Active Directory user accounts that have gone untouched for a long time may have expired without either the user...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
or administrator knowing about them. Writing a script to find expired accounts -- or expired passwords for accounts -- can be tedious, which is probably why Joe Richards of JoeWare.net came up with FindExpAcc.
FindExpAcc is a command-line tool that queries the local LDAP server for any expired accounts and returns the results in a comma-delimited format. The search can be for conventionally expired accounts or for accounts with expired passwords (it's either-or). It also offers a wealth of command-line options, which I'll outline here:
skipforced: Don't show accounts that have passwords that expired due to administrator intervention.
pwd: Check for password expiry rather than accounts.
dsq: Print only quoted DNs in response.
days n: Look ahead n days to see which accounts will have expired by then. Note that this only looks ahead in fixed 24-hour increments; it doesn't look from the beginning of a given day. Note also that if an account is expiring in a negative number of days, that's how many days it's already been expired!
t n: Timeout value for slow connections (120 seconds by default).
excldn nn:nn:nn: Provide a case-insensitive set of strings for filtering objects from the output.
s scope: Change the scope of the LDAP search. The default is subtree; other values can include base and one.
h hostname: Change the default LDAP server, which is usually determined by Active Directory. If AD is not running, this needs to be specified. The hostname can be a machine name or an IP address.
About the author: Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
More information from SearchWindowsSecurity.com
- Tip: How to crack a password
- Tip: Password policy worst practices
- Tip: Checklist: Set account options to limit systems access