
Find expired Active Directory accounts and passwords

Composing scripts for finding expired Active Directory accounts can be a time-consuming process. These tools can help ease the pain of account and password recovery.

Active Directory user accounts that have gone untouched for a long time may have expired without either the user or administrator knowing about them. Writing a script to find expired accounts -- or expired passwords for accounts -- can be tedious, which is probably why Joe Richards of came up with FindExpAcc.

FindExpAcc is a command-line tool that queries the local LDAP server for any expired accounts and returns the results in a comma-delimited format. The search can be for conventionally expired accounts or for accounts with expired passwords (it's either-or). It also offers a wealth of command-line options, which I'll outline here:

skipforced: Don't show accounts that have passwords that expired due to administrator intervention.

pwd: Check for password expiry rather than accounts.

dsq: Print only quoted DNs in response.

days n: Look ahead n days to see which accounts will have expired by then. Note that this only looks ahead in fixed 24-hour increments; it doesn't look from the beginning of a given day. Note also that if an account is expiring in a negative number of days, that's how many days it's already been expired!

t n: Timeout value for slow connections (120 seconds by default).

excldn nn:nn:nn: Provide a case-insensitive set of strings for filtering objects from the output.

s scope: Change the scope of the LDAP search. The default is subtree; other values can include base and one.

h hostname: Change the default LDAP server, which is usually determined by Active Directory. If AD is not running, this needs to be specified. The hostname can be a machine name or an IP address.
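The look-ahead and exclusion behaviour described above, as an added example that is not FindExpAcc's own code. It assumes the values were already read from Active Directory's accountExpires attribute (100-nanosecond ticks since 1601-01-01 UTC, with 0 and 0x7FFFFFFFFFFFFFFF meaning "never expires"); the function names and sample DNs are constructed for illustration.

```python
import csv, io
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)   # both mean "never expires" in accountExpires

def to_filetime(dt):
    """Datetime -> 100-ns ticks since 1601-01-01 UTC (accountExpires format)."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def expiring(entries, now, days=0, excl=""):
    """Return [(dn, days_left)] for accounts expired by now + days*24h.
    excl is a colon-separated, case-insensitive exclusion list (hypothetical
    stand-in for the excldn option). Negative days_left = already expired."""
    cutoff = now + timedelta(hours=24 * days)      # fixed 24-hour steps
    skip = [s for s in excl.lower().split(":") if s]
    hits = []
    for dn, ft in entries:
        if ft in NEVER or any(s in dn.lower() for s in skip):
            continue
        expires = filetime_to_dt(ft)
        if expires <= cutoff:
            hits.append((dn, (expires - now) // timedelta(days=1)))
    return hits

def to_csv(hits):
    """Comma-delimited output with quoted DNs."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_NONNUMERIC).writerows(hits)
    return buf.getvalue()

# Constructed sample data: (distinguishedName, accountExpires)
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("CN=Alice,OU=Staff,DC=example,DC=com", to_filetime(NOW - timedelta(days=3))),
    ("CN=Erin,OU=Staff,DC=example,DC=com", to_filetime(NOW + timedelta(hours=30))),
    ("CN=svc-backup,OU=Service,DC=example,DC=com", to_filetime(NOW - timedelta(days=40))),
    ("CN=Carol,OU=Staff,DC=example,DC=com", 0),
    ("CN=Dave,OU=Staff,DC=example,DC=com", 0x7FFFFFFFFFFFFFFF),
]

if __name__ == "__main__":
    print(to_csv(expiring(SAMPLE, NOW, days=2, excl="ou=service")), end="")
```

Erin's account expires 30 hours after the constructed "now", so a one-day look-ahead misses it even though it lapses the next calendar day; a two-day look-ahead reports it with one whole day remaining.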

About the author: Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

