
Thread: How to get a listing of expired Active Directory user accounts ?

  1. #1
    Tom_Small Guest

    How to get a listing of expired Active Directory user accounts ?

    Hi,

    I need to get a list of user accounts that have expiry dates set and have
    expired.

    I have tried customising this vb script, obtained from the MS Technet site,
    no error generated but also no output:

    ___________________________________________________________________

    On Error Resume Next

    Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")

    dtmAccountExpiration = objUser.AccountExpirationDate

    If Err.Number = -2147467259 Or dtmAccountExpiration = "1/1/1970" Then
    WScript.Echo "No account expiration date specified"
    Else
    WScript.Echo "Account expiration date: " & objUser.AccountExpirationDate
    End If
    ___________________________________________________________________


    Does anyone have a script that works ?
    Does anyone know if there is a LDAP string that can be put into an ADUC
    Query to list expired user accounts ?

    Our A/D servers are running Win2000 SP4
    We are using ADUC version 5.2.3790.0

    Any help/advice much appreciated.

    Tom Small
    Middlesex University
    London UK.

  2. #2
    neothwin Guest

    RE: How to get a listing of expired Active Directory user accounts ?

    Hi,

    dsquery * "ou=Management,dc=NA,dc=fabrikam,dc=com" -filter "(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807))" -attr sAMAccountname displayName

    please try the above command which checks accountExpires in LDAP.
    pls note word wrapping.
    if the output is the one you want, you can set output to a file.
    -----
    accountExpires

    The date when the account expires. This value represents the number of 100
    nanosecond intervals since January 1, 1601 (UTC). A value of 0 or
    0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never
    expires.
    -----
    regards,
    neothwin


  3. #3
    Tom_Small Guest

    RE: How to get a listing of expired Active Directory user accounts

    Hi Neothwin,

    Thanks for your help. I ran the dsquery, just substituting my own OU and DC,
    and a full list of accounts that contain an expiry date was produced. After
    further searching and experimentation, I found that it is possible to
    actually only list accounts that have expired on or before a certain date.
    128120832000000000 equates to 31-December-2006.
    I added the string "(accountExpires<=128120832000000000)" into the query,
    and all accounts that expired on or before 31-December-2006 were listed. I
    also added "distinguishedName -limit 1000" which allows 1000 items to be
    listed and also lists the container name, which I am sure others may find
    useful. Therefore the dsquery I ended up using was:

    dsquery * "ou=Management,dc=NA,dc=fabrikam,dc=com" -filter "(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807)(accountExpires<=128120832000000000))" -attr sAMAccountname displayName distinguishedName -limit 1000


    The same principles worked in an ADUC Advanced LDAP query. The string I used
    was:

    (&(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807)(accountExpires<=128120832000000000)))

    An advantage of using ADUC is that you can choose which columns to view on
    an ad hoc basis.

    Once again, a sincere "Thank You"

    Tom Small
    Middlesex University
    London UK.


  4. #4
    Richard Mueller [MVP] Guest

    Re: How to get a listing of expired Active Directory user accounts ?

    As noted, a query for all users with accounts that expire would be:

    "(&(objectCategory=person)(objectClass=user)" _
    & "(!accountExpires=9223372036854775807)(!accountExpires=0))"



    The accountExpires attribute is Integer8, a 64-bit number representing the
    number of 100-nanosecond intervals since 12:00 AM Jan. 1, 1601. Code is
    required to convert the value to a readable date. A query for all users
    whose accounts have expired before May 17, 2007 (in my time zone) would be:



    "(&(objectCategory=person)(objectClass=user)" _
    & "(accountExpires<=128238516000000000)(!accountExpires=0))"



    For details and odd facts about accountExpires and the AccountExpirationDate
    property method, see this link:



    http://www.rlmueller.net/AccountExpires.htm



    For a VBScript program to convert a date/time value to the corresponding
    Integer8 (64-bit) value (adjusted for your time zone), see this link:



    http://www.rlmueller.net/Programs/DateToInteger8.txt


    --
    Richard Mueller
    Microsoft MVP Scripting and ADSI
    Hilltop Lab - http://www.rlmueller.net
    --
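The Integer8 arithmetic behind the two cutoff values quoted in posts #3 and #4, as an added example that is not part of the original thread and not code from any poster. The function names are hypothetical; the filter text is the one used in the thread, and the cutoff date is constructed.

```python
from datetime import datetime, timedelta, timezone

# Integer8 / FILETIME epoch used by accountExpires: 1601-01-01 00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_VALUES = (0, 0x7FFFFFFFFFFFFFFF)  # both mean "never expires"


def to_integer8(moment):
    """Convert a timezone-aware datetime to 100-ns intervals since 1601 (UTC)."""
    if moment.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime; naive values are ambiguous")
    delta = moment - EPOCH_1601
    # Integer arithmetic only: floats lose precision at this magnitude.
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def from_integer8(value):
    """Convert accountExpires to a UTC datetime, or None for 'never expires'."""
    if value in NEVER_VALUES:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def expired_filter(cutoff):
    """LDAP filter for user accounts whose expiry is set and <= cutoff."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(!accountExpires=0)(!accountExpires=9223372036854775807)"
            "(accountExpires<=%d))" % to_integer8(cutoff))


def classify(value, now):
    """Label a raw accountExpires value as 'never', 'expired' or 'active'."""
    expires = from_integer8(value)
    if expires is None:
        return "never"
    return "expired" if expires <= now else "active"


if __name__ == "__main__":
    # The two cutoff values quoted in the thread, decoded to UTC.
    for raw in (128120832000000000, 128238516000000000):
        print(raw, from_integer8(raw).isoformat())
    # Constructed cutoff: midnight UTC at the end of 31 December 2006.
    print(expired_filter(datetime(2007, 1, 1, tzinfo=timezone.utc)))
```

The resulting filter string can be pasted into dsquery's -filter argument or an ADUC custom query, as the thread does with hand-computed values.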




  5. #5
    Richard Mueller [MVP] Guest

    Re: How to get a listing of expired Active Directory user accounts ?

    An example VBScript program to output all users with an expiration date is
    below. The program outputs the user Distinguished Name and when the account
    expires. This can be modified to output for all users, or only for users
    whose accounts have already expired. You could also substitute
    sAMAccountName for distinguishedName if desired. The output can be
    redirected to a text file. The program should be run at a command prompt
    with the cscript host.
    ======================
    Option Explicit

    Dim adoConnection, adoCommand
    Dim objRootDSE, strDNSDomain, strFilter, strQuery, adoRecordset
    Dim strDN, objShell, lngBiasKey, lngBias
    Dim lngDate, objDate, dtmAcctExp, k

    ' Obtain local time zone bias from machine registry.
    Set objShell = CreateObject("Wscript.Shell")
    lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
        & "TimeZoneInformation\ActiveTimeBias")
    If (UCase(TypeName(lngBiasKey)) = "LONG") Then
        lngBias = lngBiasKey
    ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
        lngBias = 0
        For k = 0 To UBound(lngBiasKey)
            lngBias = lngBias + (lngBiasKey(k) * 256^k)
        Next
    End If

    ' Use ADO to search the domain.
    Set adoConnection = CreateObject("ADODB.Connection")
    Set adoCommand = CreateObject("ADODB.Command")
    adoConnection.Provider = "ADsDSOOBject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection

    ' Determine the DNS domain from the RootDSE object.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("DefaultNamingContext")

    ' Filter to retrieve all user objects with accounts
    ' that expire.
    strFilter = "(&(objectCategory=person)(objectClass=user)" _
        & "(!accountExpires=0)(!accountExpires=9223372036854775807))"

    strQuery = "<LDAP://" & strDNSDomain & ">;" & strFilter _
        & ";distinguishedName,accountExpires;subtree"

    ' Run the query.
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False
    Set adoRecordset = adoCommand.Execute

    ' Enumerate the recordset.
    Do Until adoRecordset.EOF
        ' Retrieve attribute values.
        strDN = adoRecordset.Fields("distinguishedName").Value
        lngDate = adoRecordset.Fields("accountExpires")
        ' Convert accountExpires to date in current time zone.
        Set objDate = lngDate
        dtmAcctExp = Integer8Date(objDate, lngBias)
        ' Output to console.
        Wscript.Echo strDN & ";" & dtmAcctExp
        adoRecordset.MoveNext
    Loop
    adoRecordset.Close

    ' Clean up.
    adoConnection.Close

    Function Integer8Date(ByVal objDate, ByVal lngBias)
        ' Function to convert Integer8 (64-bit) value to a date, adjusted for
        ' local time zone bias.
        Dim lngAdjust, lngDate, lngHigh, lngLow
        lngAdjust = lngBias
        lngHigh = objDate.HighPart
        lngLow = objDate.LowPart
        ' Account for bug in IADslargeInteger property methods.
        If (lngLow < 0) Then
            lngHigh = lngHigh + 1
        End If
        If (lngHigh = 0) And (lngLow = 0) Then
            lngAdjust = 0
        End If
        lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
            + lngLow) / 600000000 - lngAdjust) / 1440
        Integer8Date = CDate(lngDate)
    End Function

    --
    Richard Mueller
    Microsoft MVP Scripting and ADSI
    Hilltop Lab - http://www.rlmueller.net
    --


