Err I have been meaning to make a tool available like this for some time... Even though I am on hiatus from writing joeware free tools at the moment I decided to do this as it is all based on previously created code and only a couple of hours of work.
I will try to release the tool on the website some time tonight. I put most all of it together last night. It is called FindExpAcc. Again, I just had to grab pieces from various other joeware tools and tweak it.

It will dump out accounts that are expired (really expired) or it can dump out accounts with expired passwords (including accounts admin flagged as needing a password change).

Output will be one of the following

Quoted DN list

(Expired accounts) Following quoted attribs:
DN,cn,displayName,sAMAccountName,accountExpires,mail

(Expired passwords) Following quoted attribs:
DN,cn,displayName,sAMAccountName,pwdLastSet,pwdAge,mail

It will allow you to specify how many days to go out. So like you can say, -days 10 and it will show all accounts that will be expired that day if nothing changes. Note that is a rough attempt since it doesn't calculate hours to midnight and adjusts the hours and searches that way, it simply takes # of days * 24 hours and converts that to hundred nanosecond intervals and builds the int8 value for the search.

Overall this will be like unlock and be probably the fastest method out there for pulling these accounts.

Note that I added a couple of filters so that it won't return Exchange System Mailbox accounts nor the kerberos TGT account. Many of the standard query options I have in the other tools (such as add to filter, bitwise, search base, search scope, etc) are available as well to custom tweak the resultant filter. Note that those changes can impact speed of the query.

I added the mail attribute specifically if someone wants to script notifications to people with passwords that will expire. It isn't completely straightforward but all info needed should be in the query info returned for someone to implement in the script. I expect we will see several magazine and eZine articles pop out about this one and how to script around it like some of the other tools have enjoyed.

joe

EXAMPLES
========

F:\Dev\CPP\FindExpAcc>findexpacc

FindExpAcc V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

Search completed...

Records Returned: 0

Command completed successfully

F:\Dev\CPP\FindExpAcc>findexpacc -h 2k3dc01 -days 3

FindExpAcc V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

Search completed...

DN,cn,displayName,sAMAccountName,accountExpires,mail
"cn=expuser,ou=testusersou,ou=testou,dc=joe,dc=com","expuser","expuser","expuser","2005/01/09-00:00:00",""

Records Returned: 1

Command completed successfully

F:\Dev\CPP\FindExpAcc>findexpacc -pwd

FindExpAcc V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

Search completed...

DN,cn,displayName,sAMAccountName,pwdLastSet,pwdAge,mail
"cn=postmaster,ou=mailusers,ou=joeware2,ou=exchange,dc=joe,dc=com","postmaster","postmaster","postmaster","2004/06/12-20:23:02","0207","[EMAIL PROTECTED] re2.net"
"cn=joetest,cn=users,dc=joe,dc=com","joetest","","joetest","2004/09/22-12:41:12","0106",""
"cn=normaluser,cn=users,dc=joe,dc=com","normaluser","NormalUser","normaluser","2004/03/28-19:26:00","0283",""
<SNIP>
"cn=expuser,ou=testusersou,ou=testou,dc=joe,dc=com","expuser","expuser","expuser","0000/00/00-00:00:00","-0001",""

Records Returned: 38

Command completed successfully

F:\Dev\CPP\FindExpAcc>findexpacc -pwd -dsq
"cn=postmaster,ou=mailusers,ou=joeware2,ou=exchange,dc=joe,dc=com"
"cn=joetest,cn=users,dc=joe,dc=com"
"cn=normaluser,cn=users,dc=joe,dc=com"
<SNIP>
"cn=expuser,ou=testusersou,ou=testou,dc=joe,dc=com"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, January 05, 2005 5:09 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] expiring accounts

when a user quits or leaves, i began expiring the account rather than disabling it because exchange rus keeps querying disabled accounts for exchangeguid attribute and i think that puts a load on exchange and fills up the event log.

my question is, when you expire an account, there is no nice reflection of that in the aduc gui. it just looks like a normal account.

does anyone know how i can query all the accounts in my domain to see which have expired?

thanks

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
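
The -days arithmetic described in the post (number of days * 24 hours, converted to hundred-nanosecond intervals and used as the int8 search value), worked through as an added Python example. This is not FindExpAcc's code: the LDAP filters, the function names and the max_pwd_age_days parameter are assumptions, and the sample date is constructed.

```python
from datetime import datetime, timezone

# accountExpires and pwdLastSet are int8 values: 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 24 * 60 * 60 * 10_000_000   # 100-ns intervals in 24 hours

# Filter fragments (assumed here; the post does not show the tool's real filter).
PERSON = "(objectCategory=person)(objectClass=user)"
NOT_KRBTGT = "(!(sAMAccountName=krbtgt))"   # skip the Kerberos TGT account
# userAccountControl bit 0x10000 (65536) = password never expires, matched bitwise.
PWD_NEVER_EXPIRES = "(userAccountControl:1.2.840.113556.1.4.803:=65536)"


def to_filetime(dt):
    """Convert a timezone-aware datetime to 100-ns intervals since 1601-01-01 UTC."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def expired_account_filter(now, days=0):
    """Accounts expired now, or that will be expired `days` * 24 hours from now."""
    cutoff = to_filetime(now) + days * TICKS_PER_DAY
    # LDAP filters only have <= and >=. accountExpires>=1 drops 0 ("never");
    # the other "never" value, 0x7FFFFFFFFFFFFFFF, is above any real cutoff.
    return f"(&{PERSON}(accountExpires>=1)(accountExpires<={cutoff}){NOT_KRBTGT})"


def expired_password_filter(now, max_pwd_age_days, days=0):
    """Passwords older than the maximum age, `days` * 24 hours from now."""
    cutoff = to_filetime(now) - (max_pwd_age_days - days) * TICKS_PER_DAY
    # pwdLastSet=0 (admin flagged "must change password") also satisfies <= cutoff.
    return f"(&{PERSON}(pwdLastSet<={cutoff})(!{PWD_NEVER_EXPIRES}){NOT_KRBTGT})"


if __name__ == "__main__":
    now = datetime(2005, 1, 6, tzinfo=timezone.utc)   # constructed sample date
    print(expired_account_filter(now, days=3))
    print(expired_password_filter(now, max_pwd_age_days=42))
```

Like the -days option described in the post, this adds whole 24-hour blocks to the current time and does not round to midnight.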
