Script to find accounts with the password never expires checked

Luke

Does anyone know of a Script that will search AD Users
and Computers for accounts that have the password never
expires checked and accounts that have users cannot
change password checked?
 
Cary Shultz [A.D. MVP]

Luke,

I do not know of a script that will take care of this, but I use ldifde to do
this. Simply look for "userAccountControl: 66048". Here is what you
would do!

At a DC open up a command prompt and enter the following:

c:\>ldifde -f uAC66048.ldf -s servername.yourdomain.com -t 389 -d "DC=yourdomain,DC=com" -p subtree -r "(objectClass=user)" -l "DN,userAccountControl"

This would all be one entry. You do not really need to enter either the -s
servername.yourdomain.com or the -t 389 switches. I like to enter them to
keep things straight. The important part is the -l ( that is the dash "-"
and a lower-case letter L ) as this controls what the output will contain.
The -f uAC66048.ldf is the file that will be created.

Not sure what you would do for the 'user cannot change password'.

HTH,

Cary
 
Cary Shultz [A.D. MVP]

Luke,

A small addendum:

Just realized that I have been leaving off a small part of the ldifde
command. It should be as follows:

c:\>ldifde -f uAC66048.ldf -s servername.yourdomain.com -t 389 -d "DC=yourdomain,DC=com" -p subtree -r "(&(objectClass=user)(objectCategory=person))" -l "DN,userAccountControl"

This will filter only for user accounts. The previous command that I gave
you would have filtered both user accounts and computer accounts.

Anyway, take a look at the following link:
http://www.unav.es/cti/ldap-smb/AD-gluser.html

It includes some of the values that you will need.

For example, a 'normal' user account (userAccountControl: 512) has the
value UF_NORMAL_ACCOUNT.

A user account with the "Password Never Expires" checkbox checked
(userAccountControl: 66048) has two values: UF_NORMAL_ACCOUNT and
UF_DONT_EXPIRE_PASSWORD.

A user account with the "User cannot change password" checkbox checked
(userAccountControl: 512) has two values as well: UF_NORMAL_ACCOUNT and
UF_PASSWORD_CANT_CHANGE.

HTH,

Cary
 
Matjaz Ladava [MVP]

This script does this. Save it as .vbs and run it on your domain.

' Connect to Active Directory through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' Read the domain naming context from rootDSE so the script works in any domain
Set objDSE = GetObject("LDAP://rootDSE")
' 1.2.840.113556.1.4.803 is the LDAP bitwise AND matching rule;
' 65536 is the DONT_EXPIRE_PASSWD bit of userAccountControl
objCommand.CommandText = "<LDAP://" & objDSE.Get("defaultNamingContext") & _
    ">;(&(&(ObjectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536)))" & _
    ";distinguishedname;subtree"
Set objRecordSet = objCommand.Execute
' Print the DN of every matching user account
While Not objRecordSet.EOF
    WScript.Echo objRecordSet.Fields("distinguishedname")
    objRecordSet.MoveNext
Wend
objConnection.Close

--
Regards
Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
(e-mail address removed), (e-mail address removed)

"Luke" <[email protected]> wrote in message
> Does anyone know of a Script that will search AD Users
> and Computers for accounts that have the password never
> expires checked and accounts that have users cannot
> change password checked?
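As an added example that is not part of this thread: a small Python reader for the .ldf file Cary's ldifde command writes, applying the same bitwise test that Matjaz's LDAP filter uses (matching rule 1.2.840.113556.1.4.803 is a bitwise AND) and decoding the userAccountControl bits into flag names. The flag values are Microsoft's ADS_USER_FLAG constants; the sample records, account names and function names are constructed for the example.

```python
import base64
# userAccountControl bit flags (values from Microsoft's ADS_USER_FLAG enumeration)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0040: "PASSWD_CANT_CHANGE",   # AD stores that checkbox as an ACE, not in this attribute
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",  # 65536: the "Password never expires" checkbox
}

def parse_ldif(text):
    """One {attribute: value} dict per blank-line-separated LDIF record."""
    lines = []
    for raw in text.splitlines():          # unfold continuation lines (leading space)
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:              # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" form ldifde uses for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current[key.strip().lower()] = value.strip()
    return records

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def accounts_with_flag(text, bit):
    """(dn, uac, flags) for records whose userAccountControl has `bit` set (bitwise AND, as rule 1.2.840.113556.1.4.803)."""
    hits = []
    for rec in parse_ldif(text):
        uac = int(rec.get("useraccountcontrol", "0"))
        if uac & bit:
            hits.append((rec["dn"], uac, decode_uac(uac)))
    return hits

# Constructed sample in the shape ldifde writes (not a real export); the last dn is folded
SAMPLE_LDF = (
    "dn: CN=Alice Example,OU=Staff,DC=yourdomain,DC=com\nuserAccountControl: 66048\n\n"
    "dn: CN=Bob Example,OU=Staff,DC=yourdomain,DC=com\nuserAccountControl: 512\n\n"
    "dn: CN=svc-backup,OU=Service Accounts,\n DC=yourdomain,DC=com\nuserAccountControl: 66050\n"
)
```

Active Directory records "User cannot change password" as a permission on the account object rather than in userAccountControl, so the PASSWD_CANT_CHANGE bit will not appear in an export like this; that checkbox has to be audited from the object's ACL.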
 
Luke

Thanks for the help, but I'm having a little bit of
trouble with the last line. It keeps erroring out on this
line. I copied what you have and saved it as .vbs, but it
errors out. Any ideas?

Thanks

-----Original Message-----
This script does this. Save it as .vbs and run it on your domain.

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
Set objDSE = GetObject("LDAP://rootDSE")
objCommand.CommandText = "<LDAP://" & objDSE.Get("defaultNamingContext") & _
    ">;(&(&(ObjectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536)))" & _
    ";distinguishedname;subtree"
Set objRecordSet = objCommand.Execute
While Not objRecordSet.EOF
    WScript.Echo objRecordSet.Fields("distinguishedname")
    objRecordSet.MoveNext
Wend
objConnection.Close

--
Regards
Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
(e-mail address removed), (e-mail address removed)

"Luke" wrote in message
> Does anyone know of a Script that will search AD Users
> and Computers for accounts that have the password never
> expires checked and accounts that have users cannot
> change password checked?
 
Matjaz Ladava [MVP]

Send me the script you created (vbs) to my email address (zip it first) and
I'll check it out.

--

Regards

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
(e-mail address removed), (e-mail address removed)
 
Paul Bergson [MVP-DS]

You are in the wrong location to find out how to do work that is
destructive.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"juggalo_hacker" <[email protected]> wrote in message:

> 'Matjaz Ladava [MVP]' said (post 1312852):
> > send me the script you created (vbs) to my email address (zip
> > it first) and I'll check it out.
> >
> > --
> > Regards
> > Matjaz Ladava, MCSA, MCSE, MCT, MVP
> > Microsoft MVP Windows Server - Active Directory
> > (e-mail address removed), (e-mail address removed)
>
> hey
> I'm a noob if you must.... I'm like 14 years old and I know a lot, I think,
> about computers, but I want to know how to use scripts and torrents to
> find passwords for me. Or if that's not possible, how do I find out people's
> passwords...... Please, I'm just a kid that wants to learn about this so
> I can become better at "hacking" and "cracking", and I just think that
> it is fun to mess around with computers.
 
