Poll AD Accounts set to "never expire"

Discussion in 'Scripting' started by Teki, Feb 3, 2007.

  1. Teki

    Teki Guest

    Greetings all,

    Interested in querying for all accounts that are set to never expire in AD;
    attempts with common queries have not turned one up. Any assistance in the
    right direction would certainly be appreciated.
     
    Teki, Feb 3, 2007
    #1

  2. Richard Mueller [MVP]

    To return all users with "Password Never Expires" set:

    strFilter = "(&(objectCategory=person)(objectClass=user)" _
        & "(userAccountControl:1.2.840.113556.1.4.803:=65536))"
     
    Richard Mueller [MVP], Feb 3, 2007
    #2

  3. Harald

    Harald Guest

    Below is a VBS script I have used for list expire date. Maybe you have to
    modify it according to your needs...


    Option Explicit
    ' AccountExpirationDate raises a runtime error for some never-expiring
    ' accounts, so errors are caught and inspected instead of stopping the script
    On Error Resume Next

    Const ADS_SCOPE_SUBTREE = 2

    Dim OU
    Dim objFileSystem, objOutputFile
    Dim strOutputFile
    Dim objConnection, objCommand, objRecordSet, objUser, dtExpire

    OU="XX"
    'OU="YY"

    ' generate a filename based on the script name, e.g. myscript-XX-Result.txt
    strOutputFile = "./" & Split(WScript.ScriptName, ".")(0) & "-" & OU & "-Result.txt"

    Set objFileSystem = CreateObject("Scripting.FileSystemObject")
    Set objOutputFile = objFileSystem.CreateTextFile(strOutputFile, TRUE)

    ' open an ADO connection to Active Directory (the posted script used
    ' objCommand without ever creating it)
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection

    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
    Wscript.Echo ("OU is: " & OU)
    If OU="XX" Then
        objCommand.CommandText = _
            "SELECT AdsPath FROM 'LDAP://OU=XX,DC=euro,DC=xyz,DC=com' WHERE objectCategory='user'"
    Else
        objCommand.CommandText = _
            "SELECT AdsPath FROM 'LDAP://OU=YY,DC=euro,DC=xyz,DC=com' WHERE objectCategory='user'"
    End If
    Set objRecordSet = objCommand.Execute

    'objOutputFile.WriteLine("UserName#FullName#Description#AccExpDate#AccDisabled#LastLoginDate")

    If Not objRecordSet.EOF Then objRecordSet.MoveFirst
    Do Until objRecordSet.EOF
        Set objUser = GetObject(objRecordSet.Fields("AdsPath").Value)

        ' AccountExpirationDate raises error -2147467259 for one "never" case
        ' and returns 1/1/1970 for the other; read it into a variable first so
        ' the error can be tested (an error inside the If condition itself would
        ' make the whole If statement be skipped under On Error Resume Next)
        Err.Clear
        dtExpire = Empty
        dtExpire = objUser.AccountExpirationDate
        If Err.Number = -2147467259 Or dtExpire = DateSerial(1970, 1, 1) Then
            Wscript.Echo objUser.Name

            ' objOutputFile.WriteLine(objUser.Name & "#" & objUser.FullName & "#" _
            '     & objUser.Description & "#" & objUser.AccountExpirationDate & "#" _
            '     & objUser.AccountDisabled & "#" & objUser.LastLogin)
            ' Wscript.Echo objUser.Name & "#" & objUser.AccountExpirationDate & _
            '     "#" & objUser.AccountDisabled
        End If
        Err.Clear

        objRecordSet.MoveNext
    Loop

    objOutputFile.Close
    objConnection.Close
    Set objFileSystem = Nothing
    WScript.Quit(0)

    ' leftover lines from an ASP page that wrote the same user properties as
    ' HTML; they are comments and are not executed by this script
    ' .write "USER AUTHENTICATED!<BR>"
    ' .write "BadLoginCount: " & objUser.BadLoginCount & "<BR>"
    ' .write "Description: " & objUser.Description & "<BR>"
    ' .write "HomeDirectory: " & objUser.HomeDirectory & "<BR>"
    ' .write "IsAccountLocked: " & objUser.IsAccountLocked & "<BR>"
    ' .write "LastLogin: " & objUser.LastLogin & "<BR>"
    ' .write "LastLogoff: " & objUser.LastLogoff & "<BR>"
    ' .write "LoginHours: " & objUser.LoginHours & "<BR>"
    ' .write "LoginScript: " & objUser.LoginScript & "<BR>"
    ' .write "LoginWorkstations: " & objUser.LoginWorkstations & "<BR>"
    ' .write "MaxStorage: " & objUser.MaxStorage & "<BR>"
    ' .write "PasswordExpirationDate: " & objUser.PasswordExpirationDate & "<BR>"
    ' .write "PasswordMinimumLength: " & objUser.PasswordMinimumLength & "<BR>"
    ' .write "PasswordRequired: " & objUser.PasswordRequired & "<BR>"
    ' .write "Profile: " & objUser.Profile & "<BR>"
     
    Harald, Feb 3, 2007
    #3
  4. Teki

    Teki Guest

    Richard,

    Thanks for responding, but I can retrieve accounts with passwords that are
    set to never expire; however, I am in need of determining which accounts are
    set to "never expire" ...it is the very last section on the accounts page.

    Thanks.
     
    Teki, Feb 4, 2007
    #4
  5. Teki

    Teki Guest

    Thanks Harald, I will give this a go as soon as I can break it apart to my
    understanding; I know nothing about vbs or scripting for that matter. Will
    let you know....will attempt using ADSI.
     
    Teki, Feb 4, 2007
    #5
  6. Richard Mueller [MVP]

    Sorry. The relevant attribute of the user object is accountExpires. This
    attribute is Integer8, which is a 64-bit number. Two values correspond to
    never, 0 and 2^63-1 (which is 9,223,372,036,854,775,807). The first value is
    encountered if the account once had an expiration date, and you remove it
    and select "Never" in the ADUC GUI. The second value is encountered if the
    account never had an expiration date. I have used the following ADO search
    filter with success:

    strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(|(accountExpires=9223372036854775807)(accountExpires=0)))"

    Surprising, since VBScript cannot represent integers larger than 2^53
    exactly. This huge number gets passed to ADO as a string and is properly
    handled. For example, I have used the VBScript program below to document all
    users whose accounts never expire:
    ==========
    Option Explicit

    Dim objRootDSE, strDNSDomain, objCommand, objConnection
    Dim strBase, strFilter, strAttributes, strQuery, objRecordSet
    Dim strNTName, strDN

    ' Determine DNS domain name.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")

    ' Use ADO to search Active Directory.
    Set objCommand = CreateObject("ADODB.Command")
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    objCommand.ActiveConnection = objConnection

    ' Search entire domain.
    strBase = "<LDAP://" & strDNSDomain & ">"

    ' Filter on user objects that do not expire.
    strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(|(accountExpires=9223372036854775807)(accountExpires=0)))"

    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "sAMAccountName,distinguishedName"

    ' Construct the ADO query, using LDAP syntax.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

    ' Run the query.
    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 30
    objCommand.Properties("Cache Results") = False
    Set objRecordSet = objCommand.Execute

    ' Enumerate the recordset and output the values retrieved.
    Do Until objRecordSet.EOF
    strNTName = objRecordSet.Fields("sAMAccountName").Value
    strDN = objRecordSet.Fields("distinguishedName").Value
    Wscript.Echo strNTName & "- " & strDN
    objRecordSet.MoveNext
    Loop
    objRecordSet.Close

    ' Clean up.
    objConnection.Close
    Set objRootDSE = Nothing
    Set objCommand = Nothing
    Set objConnection = Nothing
    Set objRecordSet = Nothing
    ==========

    For more on using ADO to search AD, see this link:

    http://www.rlmueller.net/ADOSearchTips.htm

    For a discussion of Account Expiration dates, see this link:

    http://www.rlmueller.net/AccountExpires.htm
     
    Richard Mueller [MVP], Feb 5, 2007
    #6
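    The two distinctions the thread makes (post #2's "Password Never Expires"
    flag in userAccountControl versus post #6's accountExpires attribute, with
    its two "never" encodings) are easy to conflate in an audit, so here is an
    added worked example that classifies user records on both. It is not code
    from the thread or from Richard's site; it is written in Python rather than
    VBScript because Python's integers hold the full 64-bit value exactly, which
    is the 2^53 limitation post #6 mentions. The record layout, the function
    names and the sample accounts are constructed for the example; the two LDAP
    filters are the ones given in posts #2 and #6.

```python
from datetime import datetime, timedelta, timezone

# From the thread: accountExpires is an Integer8, a 64-bit count of 100 ns
# intervals since 1601-01-01 UTC (the Windows FILETIME epoch). Both 0 and
# 2^63-1 mean "never expires"; which one you see depends on whether the
# account ever had an expiry date (see post #6).
NEVER_VALUES = {0, 2**63 - 1}          # 2**63 - 1 == 9223372036854775807
# "Password Never Expires" bit in userAccountControl (65536 == 0x10000).
UF_DONT_EXPIRE_PASSWD = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def account_expiry(account_expires):
    """Return None for a never-expiring account, else the UTC expiry time.

    LDAP clients hand the attribute back as a string; int() keeps all 64
    bits, unlike a VBScript Double, which is only exact up to 2^53.
    """
    value = int(account_expires)
    if value in NEVER_VALUES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def password_never_expires(user_account_control):
    """True when the DONT_EXPIRE_PASSWD bit is set (post #2's bitwise test)."""
    return bool(int(user_account_control) & UF_DONT_EXPIRE_PASSWD)


def account_never_expires_filter():
    """LDAP filter from post #6: accounts whose expiry is one of the two 'never' values."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(|(accountExpires=9223372036854775807)(accountExpires=0)))")


def password_never_expires_filter():
    """LDAP filter from post #2: bitwise-AND matching rule on userAccountControl."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(userAccountControl:1.2.840.113556.1.4.803:=65536))")


def audit(records):
    """Classify each record; returns {sAMAccountName: findings} for review."""
    findings = {}
    for rec in records:
        expiry = account_expiry(rec["accountExpires"])
        findings[rec["sAMAccountName"]] = {
            "account_never_expires": expiry is None,
            "account_expires_utc": expiry.isoformat() if expiry else None,
            "password_never_expires": password_never_expires(rec["userAccountControl"]),
        }
    return findings


# Constructed sample records (hypothetical accounts, not real directory data).
# Attribute values are strings, as an LDAP client returns them.
SAMPLE_RECORDS = [
    # never had an expiry date; password also set to never expire (512 + 65536)
    {"sAMAccountName": "svc-backup", "accountExpires": "9223372036854775807",
     "userAccountControl": "66048"},
    # once had an expiry date, then "Never" was selected in ADUC
    {"sAMAccountName": "jdoe", "accountExpires": "0", "userAccountControl": "512"},
    # a real expiry date: 132000000000000000 ticks -> 2019-04-17 18:40 UTC
    {"sAMAccountName": "contractor1", "accountExpires": "132000000000000000",
     "userAccountControl": "512"},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RECORDS).items():
        print(name, finding)
```

    Running the script prints one findings line per sample account. In
    practice you would feed it the result of the post #6 search (or of a search
    with no accountExpires clause, to see the full population), and the
    password flag and the account expiry are reported separately because, as
    Teki found, a query for one says nothing about the other.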
  7. Teki

    Teki Guest

    Richard,

    You have certainly blown my mind, but I never run from a challenge; thanks,
    and I will break this apart so that I understand it before applying it. You
    guyz are awesome.
    --
    Teki


     
    Teki, Feb 5, 2007
    #7
  8. Ken Aldrich

    Ken Aldrich Guest

    You could use DSRAZOR for Windows to do this. No scripting knowledge
    required.
    DSRAZOR is designed to report on many things just like this.

    Go to www.visualclick.com/?source=020607noexpire
    You can download the trial version and run the applet titled "Accounts that
    never expire" in the "Assess AD/NTFS Security" section.
    If you would like a free one-on-one web demonstration of how DSRAZOR works,
    and how we can customize it to create other reports then sign up for an
    evaluation.

    --
    Ken Aldrich
    DSRAZOR for Windows
    Visual Click Software, Inc.
    www.visualclick.com

     
    Ken Aldrich, Feb 6, 2007
    #8