Users with pwd never expire, enabled and password is older than 90

Discussion in 'Scripting' started by Misha, May 3, 2006.

  1. Misha

    Misha Guest

    I have the script to enumerate the password never expire accounts and to
    include only the users accounts which are enabled and not disabled. I would
    like to include one more option which is to pull the users with passwords
    older than 90 days. Can someone help please.

    Here is what I have so far:

    On Error Resume Next

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    objCommand.Properties("Page Size") = 1000

    objCommand.CommandText = _
    "<LDAP://dc=adrootqa,dc=bmogc,dc=net>;" & _
    "(&(objectCategory=user)" _
    & "(userAccountControl:1.2.840.113556.1.4.803:=65536)" _
    & "(!userAccountControl:1.2.840.113556.1.4.803:=2));" & _
    Set objRecordSet = objCommand.Execute

    Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("Name").Value
    Misha, May 3, 2006
    1. Advertisements

  2. Hi,

    You want to specify a value for the pwdLastSet attribute that corresponds to
    a date more than 90 days in the past. You would add another clause to your
    ADO filter for pwdLastSet less than (or equal to) some number. The trick is
    that the pwdLastSet attribute is Integer8, a 64-bit number representing the
    number 100-nanosecond intervals since 12:00 AM January 1, 1601. This date is
    in UTC (Coordinated Universal Time, which used to be called GMT), so
    technically the value depends on your time zone. You want the value
    representing the date 90 days in the past. I have a VBScript program that
    converts a given date to an Integer8 value linked here:

    In my time zone (CDT), the date 2/2/2006 12:00 AM corresponds to the
    Integer8 value 127833300000000000. There should be 18 digits, but the
    program returns a value rounded to the nearest second, so the last 8 digits
    (at least) are zeros. Your filter clause could be:

    Richard Mueller, May 3, 2006
    1. Advertisements

  3. Also, if a user has never had the password set, pwdLastSet will be zero. And
    the value can be set to zero to expire the password. So perhaps it is best
    to eliminate that. I would use the following:

    Richard Mueller, May 3, 2006
  4. Misha

    Black Guest


    I used DateDiff for the date value, maybe this will work.

    objCommand.CommandText = _
    "<LDAP://dc=adrootqa,dc=bmogc,dc=net>;" & _
    "(&(objectCategory=user)(pwdLastSet>=" & _
    (DateDiff("s", "01/01/1601", Now()-90) & "0000000") & ")" & _
    "(userAccountControl:1.2.840.113556.1.4.803:=65536)" & _
    "(!userAccountControl:1.2.840.113556.1.4.803:=2));" & _

    Black, May 3, 2006
  5. Misha

    Black Guest


    "...Strike that. Reverse it."
    -Willy Wonka

    "(&(objectCategory=user)(pwdLastSet<=" & _

    Black, May 3, 2006
  6. That method seems to work. It differs only by the time zone bias, which
    probably can be ignored for this. However, I would still add the clause:

    Richard Mueller, May 4, 2006
  7. Misha

    Misha Guest

    This is working. Thanks very much !

    Misha, May 4, 2006
  8. Misha

    Misha Guest

    This is working. Thanks very much !

    Misha, May 4, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.