re:"Anyone who has TAMs... Start screaming now..."

Done from here.

-DaveC

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 11, 2006 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

A comprehensive list of attributes and values doesn't exist; I have
thought about setting up a dynamic webpage backending into a MySQL DB on
my website for a long time but just haven't done it. 

However for userAccountControl you can look at this enumeration:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp

If you go up one level from that you will find several enumerations for
some of the attributes. Keep in mind that there are some flags that
actually are valid for ADSI in general but not for LDAP, for instance,
ADS_UF_LOCKOUT works for the WinNT provider but not the LDAP provider.
Again, no comprehensive docs exist for that, it is all one offs that
people run into.
Actually that is pretty pathetic in my opinion but hey, at least we get
some info.


Now for your other specific questions... 

All user accounts that must change password at next logon, that is
handled by a combination of the pwdLastSet attribute and the domain
policy for password aging which is in the maxPwdAge attribute and the
current time/date and the userAccountControl. If the account is set to
not expire, it won't ever force a password change, if that isn't set
then there is a combination of the password age and the maxpwdage and
the current time. The easiest way to deal with this is findexpacc. If
you just want all accounts that have never set a password or have been
forced to change password at next logon that is a little easier, you
look for pwdLastSet=0.

All computers running Win2K pro would be handled by looking at the
operatingsystem attribute. I don't recall the actual string for Windows
2000 Professional but I expect that is the string, Windows Server 2003
is Windows Server 2003, Windows XP Pro is Windows XP Professional. MSFT,
again, in their infinite wisdom currently has Vista set as Windows Vista
(copyright
symbol) Ultimate. The copyright symbol is completely moronic in there as
it blows out people trying to look for the machines with command line
tools with really efficient queries. They have no choice but to wildcard
the strings. I bugged it, it was rejected, Eric jumped into the fray and
got it going again but just the same it seems we may end up losing and
it getting out into the OEM launch. Anyone who has TAMs... Start
screaming now, that is going to be a pain if it gets out there. I refuse
to figure out a way around it and will just say that MSFT was stupid and
didn't listen when I pitched it as a bug back in Beta 1. 

For excldn, it probably didn't work due to misunderstanding or mistake,
my code is perfect. ;o)  No seriously, if you have spaces in strings
that are passed as command line parameters, you need to use quotes.
Special characters need to be escaped, this isn't an issue with oldcmp,
it is the command line interpreter interpreting things in the way you
type them instead of how you intend them and passing that to my tools.
Also if you pass multiple DNs the proper delimiter needs to be supplied
(by default I think it is ; but would have to look to be sure) or else
adfind doesn't know what you mean. I am also not good at divining intent
versus what was typed.

  joe



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Tuesday, July 11, 2006 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

Pardon my ignorance, but I have one more question: where do I get a list
of all of user or computer object attributes and values as it was used
in "(useraccountcontrol:AND:=65536)"? 
For instance if I want to enumerate all the user accounts with "User Must
Change Password at Next Logon" or computers that are running WIN2K PRO.

Also I noticed the OU exclusion switch (-excldn) did not work in the
case of multiple OUs. Is it perhaps because they had space in their
names? 

TIA

Alex

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 11, 2006 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

This should do it

oldcmp -report -users -bit -af "(useraccountcontrol:AND:=65536)" -sh 

If you want a listing of all accounts with that set you would add -age 0

You could also use adfind to get the info. 


  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
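The logic joe describes above (pwdLastSet, the userAccountControl flag, maxPwdAge and the current time) and the bit filter in the oldcmp command line, worked through as an added Python example that is not code from the thread or from joeware's tools. The account names, timestamps and the 90-day maxPwdAge are constructed sample values, and 0x200 (NORMAL_ACCOUNT) is used only to give each sample a realistic userAccountControl.

```python
from datetime import datetime, timedelta, timezone
UF_DONT_EXPIRE_PASSWD = 0x10000  # ADS_UF_DONT_EXPIRE_PASSWD, the 65536 in the thread's filter
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP bitwise-AND matching rule, joe's tools spell it ":AND:"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NO_MAX_AGE = (0, -(2 ** 63))  # maxPwdAge values meaning the domain never ages passwords

def filetime_to_datetime(ticks: int) -> datetime:
    """pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(when: datetime) -> int:
    """Inverse of the above; used here only to build the constructed sample values."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def never_expires_filter() -> str:
    """Standard LDAP spelling of oldcmp's -af "(useraccountcontrol:AND:=65536)"."""
    return f"(userAccountControl:{BIT_AND_RULE}:={UF_DONT_EXPIRE_PASSWD})"

def password_state(pwd_last_set: int, uac: int, max_pwd_age: int, now: datetime):
    """Return (state, age_in_days) from the inputs joe lists: pwdLastSet, the flag, maxPwdAge, now."""
    if pwd_last_set == 0:                      # never set, or forced to change at next logon
        return "must-change", None
    age = now - filetime_to_datetime(pwd_last_set)
    if uac & UF_DONT_EXPIRE_PASSWD:            # flag wins: no forced change, however old
        return "never-expires", age.days
    if max_pwd_age in NO_MAX_AGE:
        return "no-max-age", age.days
    max_age = timedelta(microseconds=(-max_pwd_age) // 10)  # maxPwdAge is a negative interval
    return ("expired" if age >= max_age else "ok"), age.days

def older_than(accounts: dict, max_pwd_age: int, now: datetime, days: int = 90) -> list:
    """The report Alex asked for: accounts whose password is older than `days`, whatever the flags."""
    hits = []
    for name, (pwd_last_set, uac) in accounts.items():
        _state, age = password_state(pwd_last_set, uac, max_pwd_age, now)
        if age is not None and age > days:
            hits.append(name)
    return hits

# Constructed sample data (not from a real directory); NOW is the thread's date.
NOW = datetime(2006, 7, 11, tzinfo=timezone.utc)
MAX_PWD_AGE_90_DAYS = -(90 * 24 * 3600 * 10_000_000)   # -90 days in 100ns ticks
SAMPLE = {
    "alice": (datetime_to_filetime(NOW - timedelta(days=30)), 0x200),
    "bob": (datetime_to_filetime(NOW - timedelta(days=120)), 0x200),
    "svc_backup": (datetime_to_filetime(NOW - timedelta(days=400)), 0x200 | UF_DONT_EXPIRE_PASSWD),
    "newhire": (0, 0x200),
}
```

Running `older_than(SAMPLE, MAX_PWD_AGE_90_DAYS, NOW)` lists bob and svc_backup: the service account shows up even though its flag means it will never be forced to change, which is exactly why a report on age rather than on expiry is worth having.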

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Tuesday, July 11, 2006 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account Password Expiration Tool

Do you know of any tools out there that would check for and list AD
accounts whose "Password Never Expires" is checked and/or how old is a
user's password; e.g. it would generate a report listing all accounts
with password older than 90 days?

The closest thing I can find is JoeWare's (bowing my head!) "FindExpAcc"
tool with -pwd switch, but it only lists accounts with expired
passwords.

TIA
 
Alex Alborzfard
Systems Administrator
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except 
where the sender specifically states them to be the views of Reuters Ltd.
