Re: Poll AD Accounts set to "never expire"
- From: "Ken Aldrich" <supportw@xxxxxxxxxxxxxxx>
- Date: Tue, 6 Feb 2007 16:10:37 -0600
You could use DSRAZOR for Windows to do this. No scripting knowledge
required.
DSRAZOR is designed to report on many things just like this.
Go to www.visualclick.com/?source=020607noexpire
You can download the trial version and run the applet titled "Accounts that
never expire" in the "Assess AD/NTFS Security" section.
If you would like a free one-on-one web demonstration of how DSRAZOR works,
and how we can customize it to create other reports, then sign up for an
evaluation.
--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com
"Teki" <Teki@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DBE784F1-EDD9-4866-B59B-D5807B748A1E@xxxxxxxxxxxxxxxx
Richard,
You have certainly blown my mind but I never run from a challenge; thanks
and I will break this apart so that I understand it before applying it.
You guys are awesome.
--
Teki
"Richard Mueller [MVP]" wrote:
Sorry. The relevant attribute of the user object is accountExpires. This
attribute is Integer8, which is a 64-bit number. Two values correspond to
never, 0 and 2^63-1 (which is 9,223,372,036,854,775,807). The first value
is encountered if the account once had an expiration date, and you remove it
and select "Never" in the ADUC GUI. The second value is encountered if the
account never had an expiration date. I have used the following ADO search
filter with success:

    strFilter = "(&(objectCategory=person)(objectClass=user)" _
        & "(|(accountExpires=9223372036854775807)(accountExpires=0)))"

Surprising, since VBScript cannot represent integers larger than 2^53
exactly. This huge number gets passed to ADO as a string and is properly
handled. For example, I have used the VBScript program below to document all
users whose accounts never expire:
==========
Option Explicit

Dim objRootDSE, strDNSDomain, objCommand, objConnection
Dim strBase, strFilter, strAttributes, strQuery, objRecordSet
Dim strNTName, strDN

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

' Search entire domain.
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user objects that do not expire.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(|(accountExpires=9223372036854775807)(accountExpires=0)))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "sAMAccountName,distinguishedName"

' Construct the ADO query, using LDAP syntax.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

' Run the query.
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

' Enumerate the recordset and output the values retrieved.
Do Until objRecordSet.EOF
    strNTName = objRecordSet.Fields("sAMAccountName").Value
    strDN = objRecordSet.Fields("distinguishedName").Value
    Wscript.Echo strNTName & "- " & strDN
    objRecordSet.MoveNext
Loop
objRecordSet.Close

' Clean up.
objConnection.Close
Set objRootDSE = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRecordSet = Nothing
========
For more on using ADO to search AD, see this link:
http://www.rlmueller.net/ADOSearchTips.htm
For a discussion of Account Expiration dates, see this link:
http://www.rlmueller.net/AccountExpires.htm
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab web site - http://www.rlmueller.net
--
"Teki" <Teki@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:09D32DEC-099C-471A-AE5B-5008C35625D4@xxxxxxxxxxxxxxxx
Richard,
Thanks for responding but I can retrieve accounts with passwords that are
set to never expire; however, I am in need of determining which accounts are
set to "never expire" ... it is the very last section on the accounts page.
Thanks.
--
Teki
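
Added example, not part of the original thread or of any poster's code: a Python sketch that audits accountExpires values taken from an offline export, treating both "never" sentinels named above as non-expiring and decoding every other value as a date. It assumes the standard Integer8 time encoding (100-nanosecond intervals since 1601-01-01 UTC); the sample records and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

NEVER_VALUES = {0, 2**63 - 1}   # the two "never" sentinels described in the thread
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample export: (sAMAccountName, accountExpires as the string LDAP returns).
SAMPLE = [
    ("svc-backup", "9223372036854775807"),   # never had an expiration date
    ("jdoe", "0"),                           # had a date, later reset to "Never"
    ("contractor1", "128171808000000000"),   # a real expiration timestamp
    ("broken", ""),                          # attribute missing from the export
]

def classify(raw):
    """Return ('never', None), ('expires', datetime) or ('unknown', None)."""
    try:
        value = int(raw)   # parse as integer; a double cannot hold 2^63-1 exactly
    except (TypeError, ValueError):
        return ("unknown", None)
    if value in NEVER_VALUES:
        return ("never", None)
    if value < 0:
        return ("unknown", None)
    try:
        # 100-ns ticks since 1601-01-01 UTC, converted to whole microseconds
        return ("expires", EPOCH_1601 + timedelta(microseconds=value // 10))
    except OverflowError:
        return ("unknown", None)   # value decodes to a date past year 9999

def never_expiring(records):
    """Names of accounts whose accountExpires is one of the 'never' sentinels."""
    return [name for name, raw in records if classify(raw)[0] == "never"]

def survives_double(raw):
    """True if the value round-trips through a 64-bit float unchanged."""
    return int(float(raw)) == int(raw)

if __name__ == "__main__":
    for name, raw in SAMPLE:
        print(name, *classify(raw))
    print("never expire:", never_expiring(SAMPLE))
    print("2^63-1 survives a double:", survives_double("9223372036854775807"))
```
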