Active Directory user accounts that have gone untouched for a long time may have expired without either the user or administrator knowing about them. Writing a script to find expired accounts -- or expired passwords for accounts -- can be tedious, which is probably why Joe Richards of JoeWare.net came up with FindExpAcc.
FindExpAcc is a command-line tool that queries the local LDAP server for any expired accounts and returns the results in a comma-delimited format. The search can be for conventionally expired accounts or for accounts with expired passwords (it's either-or). It also offers a wealth of command-line options, which I'll outline here:
- skipforced: Don't show accounts that have passwords that expired due to administrator intervention.
- pwd: Check for password expiry rather than accounts.
- dsq: Print only quoted DNs in response.
- days n: Look ahead n days to see which accounts will have expired by then. Note that this only looks ahead in fixed 24-hour increments; it doesn't look from the beginning of a given day. Note also that if an account is expiring in a negative number of days, that's how many days it's already been expired!
- t n: Timeout value for slow connections (120 seconds by default).
- excldn nn:nn:nn: Provide a case-insensitive set of strings for filtering objects from the output.
- s scope: Change the scope of the LDAP search. The default is subtree; other values can include base and one.
- h hostname: Change the default LDAP server, which is usually determined by Active Directory. If AD is not running, this needs to be specified. The hostname can be a machine name or an IP address.
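The selection logic FindExpAcc applies (account versus password expiry, the fixed 24-hour look-ahead, negative days for entries already expired, skipforced, and the case-insensitive excldn filter), as an added Python example that is not JoeWare's code. It runs over constructed sample records rather than a live LDAP query, and assumes the standard AD attributes accountExpires and pwdLastSet (FILETIME ticks) with an assumed 90-day maximum password age.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD FILETIME: 100-ns ticks since 1601
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # either accountExpires value means "never expires"
def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
def to_filetime(dt):  # only used to build the constructed sample records below
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def expiry_time(user, pwd, max_pwd_age_days):
    """When the account (or, with pwd=True, its password) expires; None means never."""
    if pwd:
        # pwdLastSet 0 = "must change at next logon" (admin-forced, what skipforced filters);
        # its age is counted from 1601, so such a password is already expired.
        return filetime_to_datetime(user["pwdLastSet"]) + timedelta(days=max_pwd_age_days)
    if user["accountExpires"] in NEVER_EXPIRES:
        return None
    return filetime_to_datetime(user["accountExpires"])

def find_expired(users, now, pwd=False, days=0, skipforced=False, excldn=(), max_pwd_age_days=90):
    """Rows (dn, days_until_expiry, expires_utc) for entries that expire by now + days.
    Days are whole 24-hour steps from now, not from midnight; negative means already expired."""
    horizon = now + timedelta(days=days)
    excl = [s.lower() for s in excldn]
    rows = []
    for u in users:
        if any(s in u["dn"].lower() for s in excl):  # excldn: case-insensitive DN filter
            continue
        if pwd and skipforced and u["pwdLastSet"] == 0:
            continue
        when = expiry_time(u, pwd, max_pwd_age_days)
        if when is not None and when <= horizon:
            rows.append((u["dn"], (when - now) // timedelta(days=1), when.isoformat()))
    return rows

def to_csv(rows):
    """Comma-delimited output like FindExpAcc's; the header row is this example's own."""
    buf = io.StringIO()
    csv.writer(buf).writerows([("dn", "days_until_expiry", "expires_utc"), *rows])
    return buf.getvalue()

# Constructed sample directory with a fixed "now" so the results are reproducible.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
def _user(cn, ou, expires_in_days, pwd_set_days_ago):  # None = never expires / change forced
    exp = 0x7FFFFFFFFFFFFFFF if expires_in_days is None else to_filetime(NOW + timedelta(days=expires_in_days))
    pls = 0 if pwd_set_days_ago is None else to_filetime(NOW - timedelta(days=pwd_set_days_ago))
    return {"dn": f"CN={cn},OU={ou},DC=example,DC=com", "accountExpires": exp, "pwdLastSet": pls}
USERS = [_user("alice", "Staff", -3, 10), _user("bob", "Staff", 2, 100),
         _user("carol", "Staff", None, None), _user("svc-backup", "Service Accounts", -30, 1)]
```

With days=2, bob's account (expiring exactly two days out) is reported alongside the already-expired entries, which is the "will have expired by then" behaviour described above.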
About the author: Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!