Tip

Find expired Active Directory accounts and passwords

Active Directory user accounts that have gone untouched for a long time may have expired without either the user or administrator knowing about them. Writing a script to find expired accounts -- or expired passwords for accounts -- can be tedious, which is probably why Joe Richards of JoeWare.net came up with FindExpAcc.

FindExpAcc is a command-line tool that queries the local LDAP server for any expired accounts and returns the results in a comma-delimited format. The search can be for conventionally expired accounts or for accounts with expired passwords (it's either-or). It also offers a wealth of command-line options, which I'll outline here:

skipforced: Don't show accounts that have passwords that expired due to administrator intervention.

pwd: Check for password expiry rather than accounts.

dsq: Print only quoted DNs in response.

days n: Look ahead n days to see which accounts will have expired by then. Note that this only looks ahead in fixed 24-hour increments; it doesn't look from the beginning of a given day. Note also that if an account is expiring in a negative number of days, that's how many days it's already been expired!

t n: Timeout value for slow connections (120 seconds by default).

excldn nn:nn:nn: Provide a case-insensitive set of strings for filtering objects from the output.

s scope: Change the scope of the LDAP search. The default is subtree; other values can include base and one.

h hostname: Change the default LDAP server, which is usually determined by Active Directory. If AD is not running, this needs to be specified. The hostname can be a machine name or an IP address.

About the author: Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

 


More information from SearchWindowsSecurity.com
 

This was first published in July 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.