I like the idea of PowerShell (haven't had much time to play with it).

Anyways, this VBS is tested against my environment. Three pop-ups. Age of
password. Current Password Age Policy. And Expire Date. You can tweak it the
way you see fit.

Just edit the LDAP query and Set objDomainNT with appropriate user, OU, and
domain name.

Const SEC_IN_DAY = 86400
' userAccountControl flag: password never expires for this account
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

' Bind to the user object; edit the DN for your user, OU and domain
Set objUserLDAP = GetObject _
  ("LDAP://CN=user,OU=ou,DC=domain,DC=com")
intCurrentValue = objUserLDAP.Get("userAccountControl")

If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then
  wscript.echo "The password does not expire."
Else
  ' Pop-up 1: when the password was last changed and its age in days
  dtmValue = objUserLDAP.PasswordLastChanged
  Wscript.echo "The password was last changed on " & _
  DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
  "The difference between when the password was last set" & VbCrLf & _
  "and today is " & int(now - dtmValue) & " days"
  intTimeInterval = int(now - dtmValue)

  ' The WinNT provider returns MaxPasswordAge in seconds; edit the domain name
  Set objDomainNT = GetObject("WinNT://domain")
  intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
  ' A negative value is treated as "no maximum password age"
  If intMaxPwdAge < 0 Then
    WScript.Echo "The Maximum Password Age is set to 0 in the " & _
      "domain. Therefore, the password does not expire."
  Else
    ' Pop-up 2: the domain policy, converted from seconds to days
    intMaxPwdAge = (intMaxPwdAge/SEC_IN_DAY)
    Wscript.echo "The maximum password age is " & intMaxPwdAge & " days"
    ' Pop-up 3: expired already, or the expiry date and days remaining
    If intTimeInterval >= intMaxPwdAge Then
      Wscript.echo "The password has expired."
    Else
      Wscript.echo "The password will expire on " & _
      DateValue(dtmValue + intMaxPwdAge) & " (" & _
      int((dtmValue + intMaxPwdAge) - now) & " days from today" & ")."
    End If
  End If
End If

On Fri, Jun 12, 2009 at 1:24 AM, Jody & Jennifer McCluggage <
[email protected]> wrote:

>  You should be able to get at this using ADSI (Active Directory Services
> Interfaces).  You can probably script this with PowerShell using either ADSI
> or the free Quest Active Directory snap-in.  I think something roughly like
> this may get at it:
>
>
>
> ([adsi]"WinNT://ComputerName").psbase.children | where {$_.psbase.schemaclassname -eq "user"} | foreach {
>
>             $_.name ; $_.AccountExpirationDate.value  }
>
>
>
> This should return the password expiration date for all user objects (this
> is just a rough guess and has not been tested to see if it works).  I will
> play with this a bit when I am back in the office.
>
>
>
> Jody
>
>
>  ------------------------------
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Brian Gray
> *Sent:* Thursday, June 11, 2009 4:39 PM
> *To:* PaulDotCom Security Weekly Mailing List
> *Subject:* Re: [Pauldotcom] WMIC help
>
>
>
> I realize it's not wmic but wouldn't it be just as simple to use something
> like
>
>
>
> net user username /dom | find "Password expires"
>
> Maybe you need wmic for a specific reason I don't know... I believe as long
> as you are logging in as a user within that domain it should pull the
> information without issue. I can think of a dozen other ways depending on
> what the end result you are looking for is.
>
>
>
> On Thu, Jun 11, 2009 at 12:46 PM, Raffi Jamgotchian <
> [email protected]> wrote:
>
> I've used VBScript to do it. If you're interested, I'll dig it out. It
> was run against the domain controller if I remember correctly.
>
>
> On Jun 11, 2009, at 12:42 PM, Michael Douglas wrote:
>
> > Bah.  This doesn't work... you have to enter the actual user's
> > password.
> >
> > Sorry for the bum advice!
> > - Mick
> >
> >
> >
> > On Wed, Jun 10, 2009 at 8:55 PM, Michael
> > Douglas<[email protected]> wrote:
> >> If you're an admin, you should be able to force the wmic check to
> >> happen in the scope of another user.
> >>
> >> wmic /user:"domain\user" netlogin get passwordexpires
> >> (note you'll likely need to keep the quotes in the line above. wmic is
> >> very picky about global flag values.)
> >>
> >> I believe this will work... But I'm not VPNed into my lab at work
> >> right now to test and see.  Please let us know if this works as you
> >> wanted it to.
> >>
> >> My answers might be wrong, but they're FAST!   ;-)
> >> - Mick
> >>
> >> On Wed, Jun 10, 2009 at 4:29 PM, Kennith Asher<[email protected]>
> >> wrote:
> >>> Hey all you WMIC gurus out there.  I'm trying to find a straightforward
> >>> means of identifying when a domain user's password will expire. Is there a
> >>> modifier or switch I can set to bring back password expiry for another
> >>> domain user?
> >>>
> >>> I know I can use:
> >>>
> >>> Wmic netlogin get passwordexpires
> >>>
> >>> to find when my password expires, can this be done for another domain user?
> >>> Assume I have admin privileges.
> >>>
> >>> Oh, and just so that we're clear here, this is for the domain we use at
> >>> work, I am doing this on behalf of a user I support.
> >>>
> >>> Thanks,
> >>>
> >>> Ken
> >>>
> >>> _______________________________________________
> >>> Pauldotcom mailing list
> >>> [email protected]
> >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >>> Main Web Site: http://pauldotcom.com
> >>>
> >>
>
>
>
>
>
> --
> -Brian W. Gray
>
>
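
The expiry arithmetic from the VBScript at the top of this message, redone in PowerShell over the raw LDAP attributes (`pwdLastSet`, `maxPwdAge`) rather than the WinNT provider's seconds, as an added example that is not part of the original thread. `Get-PasswordExpiry` is a hypothetical helper name, the sample values are constructed, and treating a `maxPwdAge` of 0 as "no limit" is an assumption.

```powershell
# Added example, not from the thread. Get-PasswordExpiry is a hypothetical
# helper name; every sample value at the bottom is constructed.
function Get-PasswordExpiry {
    param(
        [int]$UserAccountControl,  # user object: userAccountControl
        [long]$PwdLastSet,         # user object: pwdLastSet, FILETIME (100-ns ticks since 1601 UTC)
        [long]$MaxPwdAge,          # domain object: maxPwdAge, a negative 100-ns interval
        [datetime]$Now = [datetime]::UtcNow
    )
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
    $expires = $null
    if ($UserAccountControl -band $ADS_UF_DONT_EXPIRE_PASSWD) {
        $status = 'Never expires (account flag)'
    } elseif ($PwdLastSet -eq 0) {
        # pwdLastSet = 0: the user has to change the password at next logon
        $status = 'Must change at next logon'
    } elseif ($MaxPwdAge -eq 0 -or $MaxPwdAge -eq [long]::MinValue) {
        # Int64.MinValue is the stored "never"; 0 is treated the same (assumption)
        $status = 'Never expires (domain policy)'
    } else {
        $expires = [datetime]::FromFileTimeUtc($PwdLastSet).AddTicks(-$MaxPwdAge)
        if ($Now -ge $expires) {
            $status = 'Expired'
        } else {
            $days = [int][math]::Floor(($expires - $Now).TotalDays)
            $status = "Expires in $days days"
        }
    }
    New-Object psobject -Property @{ Status = $status; ExpiresUtc = $expires }
}

# Constructed inputs: a 42-day policy evaluated on 2009-06-12 UTC
$now    = [datetime]::SpecifyKind([datetime]'2009-06-12', 'Utc')
$recent = [datetime]::SpecifyKind([datetime]'2009-05-20', 'Utc').ToFileTimeUtc()
$old    = [datetime]::SpecifyKind([datetime]'2009-04-01', 'Utc').ToFileTimeUtc()
$max    = -([timespan]::FromDays(42).Ticks)

$cases = @(
    @{ Name = 'normal';      Uac = 0x200;   Set = $recent; Max = $max },
    @{ Name = 'expired';     Uac = 0x200;   Set = $old;    Max = $max },
    @{ Name = 'flagged';     Uac = 0x10200; Set = $old;    Max = $max },
    @{ Name = 'must-change'; Uac = 0x200;   Set = 0;       Max = $max },
    @{ Name = 'no-policy';   Uac = 0x200;   Set = $old;    Max = [long]::MinValue }
)
foreach ($c in $cases) {
    $r = Get-PasswordExpiry -UserAccountControl $c.Uac -PwdLastSet $c.Set -MaxPwdAge $c.Max -Now $now
    '{0,-12} {1}' -f $c.Name, $r.Status
}
```

In a live domain the inputs come from the user object and the domain object. Where fine-grained password policies apply, the constructed attribute `msDS-UserPasswordExpiryTimeComputed` gives the effective expiry directly.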