You should be able to get at this using ADSI (Active Directory Services
Interfaces). You can probably script this with PowerShell using either ADSI
or the free Quest Active Directory snap-in. I think something roughly like
this may get at it:
[adsi]"WinNT://ComputerName".psbase.children | where
{$_.pbase.schemaclassname -eq "user"} | foreach {
$_.name ; $_.AccountExpirationDate.value }
This should return the password expiration date for all user objects (this
is just a rough guess and has not been tested to see if it works). I will
play with this a bit when I am back in the office.
Jody
_____
From: [email protected]
[mailto:[email protected]] On Behalf Of Brian Gray
Sent: Thursday, June 11, 2009 4:39 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] WMIC help
I realize it's not wmic but wouldn't it be just as simple to use something
like
net user username /dom | find "Password expires"
Maybe you need wmic for a specific reason I don't know... I believe as long
as you are logging in as a user within that domain it should pull the
information without issue. I can think of a dozen other ways depending on
what the end result you are looking for is.
On Thu, Jun 11, 2009 at 12:46 PM, Raffi Jamgotchian
<[email protected]> wrote:
i've used VBscript to do it. If you're interested, Ill dig it out. it
was run against the domain controller if I remember correctly.
On Jun 11, 2009, at 12:42 PM, Michael Douglas wrote:
> Bah. This doesn't work... you have to enter the actual user's
> password.
>
> Sorry for the bum advice!
> - Mick
>
>
>
> On Wed, Jun 10, 2009 at 8:55 PM, Michael
> Douglas<[email protected]> wrote:
>> If you're an admin, you should be able to force the wmic check to
>> happen in the scope of another user.
>>
>> wmic /user:"domain\user" netlogin get passwordexpires
>> (note you'll likely need to keep the quotes in the line above. wmic
>> is
>> very picky about global flag values.)
>>
>> I believe this will work... But I'm not VPNed into my lab at work
>> right now to test and see. Please let us know if this works as you
>> wanted it to.
>>
>> My answers might be wrong, but they're FAST! ;-)
>> - Mick
>>
>> On Wed, Jun 10, 2009 at 4:29 PM, Kennith Asher<[email protected]>
>> wrote:
>>> Hey all you WMIC gurus out there. I'm trying to find a
>>> straightforward
>>> means of identifying when a domain user's password will expire.
>>> Is there a
>>> modifier or switch I can set to bring back password expiry for
>>> another
>>> domain user?
>>>
>>> I know I can use:
>>>
>>> Wmic netlogin get passwordexpires
>>>
>>> to find when my password expires, can this be done for another
>>> domain user?
>>> Assume I have admin privileges.
>>>
>>> Oh, and just so that we're clear here, this is for the domain we
>>> use at
>>> work, I am doing this on behalf of a user I support.
>>>
>>> Thanks,
>>>
>>> Ken
>>>
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com <http://pauldotcom.com/>
>>>
>>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com <http://pauldotcom.com/>
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com <http://pauldotcom.com/>
--
-Brian W. Gray
No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.5.364 / Virus Database: 270.12.64/2170 - Release Date: 06/11/09
17:59:00
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
