How can I request users with an expired password in Active Directory?

I need to query Active Directory for a list of users whose password expires. An obvious (and easy) way to do this:

dsquery user -stalepwd n 

The problem is that I need to add additional filters to search for users who are in certain security groups. This is difficult to do with the dsquery user syntax, which has the -stalepwd option built in, so I used the "dsquery * -filter" parameter, which allows us to use the LDAP query syntax. Unfortunately, although it is relatively easy to apply other filters with an LDAP query, I have problems filtering users who have a password age greater than n.

Does anyone know the syntax (or if it is at all possible) for filtering old passwords using the dsquery * -filter method instead of the dsquery user -stalepwd method?

+4
2 answers

You can write an LDAP query that compares "expired" passwords by comparing the pwdLastSet attribute on a user object:

 (&(objectClass=person)(objectClass=User)(pwdLastSet<=n)) 

Active Directory uses a very specific format for this timestamp. I believe this is a file-time, but I would double check on the Internet.

+3

There are more efficient tools than dsquery.

FindExpAcc from the application will do the same as -stalepwd and enables filtering through its -f option.

The filter will look like this:

 (&(objectCategory=user)(memberOf=CN=User Group,OU=Test,DC=foo,DC=com)) 

Also check out the adfind and admod tools from joeware, which are more powerful than the command line query tools from Microsoft, but can be a little more difficult to learn.

+1
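Combining the two answers above (the pwdLastSet comparison from the first and the memberOf clause from the second), here is an added example, not from either answerer, that computes the FILETIME threshold for "password older than n days" and builds a dsquery * -filter string for members of one group. The group DN, the 90-day age and the fixed clock value are constructed assumptions; accounts with pwdLastSet=0 ("must change password at next logon") are excluded so they are not reported as ancient.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100 ns ticks.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(when: datetime) -> int:
    """Convert a timezone-aware datetime to the 64-bit integer AD stores
    in pwdLastSet (100-nanosecond intervals since 1601-01-01 UTC)."""
    delta = when - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def ldap_escape(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside LDAP filter values.
    Backslash must be handled first so later escapes are not double-escaped."""
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def stale_password_filter(max_age_days: int, group_dn: str, now: datetime) -> str:
    """Return an LDAP filter matching users in group_dn whose password was
    last set more than max_age_days before `now`.  `now` is passed in
    explicitly so the result is reproducible and testable."""
    threshold = to_filetime(now - timedelta(days=max_age_days))
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf={ldap_escape(group_dn)})"
            "(pwdLastSet>=1)"            # skip "must change at next logon" (value 0)
            f"(pwdLastSet<={threshold}))")


if __name__ == "__main__":
    # Constructed sample values; a fixed clock keeps the output stable.
    clock = datetime(2024, 1, 1, tzinfo=timezone.utc)
    group = "CN=User Group,OU=Test,DC=foo,DC=com"   # assumed group DN
    flt = stale_password_filter(90, group, clock)
    print(f'dsquery * -filter "{flt}" -attr sAMAccountName pwdLastSet')
```

The printed command is what you would paste into a Windows command prompt; pwdLastSet comes back as the raw FILETIME integer, which to_filetime lets you compare against.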