How to get a listing of expired Active Directory user accounts ?

#1 | 17-05-2007 | Tom_Small

Hi,

I need to get a list of user accounts that have expiry dates set and have
expired.

I have tried customising this vb script, obtained from the MS Technet site,
no error generated but also no output:

___________________________________________________________________

On Error Resume Next

Set objUser = GetObject _
("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")

dtmAccountExpiration = objUser.AccountExpirationDate

If Err.Number = -2147467259 Or dtmAccountExpiration = "1/1/1970" Then
    WScript.Echo "No account expiration date specified"
Else
    WScript.Echo "Account expiration date: " & objUser.AccountExpirationDate
End If
___________________________________________________________________


Does anyone have a script that works?
Does anyone know if there is an LDAP string that can be put into an ADUC
Query to list expired user accounts?

Our A/D servers are running Win2000 SP4
We are using ADUC version 5.2.3790.0

Any help/advice much appreciated.

Tom Small
Middlesex University
London UK.

#2 | 17-05-2007 | neothwin

Hi,

dsquery * "ou=Management,dc=NA,dc=fabrikam,dc=com" -filter "(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807))" -attr sAMAccountname displayName

Please try the above command, which checks accountExpires in LDAP.
Please note the word wrapping.
If the output is the one you want, you can send the output to a file.
-----
accountExpires

The date when the account expires. This value represents the number of 100
nanosecond intervals since January 1, 1601 (UTC). A value of 0 or
0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never
expires.
-----
regards,
neothwin


#3 | 17-05-2007 | Tom_Small

Hi Neothwin,

Thanks for your help. I ran the dsquery, just substituting my own OU and DC,
and a full list of accounts that contain an expiry date was produced. After
further searching and experimentation, I found that it is possible to
actually only list accounts that have expired on or before a certain date.
128120832000000000 equates to 31-December-2006.
I added the string "(accountExpires<=128120832000000000)" into the query,
and all accounts that expired on or before 31-December-2006 were listed. I
also added "distinguishedName -limit 1000" which allows 1000 items to be
listed and also lists the container name, which I am sure others may find
useful. Therefore the dsquery I ended up using was:

dsquery * "ou=Management,dc=NA,dc=fabrikam,dc=com" -filter "(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807)(accountExpires<=128120832000000000))" -attr sAMAccountname displayName distinguishedName -limit 1000


The same principles worked in an ADUC Advanced LDAP query. The string I used
was:

(&(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807)(accountExpires<=128120832000000000)))

An advantage of using ADUC is that you can choose which columns to view on
an ad hoc basis.

Once again, a sincere "Thank You"

Tom Small
Middlesex University
London UK.



#4 | 17-05-2007 | Richard Mueller [MVP]

As noted, a query for all users with accounts that expire would be:

"(&(objectCategory=person)(objectClass=user)" _
& "(!accountExpires=9223372036854775807)(!accountExpires=0))"

The accountExpires attribute is Integer8, a 64-bit number representing the
number of 100-nanosecond intervals since 12:00 AM Jan. 1, 1601. Code is
required to convert the value to a readable date. A query for all users
whose accounts have expired before May 17, 2007 (in my time zone) would be:

"(&(objectCategory=person)(objectClass=user)" _
& "(accountExpires<=128238516000000000)(!accountExpires=0))"

For details and odd facts about accountExpires and the AccountExpirationDate
property method, see this link:

http://www.rlmueller.net/AccountExpires.htm

For a VBScript program to convert a date/time value to the corresponding
Integer8 (64-bit) value (adjusted for your time zone), see this link:

http://www.rlmueller.net/Programs/DateToInteger8.txt


--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--



#5 | 17-05-2007 | Richard Mueller [MVP]

An example VBScript program to output all users with an expiration date is
below. The program outputs the user Distinguished Name and when the account
expires. This can be modified to output for all users, or only for users
whose accounts have already expired. You could also substitute
sAMAccountName for distinguishedName if desired. The output can be
redirected to a text file. The program should be run at a command prompt
with the cscript host.
======================
Option Explicit

Dim adoConnection, adoCommand
Dim objRootDSE, strDNSDomain, strFilter, strQuery, adoRecordset
Dim strDN, objShell, lngBiasKey, lngBias
Dim lngDate, objDate, dtmAcctExp, k

' Obtain local time zone bias from machine registry.
Set objShell = CreateObject("Wscript.Shell")
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    & "TimeZoneInformation\ActiveTimeBias")
If (UCase(TypeName(lngBiasKey)) = "LONG") Then
    lngBias = lngBiasKey
ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
    lngBias = 0
    For k = 0 To UBound(lngBiasKey)
        lngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
End If

' Use ADO to search the domain.
Set adoConnection = CreateObject("ADODB.Connection")
Set adoCommand = CreateObject("ADODB.Command")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Determine the DNS domain from the RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Filter to retrieve all user objects with accounts
' that expire.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(!accountExpires=0)(!accountExpires=9223372036854775807))"

strQuery = "<LDAP://" & strDNSDomain & ">;" & strFilter _
    & ";distinguishedName,accountExpires;subtree"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset.
Do Until adoRecordset.EOF
    ' Retrieve attribute values.
    strDN = adoRecordset.Fields("distinguishedName").Value
    lngDate = adoRecordset.Fields("accountExpires")
    ' Convert accountExpires to date in current time zone.
    Set objDate = lngDate
    dtmAcctExp = Integer8Date(objDate, lngBias)
    ' Output to console.
    Wscript.Echo strDN & ";" & dtmAcctExp
    adoRecordset.MoveNext
Loop
adoRecordset.Close

' Clean up.
adoConnection.Close

Function Integer8Date(ByVal objDate, ByVal lngBias)
    ' Function to convert Integer8 (64-bit) value to a date, adjusted for
    ' local time zone bias.
    Dim lngAdjust, lngDate, lngHigh, lngLow
    lngAdjust = lngBias
    lngHigh = objDate.HighPart
    lngLow = objDate.LowPart
    ' Account for bug in IADslargeInteger property methods.
    If (lngLow < 0) Then
        lngHigh = lngHigh + 1
    End If
    If (lngHigh = 0) And (lngLow = 0) Then
        lngAdjust = 0
    End If
    lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
        + lngLow) / 600000000 - lngAdjust) / 1440
    Integer8Date = CDate(lngDate)
End Function

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
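
The Integer8 conversions discussed in posts #4 and #5, in both directions, as an added Python example that is not part of the original thread or Richard Mueller's code. The function names and the sample rows are constructed for illustration; the two 2007 values are the ones quoted in the thread, and the filter is written in the form RFC 4515 defines rather than the shorthand used above.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}  # both sentinels mean "never expires"

def to_integer8(when):
    """Timezone-aware datetime -> 100-ns intervals since 1601-01-01 UTC."""
    if when.tzinfo is None:
        raise ValueError("use an aware datetime: the stored value is UTC")
    delta = when - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def from_integer8(value):
    """Integer8 -> UTC datetime, or None for the never-expires sentinels."""
    if value in NEVER_EXPIRES:
        return None  # 0x7FFF... is far past datetime's range; do not convert it
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def expired_filter(cutoff):
    """LDAP filter for accounts that expired on or before `cutoff`.

    Uses the (!(attr=value)) form defined by RFC 4515; the thread's
    commands use the shorthand (!attr=value) instead.
    """
    return ("(&(objectCategory=person)(objectClass=user)"
            "(!(accountExpires=0))(!(accountExpires=9223372036854775807))"
            f"(accountExpires<={to_integer8(cutoff)}))")

def expired_accounts(rows, now):
    """rows: (sAMAccountName, accountExpires) pairs as text, e.g. from dsquery."""
    found = []
    for name, raw in rows:
        when = from_integer8(int(raw))
        if when is not None and when <= now:
            found.append((name, when))
    return found

# Constructed sample rows, not real accounts.
SAMPLE_ROWS = [
    ("kmyer", "128120832000000000"),
    ("svc-backup", "9223372036854775807"),
    ("jdoe", "0"),
    ("temp01", "128238516000000000"),
    ("contractor7", "133000000000000000"),
]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(expired_filter(now))
    for name, when in expired_accounts(SAMPLE_ROWS, now):
        print(name, when.isoformat())
```

Passing an aware datetime makes the time zone adjustment explicit, so the same cutoff produces the same filter value regardless of the machine the script runs on.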

