Script to list password expiration of AD Global Security Group Members

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Script to list password expiration of AD Global Security Group Members

    Hi all, I'm fairly new to scripting and need a few pointers on developing a script that generates a simple text file (comma-separated would be great) that includes:

    - username
    - first name
    - last name
    - email
    - last password set date
    - password expiration date
    - time left for password to expire (based on a 90 day expiration date domain policy)

    All the scripts I've found do this for the entire domain or for an OU; I need it for just one group.

    Any help you can provide will be highly appreciated.

  • #2
    Re: Script to list password expiration of AD Global Security Group Members

    First off, list the members of the group with `dsget group groupDN -members`.

    Next step would be getting user data with dsget user.

    -vP



    • #3
      Re: Script to list password expiration of AD Global Security Group Members

      hey

      I wrote this very quickly (need to catch a train). The password-expiry part of the script is copied from here:
      http://msdn.microsoft.com/en-us/library/ms974598.aspx

      Change line 1 to the log file path and line 2 to the group name; nothing else needs editing.

      good luck.

      Code:
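      strLog = "c:\log.txt"
      strGroup = "support"
      ' Lines 1-2 are the only ones to edit: the output file path and the group's
      ' name (CN). For each direct member of that group, FindAttr writes the
      ' name/mail attributes and passwordattr writes password-age details to the log.

      ' The ADSI moniker must be upper-case "LDAP://"; "ldap://" is not resolved.
      Set objRootDSE = GetObject("LDAP://RootDSE")
      sDomain = "LDAP://" & objRootDSE.Get("defaultNamingContext")

      Set objfso = CreateObject("Scripting.FileSystemObject")
      Set objlog = objfso.CreateTextFile(strLog, True)   ' True = overwrite an existing file

      ' One ADO connection/command, shared by FindAttr and SearchAD.
      Set oCn = CreateObject("ADODB.Connection")
      Set oCmd = CreateObject("ADODB.Command")
      oCn.Provider = "ADsDSOObject"
      oCn.Open "Active Directory Provider"
      Set oCmd.ActiveConnection = oCn
      oCmd.Properties("Page Size") = 1000   ' paged results, so a search is not truncated at the server page limit
      oCmd.Properties("Searchscope") = 2    ' ADS_SCOPE_SUBTREE

      ' Fail with a clear message instead of binding to the bare "LDAP://" path
      ' when the group is not found (SearchAD returns "" in that case).
      strGroupDN = SearchAD(strGroup)
      If strGroupDN = "" Then
       objlog.WriteLine "Group not found: " & strGroup
       objlog.Close
       WScript.Echo "Group not found: " & strGroup
       WScript.Quit 1
      End If

      Set objGroup = GetObject("LDAP://" & strGroupDN)
      objGroup.GetInfo

      ' "member" holds direct members only: nested groups are not expanded, and an
      ' entry may be a group, contact or computer rather than a user account.
      ' GetEx raises a property-not-found error on a group with no members, so
      ' treat that as an empty list rather than aborting.
      ' NOTE(review): very large groups may return "member" in ranges — confirm
      ' against the target domain if the group has more than a few hundred members.
      On Error Resume Next
      arrMemberOf = objGroup.GetEx("member")
      If Err.Number <> 0 Then
       Err.Clear
       arrMemberOf = Array()
      End If
      On Error GoTo 0

      For Each strMember In arrMemberOf
       FindAttr strMember
       passwordattr strMember
       objlog.WriteLine "****************************"
      Next

      objlog.Close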
       
       
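      Sub passwordattr(strMember)
       ' Writes password-age details for the object at DN strMember to objlog:
       ' whether the password expires, when it was last set, the domain maximum
       ' password age and the resulting expiry date (or "expired").
       ' Runs under On Error Resume Next so one unreadable member does not abort
       ' the run; every failure path writes a line and leaves this Sub only. The
       ' original called WScript.Quit for a non-expiring password, which ended the
       ' whole run at the first such member.
       On Error Resume Next

       Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
       Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D
       Const ONE_HUNDRED_NANOSECOND = 0.0000001   ' seconds per 100-ns tick
       Const SECONDS_IN_DAY = 86400

       Err.Clear
       Set objUser = GetObject("LDAP://" & strMember)
       If Err.Number <> 0 Then
        objlog.WriteLine "Could not bind to " & strMember & " (error 0x" & Hex(Err.Number) & ")"
        Exit Sub
       End If

       ' Members that are not user accounts (nested groups, contacts) have no
       ' userAccountControl; report that and move on instead of printing nonsense.
       Err.Clear
       intUserAccountControl = objUser.Get("userAccountControl")
       If Err.Number <> 0 Then
        objlog.WriteLine "Not a user account (no userAccountControl): " & strMember
        Exit Sub
       End If

       If intUserAccountControl And ADS_UF_DONT_EXPIRE_PASSWD Then
        objlog.WriteLine "The password does not expire."
        Exit Sub
       End If

       ' A password that was never set (pwdLastSet = 0, "must change at next logon")
       ' surfaces as E_ADS_PROPERTY_NOT_FOUND. Clear Err first so a stale error
       ' from an earlier statement is not misread as that condition.
       Err.Clear
       dtmValue = objUser.PasswordLastChanged
       If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        objlog.WriteLine "The password has never been set."
        Exit Sub
       ElseIf Err.Number <> 0 Then
        objlog.WriteLine "Could not read PasswordLastChanged (error 0x" & Hex(Err.Number) & ")"
        Exit Sub
       End If
       intTimeInterval = Int(Now - dtmValue)
       objlog.WriteLine "The password was last set on " & _
       DateValue(dtmValue) & " at " & TimeValue(dtmValue)

       ' maxPwdAge is read from the domain head (the Default Domain Policy value).
       ' The original referenced objADSystemInfo without ever creating it, so under
       ' On Error Resume Next everything from here on silently produced nothing.
       ' NOTE(review): a fine-grained password policy (PSO) applied to the user
       ' overrides this domain value; for such users msDS-UserPasswordExpiryTimeComputed
       ' is the authoritative expiry — confirm whether PSOs are in use.
       Err.Clear
       Set objADSystemInfo = CreateObject("ADSystemInfo")
       Set objDomain = GetObject("LDAP://" & objADSystemInfo.DomainDNSName)
       Set objMaxPwdAge = objDomain.Get("maxPwdAge")
       If Err.Number <> 0 Then
        objlog.WriteLine "Could not read maxPwdAge from the domain (error 0x" & Hex(Err.Number) & ")"
        Exit Sub
       End If

       lngHigh = objMaxPwdAge.HighPart
       lngLow = objMaxPwdAge.LowPart

       ' LowPart = 0 covers a literal 0 and also the value AD stores for a
       ' "never expires" domain policy (0x8000000000000000), whose low half is 0.
       If lngLow = 0 Then
        objlog.WriteLine "The Maximum Password Age is set to 0 in the " & _
        "domain. Therefore, the password does not expire."
        Exit Sub
       End If

       ' maxPwdAge is a negative Int64 in 100-ns units. LowPart is a signed Long,
       ' so when it is negative borrow into HighPart before recombining the halves.
       If lngLow < 0 Then lngHigh = lngHigh + 1
       dblMaxPwdNano = Abs(lngHigh * 2 ^ 32 + lngLow)
       dblMaxPwdSecs = dblMaxPwdNano * ONE_HUNDRED_NANOSECOND
       dblMaxPwdDays = Int(dblMaxPwdSecs / SECONDS_IN_DAY)
       objlog.WriteLine "Maximum password age is " & dblMaxPwdDays & " days"

       If intTimeInterval >= dblMaxPwdDays Then
        objlog.WriteLine "The password has expired."
       Else
        objlog.WriteLine "The password will expire on " & _
        DateValue(dtmValue + dblMaxPwdDays) & " (" & _
        Int((dtmValue + dblMaxPwdDays) - Now) & " days from today)."
       End If
      End Sub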
       
      
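      Sub FindAttr(strMember)
       ' Writes givenName, mail, sn and userPrincipalName of the user at DN
       ' strMember to objlog, one "name: value" line each. Nothing is written when
       ' the DN is not a user object (objectCategory=user), e.g. a nested group.
       ' Uses the shared oCmd set up at the top of the script.
       ' The DN goes into the LDAP-dialect base part (<LDAP://dn>) instead of a
       ' quoted SQL-dialect string literal, so a DN containing an apostrophe
       ' (CN=Mary O'Brien,...) no longer terminates the literal and breaks the query.
       Dim arrProps, i, oRS
       arrProps = Array("givenName", "mail", "sn", "userPrincipalName")

       ' Scope "base": the DN itself is the object we want, so no subtree walk.
       oCmd.CommandText = "<LDAP://" & strMember & ">;(objectCategory=user);" & _
        Join(arrProps, ",") & ";base"
       Set oRS = oCmd.Execute

       Do Until oRS.EOF
        For i = 0 To UBound(arrProps)
         ' "&" treats Null (attribute not set) as "", so an unset value prints blank.
         objlog.WriteLine arrProps(i) & ": " & oRS.Fields(arrProps(i)).Value
        Next
        oRS.MoveNext
       Loop
       oRS.Close
      End Sub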
       
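      Function SearchAD(strGroupName)
       ' Returns the distinguishedName of the group whose name (CN) equals
       ' strGroupName, searched from sDomain (the domain naming context) with the
       ' shared oCmd. Returns "" when no group matches.
       ' If more than one group in the domain has that CN (possible across OUs),
       ' the last one returned wins, as in the original; match on sAMAccountName,
       ' which is unique per domain, if that ambiguity matters to you.
       ' The name is escaped with LdapEscape so characters such as * ( ) \ cannot
       ' change the meaning of the filter.
       Dim oRS
       SearchAD = ""
       oCmd.CommandText = "<" & sDomain & ">;(&(objectCategory=group)(name=" & _
        LdapEscape(strGroupName) & "));distinguishedname;subtree"
       Set oRS = oCmd.Execute
       Do Until oRS.EOF
        SearchAD = oRS.Fields("distinguishedname").Value
        oRS.MoveNext
       Loop
       oRS.Close
      End Function

      Function LdapEscape(strValue)
       ' RFC 4515 escaping for a value embedded in an LDAP search filter:
       ' backslash, asterisk, parentheses and NUL become \5c \2a \28 \29 \00.
       Dim strOut, i, ch
       strOut = ""
       For i = 1 To Len(strValue)
        ch = Mid(strValue, i, 1)
        Select Case ch
         Case "\"
          strOut = strOut & "\5c"
         Case "*"
          strOut = strOut & "\2a"
         Case "("
          strOut = strOut & "\28"
         Case ")"
          strOut = strOut & "\29"
         Case Chr(0)
          strOut = strOut & "\00"
         Case Else
          strOut = strOut & ch
        End Select
       Next
       LdapEscape = strOut
      End Function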
