script to detect password expiration for local account

cybercoaster

Apr 2, 2009, 1:30:02 PM
Hello,

I am looking for a script that can dump the expiration date of all local user
accounts. The only scripts I can seem to locate deal with one user and for
Active Directory. Can anyone point me in the right direction?

Thanks.

Richard Mueller [MVP]

Apr 2, 2009, 2:27:11 PM

"cybercoaster" <u50904@uwe> wrote in message news:94032db9b06ea@uwe...

You must use the WinNT provider with local user accounts. You can use the
maxPasswordAge and passwordAge properties (both in seconds) to determine
when the password will expire (or if it is already expired). In addition,
you should use the userFlags property to check if the password can expire
for the user. For example (not tested):
====
Option Explicit

Dim objNetwork, strComputer, objComputer, objUser, lngFlag
Dim lngMaxPwdAge, lngPwdAge, dtmExpire

' Values from ADS_USER_FLAG_ENUM.
Const ADS_UF_PASSWD_CANT_CHANGE = &H40
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Retrieve NetBIOS name of local computer.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Bind to local computer object.
Set objComputer = GetObject("WinNT://" & strComputer)

' Filter on user objects.
objComputer.Filter = Array("user")

' Enumerate all local users.
For Each objUser In objComputer
    ' Retrieve values; both ages are in seconds, converted here to whole days.
    lngFlag = objUser.userFlags
    lngMaxPwdAge = CLng(objUser.maxPasswordAge / 86400)
    lngPwdAge = CLng(objUser.passwordAge / 86400)
    ' Check if password can expire or be changed.
    If (lngFlag And ADS_UF_PASSWD_CANT_CHANGE) <> 0 Then
        Wscript.Echo objUser.Name & ",<Password cannot change>"
    ElseIf (lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
        Wscript.Echo objUser.Name & ",<Password does not expire>"
    ElseIf (lngMaxPwdAge > lngPwdAge) Then
        ' Calculate when password will expire: DateAdd(interval, number, date).
        dtmExpire = DateAdd("d", lngMaxPwdAge - lngPwdAge, Now())
        Wscript.Echo objUser.Name & "," & dtmExpire
    Else
        Wscript.Echo objUser.Name & ",<Password expired>"
    End If
Next

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


cybercoaster

Apr 2, 2009, 3:23:09 PM
Thanks, that looks promising. I am pretty green on scripts and can't get this
to run. Trying to figure it out now (getting Expected end of statement). I
found some other examples on
http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr07/hey0419.mspx
but those come back saying all the accounts don't expire. I even created a test
user and it didn't say it expired - although I know they do. Yours looks like
it does the actual date calculations, which is what I need.

Richard Mueller [MVP] wrote:
>> Hello,
>>
>[quoted text clipped - 4 lines]

Richard Mueller [MVP]

Apr 2, 2009, 4:36:49 PM
I suspect word wrapping broke up one or more lines in the program I posted.
I ran the program before I posted it and got no such error. I've tested
again and it works for me.

The error you got indicates that one or more statements was wrapped onto two
lines. The error message should have indicated a line number, which helps to
troubleshoot.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"cybercoaster" <u50904@uwe> wrote in message news:94042a89b30b6@uwe...

cybercoaster via WinServerKB.com

Apr 3, 2009, 9:32:48 AM
Yip, I did find the errors. Thanks so much for your help!

Richard Mueller [MVP] wrote:
>I suspect word wrapping broke up one or more lines in the program I posted.
>I ran the program before I posted it and got no such error. I've tested
>again and it works for me.
>
>The error you got indicates that one or more statements was wrapped onto two
>lines. The error message should have indicated a line number, which helps to
>troubleshoot.
>

>> Thanks, that looks promising. I am pretty green on scripts and cant get
>> this

>[quoted text clipped - 56 lines]
>>> End If
>>>Next

--
Message posted via http://www.winserverkb.com

cybercoaster via WinServerKB.com

Apr 3, 2009, 10:09:29 AM
To expand a little further on this script, can it pull last user logon date?
I looked at the ADS_USER_FLAG_ENUM at
http://msdn.microsoft.com/en-us/library/aa772300.aspx but don't see that value
there.

Richard Mueller [MVP] wrote:
>I suspect word wrapping broke up one or more lines in the program I posted.
>I ran the program before I posted it and got no such error. I've tested
>again and it works for me.
>
>The error you got indicates that one or more statements was wrapped onto two
>lines. The error message should have indicated a line number, which helps to
>troubleshoot.
>

>> Thanks, that looks promising. I am pretty green on scripts and cant get
>> this

>[quoted text clipped - 56 lines]
>>> End If
>>>Next

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-scripting/200904/1

Richard Mueller [MVP]

Apr 3, 2009, 10:43:36 AM
You can retrieve the lastLogin attribute of the user object. However, an
error is raised if the user has never logged in. You can trap the error, for
example:
===========
' Replaces the enumeration loop in the earlier script; the declarations,
' constants and objComputer binding above it stay as they are.
Dim dtmLastLogin

' Enumerate all local users.
For Each objUser In objComputer
    ' Retrieve values; both ages are in seconds, converted here to whole days.
    lngFlag = objUser.userFlags
    lngMaxPwdAge = CLng(objUser.maxPasswordAge / 86400)
    lngPwdAge = CLng(objUser.passwordAge / 86400)

    ' lastLogin raises an error if the user has never logged in; trap it.
    On Error Resume Next
    dtmLastLogin = objUser.lastLogin
    If (Err.Number <> 0) Then
        dtmLastLogin = "<Never>"
    End If
    On Error GoTo 0

    ' Check if password can expire or be changed.
    If (lngFlag And ADS_UF_PASSWD_CANT_CHANGE) <> 0 Then
        Wscript.Echo objUser.Name & ",<Password cannot change>," & dtmLastLogin
    ElseIf (lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
        Wscript.Echo objUser.Name & ",<Password does not expire>," & dtmLastLogin
    ElseIf (lngMaxPwdAge > lngPwdAge) Then
        ' Calculate when password will expire: DateAdd(interval, number, date).
        dtmExpire = DateAdd("d", lngMaxPwdAge - lngPwdAge, Now())
        Wscript.Echo objUser.Name & "," & dtmExpire & "," & dtmLastLogin
    Else
        Wscript.Echo objUser.Name & ",<Password expired>," & dtmLastLogin
    End If
Next

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"cybercoaster via WinServerKB.com" <u50904@uwe> wrote in message
news:940e0038d881e@uwe...
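
The expiry and last-logon checks from the two scripts in this thread, as an added PowerShell example that is not part of the original posts. It reads the same WinNT provider properties (userFlags, maxPasswordAge, passwordAge, lastLogin), computes the expiry in seconds rather than whole days, and emits one object per account so the result can be sorted or filtered. The variable names and output columns are choices made for this example, and it assumes a finite maximum password age is configured on the machine.

```powershell
# Added example: local account password audit via the ADSI WinNT provider.
# Flag values are from ADS_USER_FLAG_ENUM.
$ADS_UF_ACCOUNTDISABLE     = 0x2
$ADS_UF_PASSWD_CANT_CHANGE = 0x40
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

$now      = Get-Date
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"

$report = $computer.Children |
    Where-Object { $_.SchemaClassName -eq 'user' } |
    ForEach-Object {
        $flags  = [int]$_.UserFlags.Value
        $maxAge = [double]$_.MaxPasswordAge.Value   # seconds
        $age    = [double]$_.PasswordAge.Value      # seconds

        if ($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) {
            # Password is exempt from the maximum-age policy.
            $status  = 'NeverExpires'
            $expires = $null
        }
        else {
            # Remaining lifetime = maximum age minus current age (assumes a finite maximum).
            $expires = $now.AddSeconds($maxAge - $age)
            $status  = if ($expires -le $now) { 'Expired' } else { 'Active' }
        }

        [pscustomobject]@{
            Name                 = $_.Name.Value
            Disabled             = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
            CannotChangePassword = [bool]($flags -band $ADS_UF_PASSWD_CANT_CHANGE)
            PasswordStatus       = $status
            PasswordExpires      = $expires
            # Empty for an account that has never logged on (no error to trap here).
            LastLogin            = $_.LastLogin.Value
        }
    }

# Accounts closest to expiry first; non-expiring accounts have no date.
$report | Sort-Object PasswordExpires | Format-Table -AutoSize
```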

cybercoaster via WinServerKB.com

Apr 16, 2009, 11:02:16 AM
Been hectic around here, just wanted to drop a big thank you for your help!
The script works perfectly!

>> To expand a little further on this script, can it pull last user logon
>> date?

>[quoted text clipped - 19 lines]
