Re: Script to find user accounts where "Password never Expires"


From: Richard Mueller [MVP] (rlmueller-NOSPAM_at_ameritech.NOSPAM.net)
Date: 03/31/04


Date: Wed, 31 Mar 2004 16:14:01 -0600

Richard Rekos wrote:

> Using the following script, I can determine if a single user has "password
> never expires" enabled or not. Does anyone have a script that can do this
> for ALL users in a particular OU? Thanks in advance!
>
> Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
> Set objUser = GetObject("LDAP://CN=rich,OU=us,DC=xyz,DC=com")
> intUserAccountControl = objUser.Get("userAccountControl")
> If intUserAccountControl And ADS_UF_DONT_EXPIRE_PASSWD Then
> WScript.Echo "The password does not expire."
> WScript.Quit
> Else
> WScript.Echo "The password expires."
> End If
>
Hi,

Two ways to tackle this. First, you can bind to the OU, filter on user
objects, then enumerate the users. Note that this will only handle users
that are actually in the OU, not those in sub-OUs (unless you code a
recursive subroutine). For example:

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Set objOU = GetObject("LDAP://ou=us,dc=xyz,dc=com")
objOU.Filter = Array("user")
For Each objUser In objOU
  intUserAccountControl = objUser.Get("userAccountControl")
  If (intUserAccountControl And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
    Wscript.Echo "Password never expires for user " & objUser.sAMAccountName
  Else
    Wscript.Echo "Password expires for user " & objUser.sAMAccountName
  End If
Next

A more powerful method is to use ADO. You can retrieve just the users whose
password never expires. The code below will find all users whose password
does not expire in the OU and in any sub-OUs:

Option Explicit

Dim objCommand, objConnection
Dim strBase, strFilter, strAttributes, strQuery, objRecordSet
Dim strNTName

' Use ADO to search Active Directory.
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

' Specify base of search (starting point).
strBase = "<LDAP://ou=us,dc=xyz,dc=com>"

' Filter on users with ADS_UF_DONT_EXPIRE_PASSWD bit of userAccountControl set.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
  & "(userAccountControl:1.2.840.113556.1.4.803:=65536))"

' Retrieve sAMAccountName attribute (comma delimited list of attributes).
strAttributes = "sAMAccountName"

strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

' Enumerate results found.
Do Until objRecordSet.EOF
  strNTName = objRecordSet.Fields("sAMAccountName")
  Wscript.Echo strNTName
  objRecordSet.MoveNext
Loop

' Clean up.
objConnection.Close
Set objCommand = Nothing
Set objConnection = Nothing
Set objRecordSet = Nothing

-- 
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
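
Added example, not part of the original post or of the author's scripts: an offline Python sketch of how the extensible-match term in the ADO filter above is evaluated (1.2.840.113556.1.4.803 is the bitwise AND rule), used to separate enabled from disabled never-expiring accounts. The sample entries, the account names other than "rich", and the helper names match_term, decode_uac and audit are constructed for illustration.

```python
import re

# userAccountControl bits (ADS_UF_* constants); 0x10000 is the one on this page.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWD"}
BIT_AND = "1.2.840.113556.1.4.803"  # every bit of the mask must be set
BIT_OR = "1.2.840.113556.1.4.804"   # at least one bit of the mask must be set
_TERM = re.compile(r"^\((\w+):([\d.]+):=(\d+)\)$")


def match_term(term, entry):
    """Evaluate one term such as (userAccountControl:<oid>:=65536)."""
    m = _TERM.match(term)
    if not m:
        raise ValueError("unsupported filter term: " + term)
    attr, oid, mask = m.group(1), m.group(2), int(m.group(3))
    value = int(entry.get(attr, 0))  # a missing attribute never matches
    if oid == BIT_AND:
        return value & mask == mask
    if oid == BIT_OR:
        return value & mask != 0
    raise ValueError("unknown matching rule: " + oid)


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit(entries):
    """Return (enabled, disabled) account names whose password never expires."""
    never_expires = "(userAccountControl:%s:=65536)" % BIT_AND
    disabled_term = "(userAccountControl:%s:=2)" % BIT_AND
    hits = [e for e in entries if match_term(never_expires, e)]
    disabled = [e["sAMAccountName"] for e in hits if match_term(disabled_term, e)]
    enabled = [e["sAMAccountName"] for e in hits if not match_term(disabled_term, e)]
    return enabled, disabled


# Constructed sample entries, not taken from a real directory.
SAMPLE = [
    {"sAMAccountName": "rich", "userAccountControl": 512},          # 0x00200
    {"sAMAccountName": "svc_backup", "userAccountControl": 66048},  # 0x10200
    {"sAMAccountName": "old_admin", "userAccountControl": 66050},   # 0x10202
    {"sAMAccountName": "kiosk", "userAccountControl": 66080},       # 0x10220
]

if __name__ == "__main__":
    enabled, disabled = audit(SAMPLE)
    print("enabled, never expires:", enabled)
    print("disabled, never expires:", disabled)
```
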

