")
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    & "TimeZoneInformation\ActiveTimeBias")
If UCase(TypeName(lngBiasKey)) = "LONG" Then
    lngBias = lngBiasKey
ElseIf UCase(TypeName(lngBiasKey)) = "VARIANT()" Then
    lngBias = 0
    For k = 0 To UBound(lngBiasKey)
        lngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
End If
' Convert current date/time value to UTC.
dtmAdjusted = DateAdd("n", lngBias, Now)
' Find number of seconds since 1/1/1601.
lngSeconds = DateDiff("s", #1/1/1601#, dtmAdjusted)
' Convert the number of seconds to a string
' and convert to 100-nanosecond intervals.
str64Bit = CStr(lngSeconds) & "0000000"
' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
' Use ADO to search Active Directory.
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objRecordset = CreateObject("ADODB.Recordset")
objRecordset.ActiveConnection = objConnection
' Search entire domain.
strBase = "<LDAP://" & strDNSDomain & ">"
' Filter on expired user accounts.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(accountExpires<=" & str64Bit & ")(!accountExpires=0))"
' Retrieve Distinguished Names.
strAttributes = "distinguishedName"
' Use ADO to query AD.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objRecordset.Source = strQuery
objRecordset.Open
' Enumerate expired user accounts.
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName")
    Wscript.Echo strDN
    objRecordSet.MoveNext
Loop
' Clean up.
objRecordset.Close
objConnection.Close
Set objRootDSE = Nothing
Set objConnection = Nothing
Set objRecordSet = Nothing
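
The Integer8 conversion and filter described in the reply above, as an added Python example that is not part of the original thread. It goes one step further by also treating 0x7FFFFFFFFFFFFFFF as "never expires" and by working out the userAccountControl value for each account that still needs disabling; the function names and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)   # both values mean "no expiration date"
ADS_UF_ACCOUNTDISABLE = 0x2       # userAccountControl bit for a disabled account

def to_integer8(when):
    """Timezone-aware datetime -> 100-ns intervals since 1601-01-01 UTC."""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    delta = when - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000

def from_integer8(value):
    """Integer8 -> UTC datetime, or None when the value means 'never'."""
    value = int(value)
    if value in NEVER:
        return None               # the max sentinel would overflow datetime
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def expired_filter(now):
    """Same LDAP filter as the VBScript above, built from an exact integer."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(accountExpires<=%d)(!accountExpires=0))" % to_integer8(now))

def pending_disable(records, now):
    """Return (dn, new userAccountControl) for expired, still-enabled accounts."""
    limit = to_integer8(now)
    out = []
    for dn, account_expires, uac in records:
        expires = int(account_expires)
        if expires in NEVER or expires > limit:
            continue              # no expiration date, or not yet expired
        if uac & ADS_UF_ACCOUNTDISABLE:
            continue              # already disabled, nothing to change
        out.append((dn, uac | ADS_UF_ACCOUNTDISABLE))
    return out

# Constructed sample export: (distinguishedName, accountExpires, userAccountControl)
SAMPLE = [
    ("CN=Alice,OU=Staff,DC=example,DC=com", "0", 512),
    ("CN=Bob,OU=Staff,DC=example,DC=com", "9223372036854775807", 512),
    ("CN=Carol,OU=Staff,DC=example,DC=com", "127800000000000000", 512),
    ("CN=Dave,OU=Staff,DC=example,DC=com", "127800000000000000", 514),
    ("CN=Erin,OU=Staff,DC=example,DC=com", "128000000000000000", 512),
]
NOW = datetime(2006, 2, 27, 17, 28, 23, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(expired_filter(NOW))
    for dn, uac in pending_disable(SAMPLE, NOW):
        print(dn, uac)
```
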