Find expired Active Directory accounts and passwords

Composing scripts for finding expired Active Directory accounts can be a time-consuming process. These tools can help ease the pain of account and password recovery.

Active Directory user accounts that have gone untouched for a long time may have expired without either the user or administrator knowing about them. Writing a script to find expired accounts -- or expired passwords for accounts -- can be tedious, which is probably why Joe Richards of JoeWare.net came up with FindExpAcc.

FindExpAcc is a command-line tool that queries the local LDAP server for any expired accounts and returns the results in a comma-delimited format. The search can be for conventionally expired accounts or for accounts with expired passwords (it's either-or). It also offers a wealth of command-line options, which I'll outline here:

skipforced: Don't show accounts that have passwords that expired due to administrator intervention.

pwd: Check for password expiry rather than accounts.

dsq: Print only quoted DNs in response.

days n: Look ahead n days to see which accounts will have expired by then. Note that this only looks ahead in fixed 24-hour increments; it doesn't look from the beginning of a given day. Note also that if an account is expiring in a negative number of days, that's how many days it's already been expired!

t n: Timeout value for slow connections (120 seconds by default).

excldn nn:nn:nn: Provide a case-insensitive set of strings for filtering objects from the output.

s scope: Change the scope of the LDAP search. The default is subtree; other values can include base and one.

h hostname: Change the default LDAP server, which is usually determined by Active Directory. If AD is not running, this needs to be specified. The hostname can be a machine name or an IP address.

About the author: Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

 


More information from SearchWindowsSecurity.com
 

This was first published in July 2005

Dig deeper on Endpoint security management tools

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close