unchecking the ‘password never expires’

80 pts.
Tags:
Active Directory Users and Computers
GPO
Security audits
Windows Server 2003
Hi, I have a number of domain users in Windows 2003 Server Active Directory Users and Computers. I believe these users to have the 'password never expires' check box ticked in their accounts. I do not know who or where their accounts reside, therefore, I would like to know how to obtain a list of these users in order to remove the tick and hence enable the expiration peroid. Unfortunatley the use of a GPO to enforce the policy has never been used. However, after locating and removing all those users with 'password never expires' enabled I intend to use a GPO to prevent AD accounts from never expiring. I hope I've explained myself well. Thanks.

Answer Wiki

Thanks. We'll let you know when a new response is added.

Here is an example using a command line to process user objects setting them to expire and the expiration time interval.

You need the Fully Quallified User name for DSMod. DSQuery is an easy method to obtain
In this example it uses DSQuery to find all users under a specific OU and pipes to DSMod to
set password expiration rtime and set password to expire.
Use -scope subtree to include every OU under the starting OU in the search as well
Change the -limit for number of objects as requried for your environment
You can use DSQuery to generate a list of all user objects in th edomain and then filter the list as needed.
Use a FOR loop to process the list through DSMod.

<pre>dsquery user CN=Users,DC=MyDCPart3,DC=MyDCPart2,MyDCPart1 -scope onelevel -limit 60000|dsmod user -acctexpires 120 -pwdneverexpires NO
</pre>

You will need the server support tools intalled on the system from which you run the script for
the DS utilities. Review the options in the DS tools for ideas on what information you can pull
as well as what you can do.

——————————–

Here is a script that will build an Excel spreadsheet for you with a lot of user information. You will only need to tweak it a bit to get the flag setting for ‘password never expires’. The info as to the parameter’s name is readily available out there – just Google it :-)

This is not the product of my work effort, but was a big help back in the day when I was doing AD work and needed examples from which to learn. I’ve lost the name of the source, but if anyone knows, please share it with us. It was, to the best of my knowledge, released as public domain code. If that is not true, I will withdraw the code immediately.
—–> This is part of a book titled, Windows Script Host, and the script is copyrighted Tim Hill 1998. Doesnt seem to be under GNU license.

<pre>
‘ Dump user accounts to an Excel spreadsheet

‘ Explicit variable declaration and standard globals
Option Explicit
Dim g_sScriptPath, g_sScriptName, g_sScriptFolder, g_sVersion
Dim g_nTraceLevel
Dim g_oShell, g_oFSO
Dim s, ix, i

‘ Set standard globals and create global objects
g_sVersion = “1.0″
g_sScriptPath = Wscript.ScriptFullName
g_sScriptName = Wscript.ScriptName
g_sScriptFolder = Left(g_sScriptPath, Len(g_sScriptPath) – Len(g_sScriptName))
Set g_oShell = CreateObject(“Wscript.Shell”)
Set g_oFSO = CreateObject(“Scripting.FileSystemObject”)

‘ Setup trace control from WSHTRACE environment variable
i = g_oShell.Environment(“Process”).Item(“WSHTRACE”)
If IsNumeric(i) Then g_nTraceLevel = CInt(i) Else g_nTraceLevel = 0

‘ Check for -help, -? etc help request on command line
If Wscript.Arguments.Count > 0 Then
s = LCase(Wscript.Arguments(0))
If (s = “-help”) Or (s = “-?”) Or (s = “/help”) Or (s = “/?”) Then
ShowHelpMessage
Wscript.Quit(1)
End If
End If

‘ Show signon banner, then call Main function
ix = Instr(g_sScriptName, “.”)
If ix <> 0 Then s = Left(g_sScriptName, ix – 1) Else s = g_sScriptName
Wscript.Echo s & ” version ” & g_sVersion & vbCRLF
i = Main

‘ Release standard global objects, then exit script
Set g_oFSO = Nothing
Set g_oShell = Nothing
Wscript.Quit(i)

Function Main
Trace 1, “+++Main”
Dim sAdsPath, sExcelPath, oSheet, oExcel, oUser, oAdsObj

‘ Validate command line and get args
If Wscript.Arguments.Count < 2 Then
ShowHelpMessage
Wscript.Quit(1)
End If
sAdsPath = “WinNT://” & Wscript.Arguments(0)
sExcelPath = g_oFSO.GetAbsolutePathName(Wscript.Arguments(1))

‘ Prepare ADSI computer/domain object
On Error Resume Next
Set oAdsObj = GetObject(sAdsPath)
If Err.Number <> 0 Then
Wscript.Echo sAdsPath & “: not found (0x” & Hex(Err.Number) & “)”
Wscript.Quit(Err.Number)
End If
On Error Goto 0

‘ Prepare spreadsheet
Set oExcel = CreateObject(“Excel.Application”)
oExcel.Workbooks.Add
oExcel.ActiveWorkbook.Worksheets.Add
Set oSheet = oExcel.ActiveWorkbook.Worksheets(1)
oSheet.Cells.Font.Size = 8
oSheet.Name = “User Dump”
oSheet.Cells(1,1).Value = “Dump of User Accounts on: ” & Wscript.Arguments(0)
oSheet.Cells(1,1).Font.Bold = True
oSheet.Cells(1,1).Font.Size = 10
oSheet.Range(“A3:I3″).Font.Bold = True
oSheet.Range(“A3:I3″).Interior.Color = RGB(192,192,192)
SetupCol oSheet, 3, 1, 12, “Name”
SetupCol oSheet, 3, 2, 18, “Full Name”
SetupCol oSheet, 3, 3, 10, “Home Drive”
SetupCol oSheet, 3, 4, 12, “Home Dir”
SetupCol oSheet, 3, 5, 12, “Login Script”
SetupCol oSheet, 3, 6, 8, “User Flags”
SetupCol oSheet, 3, 7, 12, “Profile”
SetupCol oSheet, 3, 8, 36, “Description”
SetupCol oSheet, 3, 9, 36, “Groups”

‘ Enumerate all users in the computer/domain
oAdsObj.Filter = Array(“User”) ‘ Filter user accounts only
ix = 0
For Each oUser In oAdsObj ‘ For each user account..
DumpAccount oSheet, ix, oUser ‘ Go add to sheet
ix = ix + 1 ‘ Bump index
Next

‘ Save spreadsheet and close
oExcel.ActiveWorkbook.SaveAs sExcelPath
oExcel.ActiveWorkbook.Close
Set oSheet = Nothing
Set oExcel = Nothing
Set oAdsObj = Nothing

‘ Return value is passed to Wscript.Quit as script exit code
Main = 0
End Function

Sub SetupCol(oSheet, nRow, nCol, nWidth, sTitle)
oSheet.Cells(nRow, nCol).Value = sTitle
oSheet.Cells(nRow, nCol).ColumnWidth = nWidth
End Sub

Sub DumpAccount(oSheet, ix, oUser)
Dim oObj, sList

‘ Build group list
sList = “”
For Each oObj In oUser.Groups
If sList = “” Then
sList = oObj.Name
Else
sList = sList & “, ” & oObj.Name
End If
Next

‘ Setup cell values
oSheet.Cells(4 + ix, 1).Value = oUser.Name
oSheet.Cells(4 + ix, 2).Value = oUser.FullName
oSheet.Cells(4 + ix, 3).Value = oUser.HomeDirDrive
oSheet.Cells(4 + ix, 4).Value = oUser.HomeDirectory
oSheet.Cells(4 + ix, 5).Value = oUser.LoginScript
oSheet.Cells(4 + ix, 6).Value = “0x” & Hex(oUser.UserFlags)
oSheet.Cells(4 + ix, 7).Value = oUser.Profile
oSheet.Cells(4 + ix, 8).Value = oUser.Description
oSheet.Cells(4 + ix, 9).Value = sList
End Sub

Sub ShowHelpMessage
Trace 1, “+++ShowHelpMessage”
Wscript.Echo “usage: dumpusers <computer|domain> <xls-file>”
Wscript.Echo
Wscript.Echo “Dumps user account information into the specified Excel spreadsheet file. Specify either a computer name or a domain name. To improve performance, append “”,computer”””
Wscript.Echo “to computer names and “”,domain”” to domains name.”
Wscript.Echo “For example:”
Wscript.Echo
Wscript.Echo ” dumpusers mydomain,domain mydomain.xls”
Wscript.Echo
Wscript.Echo “This will dump users in the domain MYDOMAIN to MYDOMAIN.XLS”
End Sub

Sub Trace(nLevel, sText)
if g_nTraceLevel > nLevel Then Wscript.Echo sText
End Sub
</pre>

Best of luck – i hope this helps.

Discuss This Question: 4  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Shamoh
    Hi SANManJax, Can you tel me here to type this coding.
    40 pointsBadges:
    report
  • Jam
    [...] unchecking the ‘password never expires‘ [...]
    0 pointsBadges:
    report
  • Amardeep1981
    How to execute this script? Please elaborate briefly..
    120 pointsBadges:
    report
  • Jam
    [...] unchecking the â??password never expiresâ?? [...]
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following