Thanks Tim, and thanks again to all of you who replied.

Ken

On Fri, Jun 12, 2009 at 4:52 AM, Tim Mugherini <[email protected]> wrote:
> I like the idea of powershell (haven't had much time to play with it).
>
> Anyways this vbs is tested against my environment. Three pop-ups. Age of
> password. Current Password Age Policy. And Expire Date. You can tweak it the
> way you see fit.
>
> Just edit the LDAP query and Set objDomainNT with appropriate user, OU, and
> domain name.
>
> Const SEC_IN_DAY = 86400
> Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
>
> ' Bind to the user object and read its account-control flags
> Set objUserLDAP = GetObject _
>   ("LDAP://CN=user,OU=ou,DC=domain,DC=com")
> intCurrentValue = objUserLDAP.Get("userAccountControl")
>
> If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then
>   wscript.echo "The password does not expire."
> Else
>   ' Pop-up 1: age of the current password
>   dtmValue = objUserLDAP.PasswordLastChanged
>   Wscript.echo "The password was last changed on " & _
>     DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
>     "The difference between when the password was last set" & VbCrLf & _
>     "and today is " & int(now - dtmValue) & " days"
>   intTimeInterval = int(now - dtmValue)
>
>   ' Pop-up 2: domain password age policy (WinNT provider returns seconds)
>   Set objDomainNT = GetObject("WinNT://domain")
>   intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
>   If intMaxPwdAge < 0 Then
>     WScript.Echo "The Maximum Password Age is set to 0 in the " & _
>       "domain. Therefore, the password does not expire."
>   Else
>     intMaxPwdAge = (intMaxPwdAge/SEC_IN_DAY)
>     Wscript.echo "The maximum password age is " & intMaxPwdAge & " days"
>     ' Pop-up 3: expiry date, or a notice that it has already passed
>     If intTimeInterval >= intMaxPwdAge Then
>       Wscript.echo "The password has expired."
>     Else
>       Wscript.echo "The password will expire on " & _
>         DateValue(dtmValue + intMaxPwdAge) & " (" & _
>         int((dtmValue + intMaxPwdAge) - now) & " days from today" & ")."
>     End If
>   End If
> End If
>
>
> On Fri, Jun 12, 2009 at 1:24 AM, Jody & Jennifer McCluggage <[email protected]> wrote:
>
>> You should be able to get at this using ADSI (Active Directory Services
>> Interfaces).
>> You can probably script this with PowerShell using either ADSI or the
>> free Quest Active Directory snap-in. I think something roughly like
>> this may get at it:
>>
>> ([adsi]"WinNT://ComputerName").psbase.children |
>>   where { $_.psbase.schemaclassname -eq "user" } |
>>   foreach { $_.name ; $_.AccountExpirationDate.value }
>>
>> This should return the password expiration date for all user objects
>> (this is just a rough guess and has not been tested to see if it
>> works). I will play with this a bit when I am back in the office.
>>
>> Jody
>>
>> ------------------------------
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Brian Gray
>> *Sent:* Thursday, June 11, 2009 4:39 PM
>> *To:* PaulDotCom Security Weekly Mailing List
>> *Subject:* Re: [Pauldotcom] WMIC help
>>
>> I realize it's not wmic but wouldn't it be just as simple to use
>> something like
>>
>> net user username /dom | find "Password expires"
>>
>> Maybe you need wmic for a specific reason I don't know... I believe as
>> long as you are logging in as a user within that domain it should pull
>> the information without issue. I can think of a dozen other ways
>> depending on what the end result you are looking for is.
>>
>> On Thu, Jun 11, 2009 at 12:46 PM, Raffi Jamgotchian <[email protected]> wrote:
>>
>> I've used VBscript to do it. If you're interested, I'll dig it out. It
>> was run against the domain controller if I remember correctly.
>>
>> On Jun 11, 2009, at 12:42 PM, Michael Douglas wrote:
>>
>> > Bah. This doesn't work... you have to enter the actual user's
>> > password.
>> >
>> > Sorry for the bum advice!
>> > - Mick
>> >
>> > On Wed, Jun 10, 2009 at 8:55 PM, Michael Douglas <[email protected]> wrote:
>> >> If you're an admin, you should be able to force the wmic check to
>> >> happen in the scope of another user.
>> >>
>> >> wmic /user:"domain\user" netlogin get passwordexpires
>> >> (note you'll likely need to keep the quotes in the line above. wmic is
>> >> very picky about global flag values.)
>> >>
>> >> I believe this will work... But I'm not VPNed into my lab at work
>> >> right now to test and see. Please let us know if this works as you
>> >> wanted it to.
>> >>
>> >> My answers might be wrong, but they're FAST! ;-)
>> >> - Mick
>> >>
>> >> On Wed, Jun 10, 2009 at 4:29 PM, Kennith Asher <[email protected]> wrote:
>> >>> Hey all you WMIC gurus out there. I'm trying to find a
>> >>> straightforward means of identifying when a domain user's password
>> >>> will expire. Is there a modifier or switch I can set to bring back
>> >>> password expiry for another domain user?
>> >>>
>> >>> I know I can use:
>> >>>
>> >>> Wmic netlogin get passwordexpires
>> >>>
>> >>> to find when my password expires, can this be done for another
>> >>> domain user? Assume I have admin privileges.
>> >>>
>> >>> Oh, and just so that we're clear here, this is for the domain we
>> >>> use at work, I am doing this on behalf of a user I support.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Ken
>> >>>
>> >>> _______________________________________________
>> >>> Pauldotcom mailing list
>> >>> [email protected]
>> >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> >>> Main Web Site: http://pauldotcom.com
>>
>> --
>> -Brian W. Gray
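
Added example, not part of the original thread or any poster's code: the expiry arithmetic from the VBScript above, done on the raw directory attributes (userAccountControl, pwdLastSet, maxPwdAge) as they appear in an LDAP export, including the "must change at next logon" case the script does not report. The account names and values are constructed, and it assumes a single domain-wide password policy.

```python
from datetime import datetime, timedelta, timezone

ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # same flag the VBScript tests
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = -(2 ** 63)                    # maxPwdAge stored when passwords never expire


def filetime_to_datetime(ticks):
    """100-nanosecond ticks since 1601-01-01 UTC -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def to_filetime(dt):
    """Inverse helper, used here only to build the constructed samples."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10


def password_expiry(uac, pwd_last_set, max_pwd_age, now):
    """Return (status, expiry datetime or None) for one account."""
    if uac & ADS_UF_DONT_EXPIRE_PASSWD:
        return ("never-expires-flag", None)
    if pwd_last_set == 0:             # "must change password at next logon"
        return ("must-change-at-next-logon", None)
    if max_pwd_age in (0, NEVER):     # 0 handled as no expiry in this example
        return ("no-domain-max-age", None)
    # maxPwdAge is a negative tick count, so negate it before adding.
    expiry = filetime_to_datetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)
    return ("expired" if expiry <= now else "valid", expiry)


# Constructed sample data: a 42-day policy and four made-up accounts.
UTC = timezone.utc
NOW = datetime(2009, 6, 12, tzinfo=UTC)
MAX_PWD_AGE = -42 * 86400 * 10**7
ACCOUNTS = {
    "alice":   (0x200,   to_filetime(datetime(2009, 5, 20, tzinfo=UTC))),
    "bob":     (0x200,   to_filetime(datetime(2009, 4, 1, tzinfo=UTC))),
    "svc_app": (0x10200, to_filetime(datetime(2007, 1, 1, tzinfo=UTC))),
    "newhire": (0x200,   0),
}


def audit(accounts=ACCOUNTS, max_pwd_age=MAX_PWD_AGE, now=NOW):
    """Map each account name to its (status, expiry) tuple."""
    return {name: password_expiry(uac, pls, max_pwd_age, now)
            for name, (uac, pls) in accounts.items()}


if __name__ == "__main__":
    for name, (status, expiry) in audit().items():
        print(f"{name:8} {status:26} {expiry.date() if expiry else '-'}")
```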
