Find expired Active Directory accounts and passwords

Active Directory user accounts that have gone untouched for a long time may have expired without either the user or administrator knowing about them. Writing a script to find expired accounts -- or expired passwords for accounts -- can be tedious, which is probably why Joe Richards of JoeWare.net came up with FindExpAcc.

FindExpAcc is a command-line tool that queries the local LDAP server for any expired accounts and returns the results in a comma-delimited format. The search can be for conventionally expired accounts or for accounts with expired passwords (it's either-or). It also offers a wealth of command-line options, which I'll outline here:

skipforced: Don't show accounts that have passwords that expired due to administrator intervention.

pwd: Check for password expiry rather than accounts.

dsq: Print only quoted DNs in response.

days n: Look ahead n days to see which accounts will have expired by then. Note that this only looks ahead in fixed 24-hour increments; it doesn't look from the beginning of a given day. Note also that if an account is expiring in a negative number of days, that's how many days it's already been expired!

...

To read more you must become a member of SearchEnterpriseDesktop.com

As an existing member of the TechTarget network please activate your SearchEnterpriseDesktop.com account 

By joining SearchEnterpriseDesktop.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Endpoint security management tools MDOP for Windows 7 available now Microsoft's Online Desktop Manager caters to small IT shops Monitoring user activity with network analyzers Using third-party technologies with Microsoft's NAP Understanding Microsoft's NAP's internal and external components Microsoft's NAP can ensure security compliance Top 5 registry keys for Windows XP Microsoft releases WSUS 3 SP2 with Win 7, R2 support Using System Center Essentials as a patch management tool Troubleshooting Microsoft WSUS connectivity issues

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary system tray  (SearchEnterpriseDesktop.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

t n: Timeout value for slow connections (120 seconds by default).

excldn nn:nn:nn: Provide a case-insensitive set of strings for filtering objects from the output.

s scope: Change the scope of the LDAP search. The default is subtree; other values can include base and one.

h hostname: Change the default LDAP server, which is usually determined by Active Directory. If AD is not running, this needs to be specified. The hostname can be a machine name or an IP address.

About the author: Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

More information from SearchWindowsSecurity.com