
looking for scripts for all users with "password never expires"


Chris

Oct 14, 2008, 2:10:01 AM
Single Windows 2003 native AD domain. Need a script to report all users
whose account has been set with "password never expires". Also, another
script which will remove the setting for some of them. The input file will
be from the previous script but revised as needed.

Can someone provide or point me to a source?

Thanks.

Salvador Manaois III

Oct 14, 2008, 2:29:01 AM
To check for users whose passwords never expire (extracted from Hey,
Scripting Guy!):

On Error Resume Next

' Connect to Active Directory through the ADSI OLE DB provider.
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Page the results so more than 1000 users can be returned.
objCommand.Properties("Page Size") = 1000

' 65536 is the "password never expires" bit of userAccountControl.
objCommand.CommandText = _
    "<LDAP://dc=fabrikam,dc=com>;" & _
    "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536));" & _
    "Name;Subtree"
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("Name").Value
    objRecordSet.MoveNext
Loop


To set the password to expire (again, from the same source):

Set objUser = GetObject("LDAP://CN=myerken,OU=Finance,DC=Fabrikam,DC=com")

objUser.pwdLastSet = 0
objUser.SetInfo


--
Salvador Manaois III
MCSE MCSA CEH MCITP | Enterprise/Server Admin
Bytes & Badz : http://badzmanaois.blogspot.com

Richard Mueller [MVP]

Oct 14, 2008, 8:09:14 AM

"Salvador Manaois III" <SalvadorM...@discussions.microsoft.com> wrote
in message news:56348609-C1A0-4F58...@microsoft.com...

The script above to retrieve users with the setting "Password Never Expires"
is fine, but I would retrieve the value of the distinguishedName attribute
rather than the "Name". You need the distinguishedName to bind to the user
object later if you intend to change any settings. To remove the "Password
Never Expires" setting you must bind to the user object, retrieve the value
of userAccountControl, toggle the appropriate bit to turn it off, and save
the new value. For example:
============
' Bit mask for "Password Never Expires".
' This is the value 65536 in hex.
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Distinguished Name of user.
strDN = "cn=Jim Wilson,ou=West,dc=MyDomain,dc=com"

' Bind to user object
Set objUser = GetObject("LDAP://" & strDN)

' Retrieve value of userAccountControl attribute.
lngFlag = objUser.userAccountControl

' Check if bit set.
If (lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
    ' Bit is set, toggle the bit to turn it off.
    lngFlag = lngFlag Xor ADS_UF_DONT_EXPIRE_PASSWD
    ' Save change.
    objUser.userAccountControl = lngFlag
    objUser.SetInfo
End If
========
You can code this in a loop where you read Distinguished Names from a text
file. For example:
==========
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const ForReading = 1

' Specify file of user Distinguished Names.
strFile = "c:\scripts\users.txt"

' Open the file for read access.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFile, ForReading)

' Read file.
Do Until objFile.AtEndOfStream
    strDN = Trim(objFile.ReadLine)
    ' Skip blank lines.
    If (strDN <> "") Then
        ' Bind to user object
        Set objUser = GetObject("LDAP://" & strDN)

        ' Retrieve value of userAccountControl attribute.
        lngFlag = objUser.userAccountControl

        ' Check if bit set.
        If (lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
            ' Bit is set, toggle the bit to turn it off.
            lngFlag = lngFlag Xor ADS_UF_DONT_EXPIRE_PASSWD
            ' Save change.
            objUser.userAccountControl = lngFlag
            objUser.SetInfo
        End If
    End If
Loop

' Clean up.
objFile.Close
=========
The test to see if the bit is set (with the And operator) is prudent, as the
Xor operator toggles the bit. If the bit is not set, the Xor operator will
set it.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
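
[Added example, not part of the original thread and not code from any of its posters.] A report script that retrieves distinguishedName instead of Name, as suggested above, and writes one DN per line so the file can be reviewed, trimmed and then fed to the clearing loop. Assumptions: the output path c:\scripts\users.txt (the file name used in the loop above), the narrower objectCategory=person/objectClass=user filter, and escaping of "/" so each line can be appended to "LDAP://" unchanged.

```vbscript
' Added example: write the DN of every "password never expires" account,
' one per line, to the file the clearing loop in the thread reads.
Option Explicit
Const ADS_UF_ACCOUNTDISABLE = &H2
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536         ' &H10000
Const BIT_AND_RULE = "1.2.840.113556.1.4.803"   ' LDAP bitwise-AND matching rule

Dim objRootDSE, strBase, strFilter, objConnection, objCommand
Dim objRecordSet, objFSO, objOut, strDN, strLine, lngCount

' Read the domain naming context instead of hard-coding it.
Set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">"
strFilter = "(&(objectCategory=person)(objectClass=user)" & _
    "(userAccountControl:" & BIT_AND_RULE & ":=" & ADS_UF_DONT_EXPIRE_PASSWD & "))"

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.CommandText = strBase & ";" & strFilter & _
    ";distinguishedName,sAMAccountName,userAccountControl;Subtree"
Set objRecordSet = objCommand.Execute

' Output path is an assumption taken from the file name used in the thread.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOut = objFSO.CreateTextFile("c:\scripts\users.txt", True)

lngCount = 0
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    ' ADSI treats "/" as a path separator, so escape it before the DN is
    ' appended to "LDAP://" by the script that reads this file.
    objOut.WriteLine Replace(strDN, "/", "\/")
    ' Console line for review; disabled accounts are marked.
    strLine = objRecordSet.Fields("sAMAccountName").Value
    If (objRecordSet.Fields("userAccountControl").Value And ADS_UF_ACCOUNTDISABLE) <> 0 Then
        strLine = strLine & " (disabled)"
    End If
    WScript.Echo strLine
    lngCount = lngCount + 1
    objRecordSet.MoveNext
Loop
objOut.Close
objConnection.Close
WScript.Echo lngCount & " account(s) written to c:\scripts\users.txt"
```

Run it with cscript so the per-account lines go to the console rather than message boxes, and delete from users.txt any account that should keep the setting before running the clearing loop.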


Chris

Oct 14, 2008, 12:27:01 PM
thanks everyone! Very helpful.

"Wiseman82" wrote:

> Hi Chris,
>
> You might find my app useful:
>
> http://www.wisesoft.co.uk/Products/PasswordControl/BulkPasswordControl/default.aspx
>
> There is a pre-defined query to return users with password never expires
> set. You can then use the bulk modify dialog to update the attribute:
>
> http://www.wisesoft.co.uk/Products/PasswordControl/BulkModify/Default.aspx
>
> If you still want a VBScript solution, you will be able to combine the
> script posted by Salvador with this one:
>
> http://www.wisesoft.co.uk/scripts/vbscript_enable-disable_password_never_expires.aspx
>
> Hope this helps,
>
> David
>
>
> "Chris" <Ch...@discussions.microsoft.com> wrote in message
> news:3F9082B1-8C1F-4CC9...@microsoft.com...

Paul Weterings

Oct 14, 2008, 6:37:28 PM

Well, it's not a script, but here goes:

dsquery user | dsget user -samid -pwdneverexpires


--

/ ) Regards,
/ /_________
_|__|__) Paul Weterings
/ (O_) http://www.servercare.nl
__/ (O_)
____(O_)
