User Account Password Expiration Date

Discussion in 'Active Directory' started by stosti, Jan 23, 2006.

  1. stosti

    stosti Guest

    How do I look into the directory and see what day a users password expires?
    How do I change this date? When a user changes their password and they keep
    getting locked out in the system how do I tell where they are getting locked
    out from?

    Thank You,
    Scott
     
    stosti, Jan 23, 2006
    #1
    1. Advertisements

  2. See tip 9752 » How can I set environment variables to a user's password expiration date and time?
    in the 'Tips & Tricks' at http://www.jsifaq.com
    You can't.
    The authenticating DC??
    %LOGONSERVER%
    Jerold Schulman
    Windows Server MVP
    JSI, Inc.
    http://www.jsiinc.com
    http://www.jsifaq.com
     
    Jerold Schulman, Jan 23, 2006
    #2
    1. Advertisements

  3. stosti

    stosti Guest

    So i cut 9752 and paste into notepad and save the files as a batch file?
    Will this show all user password expiration dates or the one I'm logged in as?

    I understand to look on the logon domain controller... I was hoping there
    was an easier way! :-(
     
    stosti, Jan 23, 2006
    #3
  4. stosti

    stosti Guest

    Also what is the easiest way to tell from a users machine or other what
    domain controller authenticated them?

    Thanks!!!
     
    stosti, Jan 23, 2006
    #4
  5. See the parameters,
    UserDN is a user's distinguished Name, like "CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM".

    DateExp is a call directed environment variable that will contain UserDN's password expiration date.

    TimeExp is a call directed environment variable that will contain UserDN's password expiration time.

    It returns the Date/Time of password expiration for each user DN you call it with.

    You can use Adfind freeware to retrieve them all, tip 5898 » Freeware ADFind in the 'Tips & Tricks' at http://www.jsifaq.com

    @echo off
    setlocal ENABLEDELAYEDEXPANSION
    set qry=adfind -dsq -default -f "&(objectcategory=person)"
    set DateExp=NULL
    set TimeExp=NULL
    for /f "Tokens=*" %%a in ('%qry%') do (
    call WhenPwdExp %%a DateExp TimeExp
    @echo %%a !DateExp! !TimeExp!
    set DateExp=NULL
    set TimeExp=NULL
    )
    endlocal

    NOTE: I believe you will get an error for each user that has never logged on.
    Jerold Schulman
    Windows Server MVP
    JSI, Inc.
    http://www.jsiinc.com
    http://www.jsifaq.com
     
    Jerold Schulman, Jan 23, 2006
    #5
  6. From a user's computer, simply type @echo %LOGONSERVER%
    to display the contents of the LOGONSERVER environment variable.

    Jerold Schulman
    Windows Server MVP
    JSI, Inc.
    http://www.jsiinc.com
    http://www.jsifaq.com
     
    Jerold Schulman, Jan 23, 2006
    #6
  7. stosti

    Cary Shultz Guest

    Scott,

    In addition to what Jerold has stated (and I would spend some time at his
    web site if I might be so bold to suggest this) you might want to look at
    the ALTools.exe (Account Lockout Tools). Here is an article that might be
    helpful:

    http://www.windowsecurity.com/pages/article_p.asp?id=1362

    Here is the URL to the download:

    http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

    I use these in WIN2000 environments and this tool set is W*O*N*D*E*R*F*U*L.
    They also work in a WIN2003 environment. I would urge you to use them.

    And, you could use set l (that is a lower case letter 'L'....) at a command
    prompt on each system to tell you against which Domain Controller that user
    authenticated. This will give you that one piece of information. You could
    use simply 'set' at a command prompt to get a whole list of information
    (including LOGONSERVER).
     
    Cary Shultz, Jan 30, 2006
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.