80 pts.
 unchecking the ‘password never expires’
Hi, I have a number of domain users in Windows 2003 Server Active Directory Users and Computers. I believe these users to have the 'password never expires' check box ticked in their accounts. I do not know who or where their accounts reside, therefore, I would like to know how to obtain a list of these users in order to remove the tick and hence enable the expiration period. Unfortunately the use of a GPO to enforce the policy has never been used. However, after locating and removing all those users with 'password never expires' enabled I intend to use a GPO to prevent AD accounts from never expiring. I hope I've explained myself well. Thanks.

ASKED: August 28, 2009  2:45 PM
UPDATED: November 3, 2010  7:21 PM

Answer Wiki:
Here is an example using a command line to process user objects setting them to expire and the expiration time interval. You need the Fully Qualified User name for DSMod. DSQuery is an easy method to obtain it.

In this example it uses DSQuery to find all users under a specific OU and pipes to DSMod to set password expiration time and set password to expire.

Use -scope subtree to include every OU under the starting OU in the search as well.
Change the -limit for number of objects as required for your environment.

You can use DSQuery to generate a list of all user objects in the domain and then filter the list as needed. Use a FOR loop to process the list through DSMod.

<pre>dsquery user CN=Users,DC=MyDCPart3,DC=MyDCPart2,DC=MyDCPart1 -scope onelevel -limit 60000 | dsmod user -acctexpires 120 -pwdneverexpires NO</pre>

You will need the server support tools installed on the system from which you run the script for the DS utilities. Review the options in the DS tools for ideas on what information you can pull as well as what you can do.

--------------------------------

Here is a script that will build an Excel spreadsheet for you with a lot of user information. You will only need to tweak it a bit to get the flag setting for 'password never expires'. The info as to the parameter's name is readily available out there - just Google it :-) This is not the product of my work effort, but was a big help back in the day when I was doing AD work and needed examples from which to learn. I've lost the name of the source, but if anyone knows, please share it with us. It was, to the best of my knowledge, released as public domain code. If that is not true, I will withdraw the code immediately.

-----> This is part of a book titled, Windows Script Host, and the script is copyrighted Tim Hill 1998. Doesn't seem to be under GNU license.
<pre>
' Dump user accounts to an Excel spreadsheet

' Explicit variable declaration and standard globals
Option Explicit
Dim g_sScriptPath, g_sScriptName, g_sScriptFolder, g_sVersion
Dim g_nTraceLevel
Dim g_oShell, g_oFSO
Dim s, ix, i

' Set standard globals and create global objects
g_sVersion = "1.0"
g_sScriptPath = Wscript.ScriptFullName
g_sScriptName = Wscript.ScriptName
g_sScriptFolder = Left(g_sScriptPath, Len(g_sScriptPath) - Len(g_sScriptName))
Set g_oShell = CreateObject("Wscript.Shell")
Set g_oFSO = CreateObject("Scripting.FileSystemObject")

' Setup trace control from WSHTRACE environment variable
i = g_oShell.Environment("Process").Item("WSHTRACE")
If IsNumeric(i) Then g_nTraceLevel = CInt(i) Else g_nTraceLevel = 0

' Check for -help, -? etc help request on command line
If Wscript.Arguments.Count > 0 Then
    s = LCase(Wscript.Arguments(0))
    If (s = "-help") Or (s = "-?") Or (s = "/help") Or (s = "/?") Then
        ShowHelpMessage
        Wscript.Quit(1)
    End If
End If

' Show signon banner, then call Main function
ix = Instr(g_sScriptName, ".")
If ix <> 0 Then s = Left(g_sScriptName, ix - 1) Else s = g_sScriptName
Wscript.Echo s & " version " & g_sVersion & vbCRLF
i = Main

' Release standard global objects, then exit script
Set g_oFSO = Nothing
Set g_oShell = Nothing
Wscript.Quit(i)

Function Main
    Trace 1, "+++Main"
    Dim sAdsPath, sExcelPath, oSheet, oExcel, oUser, oAdsObj

    ' Validate command line and get args
    If Wscript.Arguments.Count < 2 Then
        ShowHelpMessage
        Wscript.Quit(1)
    End If
    sAdsPath = "WinNT://" & Wscript.Arguments(0)
    sExcelPath = g_oFSO.GetAbsolutePathName(Wscript.Arguments(1))

    ' Prepare ADSI computer/domain object
    On Error Resume Next
    Set oAdsObj = GetObject(sAdsPath)
    If Err.Number <> 0 Then
        Wscript.Echo sAdsPath & ": not found (0x" & Hex(Err.Number) & ")"
        Wscript.Quit(Err.Number)
    End If
    On Error Goto 0

    ' Prepare spreadsheet
    Set oExcel = CreateObject("Excel.Application")
    oExcel.Workbooks.Add
    oExcel.ActiveWorkbook.Worksheets.Add
    Set oSheet = oExcel.ActiveWorkbook.Worksheets(1)
    oSheet.Cells.Font.Size = 8
    oSheet.Name = "User Dump"
    oSheet.Cells(1,1).Value = "Dump of User Accounts on: " & Wscript.Arguments(0)
    oSheet.Cells(1,1).Font.Bold = True
    oSheet.Cells(1,1).Font.Size = 10
    oSheet.Range("A3:I3").Font.Bold = True
    oSheet.Range("A3:I3").Interior.Color = RGB(192,192,192)
    SetupCol oSheet, 3, 1, 12, "Name"
    SetupCol oSheet, 3, 2, 18, "Full Name"
    SetupCol oSheet, 3, 3, 10, "Home Drive"
    SetupCol oSheet, 3, 4, 12, "Home Dir"
    SetupCol oSheet, 3, 5, 12, "Login Script"
    SetupCol oSheet, 3, 6, 8, "User Flags"
    SetupCol oSheet, 3, 7, 12, "Profile"
    SetupCol oSheet, 3, 8, 36, "Description"
    SetupCol oSheet, 3, 9, 36, "Groups"

    ' Enumerate all users in the computer/domain
    oAdsObj.Filter = Array("User")      ' Filter user accounts only
    ix = 0
    For Each oUser In oAdsObj           ' For each user account..
        DumpAccount oSheet, ix, oUser   ' Go add to sheet
        ix = ix + 1                     ' Bump index
    Next

    ' Save spreadsheet and close
    oExcel.ActiveWorkbook.SaveAs sExcelPath
    oExcel.ActiveWorkbook.Close
    Set oSheet = Nothing
    Set oExcel = Nothing
    Set oAdsObj = Nothing

    ' Return value is passed to Wscript.Quit as script exit code
    Main = 0
End Function

Sub SetupCol(oSheet, nRow, nCol, nWidth, sTitle)
    oSheet.Cells(nRow, nCol).Value = sTitle
    oSheet.Cells(nRow, nCol).ColumnWidth = nWidth
End Sub

Sub DumpAccount(oSheet, ix, oUser)
    Dim oObj, sList

    ' Build group list
    sList = ""
    For Each oObj In oUser.Groups
        If sList = "" Then
            sList = oObj.Name
        Else
            sList = sList & ", " & oObj.Name
        End If
    Next

    ' Setup cell values
    oSheet.Cells(4 + ix, 1).Value = oUser.Name
    oSheet.Cells(4 + ix, 2).Value = oUser.FullName
    oSheet.Cells(4 + ix, 3).Value = oUser.HomeDirDrive
    oSheet.Cells(4 + ix, 4).Value = oUser.HomeDirectory
    oSheet.Cells(4 + ix, 5).Value = oUser.LoginScript
    oSheet.Cells(4 + ix, 6).Value = "0x" & Hex(oUser.UserFlags)
    oSheet.Cells(4 + ix, 7).Value = oUser.Profile
    oSheet.Cells(4 + ix, 8).Value = oUser.Description
    oSheet.Cells(4 + ix, 9).Value = sList
End Sub

Sub ShowHelpMessage
    Trace 1, "+++ShowHelpMessage"
    Wscript.Echo "usage: dumpusers <computer|domain> <xls-file>"
    Wscript.Echo
    Wscript.Echo "Dumps user account information into the specified Excel spreadsheet file. Specify either a computer name or a domain name. To improve performance, append "",computer"""
    Wscript.Echo "to computer names and "",domain"" to domains name."
    Wscript.Echo "For example:"
    Wscript.Echo
    Wscript.Echo " dumpusers mydomain,domain mydomain.xls"
    Wscript.Echo
    Wscript.Echo "This will dump users in the domain MYDOMAIN to MYDOMAIN.XLS"
End Sub

Sub Trace(nLevel, sText)
    If g_nTraceLevel > nLevel Then Wscript.Echo sText
End Sub
</pre>

Best of luck - I hope this helps.
Last Wiki Answer Submitted:  November 3, 2010  7:21 pm  by  Nnf97   4,235 pts.
All Answer Wiki Contributors:  Nnf97   4,235 pts. , SANManJax   300 pts.
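The question asks for a list of only the accounts that have 'password never expires' ticked, which corresponds to the ADS_UF_DONT_EXPIRE_PASSWD bit (0x10000) in the account's flags. The following is an added example, not part of the original answers: a PowerShell script that finds just those accounts with an LDAP bitwise filter and can then clear that one bit. The function names `Get-NeverExpiringUser` and `Clear-NeverExpireFlag` and the sample DN are hypothetical; it assumes PowerShell 2.0 or later on a domain-joined machine.

```powershell
# Added example (not from the original thread).
$DONT_EXPIRE_PASSWD = 0x10000   # ADS_UF_DONT_EXPIRE_PASSWD bit of userAccountControl

function Get-NeverExpiringUser {
    # $SearchBase is optional, e.g. 'LDAP://OU=Staff,DC=example,DC=com' (placeholder DN).
    param([string]$SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchBase) { $searcher.SearchRoot = [ADSI]$SearchBase }
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule:
    # the filter matches only accounts where this bit is set.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
        "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWD))"
    $searcher.PageSize = 1000   # page results so large domains are not truncated
    $searcher.PropertiesToLoad.AddRange(
        [string[]]('sAMAccountName', 'distinguishedName', 'userAccountControl'))
    $results = $searcher.FindAll()
    foreach ($r in $results) {
        New-Object PSObject -Property @{
            SamAccountName     = $r.Properties['samaccountname'][0]
            DistinguishedName  = $r.Properties['distinguishedname'][0]
            UserAccountControl = '0x{0:X}' -f $r.Properties['useraccountcontrol'][0]
        }
    }
    $results.Dispose()
}

function Clear-NeverExpireFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
          [string]$DistinguishedName)
    process {
        $entry = [ADSI]"LDAP://$DistinguishedName"
        $uac = [int]$entry.psbase.Properties['userAccountControl'].Value
        if (($uac -band $DONT_EXPIRE_PASSWD) -and
            $PSCmdlet.ShouldProcess($DistinguishedName, 'Clear DONT_EXPIRE_PASSWD')) {
            # Clear only this bit; every other account-control flag is preserved.
            $entry.psbase.Properties['userAccountControl'].Value =
                $uac -band (-bnot $DONT_EXPIRE_PASSWD)
            $entry.psbase.CommitChanges()
        }
    }
}

# Review first, then dry-run, then apply by dropping -WhatIf:
#   Get-NeverExpiringUser | Export-Csv never-expires.csv -NoTypeInformation
#   Get-NeverExpiringUser | Clear-NeverExpireFlag -WhatIf
```

Review the exported list before clearing anything: service accounts often carry this flag on purpose, and forcing expiry on them can break the services that log on with them.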


Discuss This Question:

Hi SANManJax, can you tell me where to type this coding?

 40 pts.

 

How to execute this script? Please elaborate briefly.

 115 pts.