Re: How to display users with expired password ?
bildos wrote:
> How to display users with expired password ?
> Any ideas for query ? The best will be query for "Active Directory Users
> and Computers"
>
Determining when the password expires for an account is not simple. See this
link:
http://msdn2.microsoft.com/en-us/library/ms974598.aspx
However, if you do a bit of work ahead of time, you can query for all users
that have not changed their password recently. For example, if passwords
must be reset every 60 days in your domain, you want users that have not
changed their password since 60 days ago, say November 13, 2007. The
pwdLastSet attribute of user objects has the date/time the password was last
set. However, it is Integer8, a 64-bit number representing the date/time (in
UTC) as the number of 100-nanosecond intervals since 12:00 AM January 1,
1601. I have a VBScript program that converts a date/time in your local time
zone to the corresponding Integer8 value linked here:
http://www.rlmueller.net/Programs/DateToInteger8.txt
Using this program I find that 12:00 AM November 13, 2007, corresponds to
the value (in my time zone):
128394072000000000
A query in ADUC for all users that have not changed their password since
November 13, 2007, (in my time zone) would be:
(&(objectCategory=person)(objectClass=user)(pwdLastSet<=128394072000000000))
Otherwise, I also have a VBScript program that documents the date/time when
every user in the domain last changed their password linked here:
http://www.rlmueller.net/PwdLastChanged.htm
A date/time of 1/1/1601 (January 1, 1601) means never. Also, you can use Joe
Richards' adfind utility. I believe the command to document when all users
last changed their password would be:
adfind -tdc -default -f "(&(objectCategory=person)(objectClass=user))" pwdLastSet -sort pwdLastSet
You can get this free utility at:
http://joeware.net/freetools/tools/adfind/index.htm
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab -
http://www.rlmueller.net
--
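The date-to-Integer8 conversion and the filter described in the post above, as an added Python example (not part of the original post and not the linked VBScript program). The function names are hypothetical, and the UTC-6 offset used to check the post's value is inferred from the Integer8 number it quotes.

```python
from datetime import datetime, timedelta, timezone

# Integer8 values count 100-nanosecond intervals since 12:00 AM January 1, 1601 (UTC).
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def to_integer8(when: datetime) -> int:
    """Convert a timezone-aware date/time to the Integer8 form used by pwdLastSet."""
    if when.tzinfo is None:
        # A naive datetime would silently shift the cutoff by the local UTC offset.
        raise ValueError("datetime must carry a time zone")
    delta = when - EPOCH_1601
    # Integer arithmetic only, so no float rounding on an 18-digit value.
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_integer8(value: int):
    """Convert a pwdLastSet value to a UTC datetime; 0 (1/1/1601) means never."""
    if value == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def stale_password_filter(max_age_days: int, now: datetime) -> str:
    """Build the filter for users whose password was last set on or before
    (now - max_age_days). Accounts with pwdLastSet 0 also match, because 0
    is less than or equal to any cutoff."""
    cutoff = to_integer8(now - timedelta(days=max_age_days))
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(pwdLastSet<={cutoff}))")


if __name__ == "__main__":
    # Constructed sample: "today" is January 12, 2008 in UTC-6, so a
    # 60-day policy gives a cutoff of 12:00 AM November 13, 2007.
    tz = timezone(timedelta(hours=-6))
    print(stale_password_filter(60, datetime(2008, 1, 12, tzinfo=tz)))
    print(from_integer8(128394072000000000))
```
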