Re: Poll AD Accounts set to "never expire"
- From: "Richard Mueller [MVP]" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 5 Feb 2007 11:20:55 -0600
Sorry. The relevant attribute of the user object is accountExpires. This
attribute is Integer8, which is a 64-bit number. Two values correspond to
never, 0 and 2^63-1 (which is 9,223,372,036,854,775,807). The first value is
encountered if the account once had an expiration date, and you remove it
and select "Never" in the ADUC GUI. The second value is encountered if the
account never had an expiration date. I have used the following ADO search
filter with success:
    strFilter = "(&(objectCategory=person)(objectClass=user)" _
        & "(|(accountExpires=9223372036854775807)(accountExpires=0)))"
Surprising, since VBScript cannot represent integers larger than 2^53
exactly. This huge number gets passed to ADO as a string and is properly
handled. For example, I have used the VBScript program below to document all
users whose accounts never expire:
==========
Option Explicit

Dim objRootDSE, strDNSDomain, objCommand, objConnection
Dim strBase, strFilter, strAttributes, strQuery, objRecordSet
Dim strNTName, strDN

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

' Search entire domain.
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user objects that do not expire.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(|(accountExpires=9223372036854775807)(accountExpires=0)))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "sAMAccountName,distinguishedName"

' Construct the ADO query, using LDAP syntax.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

' Run the query.
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

' Enumerate the recordset and output the values retrieved.
Do Until objRecordSet.EOF
    strNTName = objRecordSet.Fields("sAMAccountName").Value
    strDN = objRecordSet.Fields("distinguishedName").Value
    Wscript.Echo strNTName & "- " & strDN
    objRecordSet.MoveNext
Loop
objRecordSet.Close

' Clean up.
objConnection.Close
Set objRootDSE = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRecordSet = Nothing
========
For more on using ADO to search AD, see this link:
http://www.rlmueller.net/ADOSearchTips.htm
For a discussion of Account Expiration dates, see this link:
http://www.rlmueller.net/AccountExpires.htm
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab web site - http://www.rlmueller.net
--
"Teki" <Teki@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:09D32DEC-099C-471A-AE5B-5008C35625D4@xxxxxxxxxxxxxxxx
Richard,
Thanks for responding but I can retrieve accounts with passwords that are
set to never expire; however, I am in need of determining which accounts are
set to "never expire" ...it is the very last section on the accounts page.
Thanks.
--
Teki
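
The following is an added example, not code from the original post or from its author. It goes beyond the "never" filter above by also decoding accountExpires values that carry a real date, for auditing an offline export of the attribute; it assumes the values were exported as decimal strings, and the account names and values in SAMPLE are constructed.

```python
from datetime import datetime, timedelta, timezone

# The two values the post identifies as meaning "never expires".
NEVER_VALUES = {0, 2**63 - 1}
# Not stated in the post: any other value counts 100-nanosecond
# intervals since 1601-01-01 00:00 UTC (the Windows FILETIME epoch).
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_account_expires(raw):
    """Return None for "never", else the expiry as an aware UTC datetime."""
    value = int(raw)  # exports carry the Integer8 as a decimal string
    if value in NEVER_VALUES:
        return None
    try:
        if value < 0:
            raise OverflowError
        return EPOCH_1601 + timedelta(microseconds=value // 10)
    except OverflowError:
        # Neither a sentinel nor a date Python can represent (year > 9999).
        raise ValueError(f"accountExpires out of range: {value}") from None


def classify(records, now):
    """Sort (sAMAccountName, accountExpires) pairs into three buckets."""
    report = {"never": [], "expired": [], "active": []}
    for name, raw in records:
        expires = decode_account_expires(raw)
        if expires is None:
            report["never"].append(name)
        elif expires <= now:
            report["expired"].append(name)
        else:
            report["active"].append(name)
    return report


# Constructed sample export; names and values are illustrative only.
SAMPLE = [
    ("svc-backup", "9223372036854775807"),  # never had an expiration date
    ("jdoe", "0"),                          # expiration removed in ADUC
    ("contractor1", "128147616000000000"),  # 2007-02-01 00:00 UTC
    ("temp-admin", "128436192000000000"),   # 2008-01-01 00:00 UTC
]

if __name__ == "__main__":
    as_of = datetime(2007, 2, 5, tzinfo=timezone.utc)  # date of the post
    for bucket, names in classify(SAMPLE, as_of).items():
        print(f"{bucket}: {', '.join(names)}")
```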