Viewing Expired Active Directory Accounts

  • Viewing Expired Active Directory Accounts

    Does anyone know a way to script a way to view accounts that have expired in Active Directory? Not disabled accounts, but expired accounts. I always thought that when you set an account for expiration, that it would expire it, but I guess it doesn't.

    I wrote a simple script to view disabled accounts, but for some reason it does not show expired AD accounts.

    dsquery user -disabled >view.txt
    start view.txt
    exit


    If anyone knows how to perform this in the GUI, that will be an acceptable answer as well.
    MCITP:SA, MCSA 2003, MCP, CCNA, A+, Net+, Security+

  • #2
    Re: Viewing Expired Active Directory Accounts

    The LDAP filter is:
    (&(objectCategory=person)(objectClass=user)(!accountExpires=9223372036854775807)(!accountExpires=0))
    (http://www.rlmueller.net/AccountExpires.htm)

    Use a tool that can run LDAP queries, like:

    In ADU&C
    right click "Saved Queries" -> New Query
    Name: Expired userAccounts
    Query Root: <domain> or <specific OU name> ?
    [Yes] Include subcontainers

    click "Define Query..."
    Find: Custom Search
    Tab 'Advanced'
    paste this LDAP query:
    Code:
    (&(objectCategory=person)(objectClass=user)(!accountExpires=9223372036854775807)(!accountExpires=0))
    OK
    OK

    Or a command line tool like DSQUERY :
    Code:
     
    dsquery * -limit 0 -Filter "(&(objectCategory=person)(objectClass=user)(!accountExpires=9223372036854775807)(!accountExpires=0))" >"c:\ExpiredUsers.txt"
    Or ADFind

    Or, you can write a VBScript: http://forums.petri.com/showthread.php?t=18676


    \Rems

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts
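
Added example, not part of the original post: the filter above selects every account that has an expiration date set, including dates still in the future. This PowerShell example (the function names and sample accounts are assumptions made for illustration) builds a filter that compares accountExpires against the current time and classifies raw attribute values the same way.

```powershell
# Added example; the sample accounts below are constructed, not from a real directory.
# accountExpires is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
$NeverValues = @(0L, [Int64]::MaxValue)   # 0 and 9223372036854775807 = never expires

function Get-ExpiredAccountFilter {
    param([DateTime]$AsOf = [DateTime]::UtcNow)
    $cutoff = $AsOf.ToFileTimeUtc()
    # 0 is smaller than any cutoff, so it must still be excluded explicitly;
    # 9223372036854775807 is larger than any cutoff and drops out on its own.
    "(&(objectCategory=person)(objectClass=user)(accountExpires<=$cutoff)(!(accountExpires=0)))"
}

function Get-ExpiryStatus {
    param([Int64]$AccountExpires, [DateTime]$AsOf = [DateTime]::UtcNow)
    if ($NeverValues -contains $AccountExpires) { return 'Never' }
    if ($AccountExpires -le $AsOf.ToFileTimeUtc()) { 'Expired' } else { 'ExpiresLater' }
}

# Constructed sample data, evaluated against a fixed reference time.
$asOf = [DateTime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$samples = [ordered]@{
    'alice (no expiry, 0)'        = 0L
    'bob (no expiry, max value)'  = [Int64]::MaxValue
    'carol (expired 30 days ago)' = $asOf.AddDays(-30).ToFileTimeUtc()
    'dave (expires in 30 days)'   = $asOf.AddDays(30).ToFileTimeUtc()
}
foreach ($name in $samples.Keys) {
    '{0,-30} {1}' -f $name, (Get-ExpiryStatus -AccountExpires $samples[$name] -AsOf $asOf)
}

# The filter can be passed to the same dsquery command line shown in the post:
$filter = Get-ExpiredAccountFilter
"dsquery * -limit 0 -Filter `"$filter`""
```

Accounts that are expired but still enabled are worth reviewing alongside the disabled list, since expiry and the disabled flag are tracked separately.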


    • #3
      Re: Viewing Expired Active Directory Accounts

      Beautiful! I wrote a script using dsquery and it worked like a champ.

      Thanks for your help.
      MCITP:SA, MCSA 2003, MCP, CCNA, A+, Net+, Security+
