JSI Tip 8485. How can I calculate a user's approximate password expiration date?


A user's password expiration date is NOT an attribute of a user's profile. The password expiration date is calculated by adding the domain's maxPwdAge attribute to the user's pwdLastSet attribute.

In various scripts on this site, I returned a user's password expiration date by letting the net user command calculate it, as in:

for /f "Tokens=3" %%b in ('net user %user% /domain^|findstr /i /c:"Password expires"') do (
 set expires=%%b
)
NOTE: The expires environment variable contains information like 10/11/2004 04:58.

If your script is using Active Directory command-line tools, it is wasteful to re-retrieve the user information by running the net user command.

I have scripted PwdExpires.bat to calculate the approximate password expiration date, without the time component.

The syntax for using PwdExpires.bat is:

call PwdExpires pwdLastSet Expires maxPwdAge

Where:

pwdLastSet is the value of the user's pwdLastSet attribute.
Expires    is a call directed environment variable that will contain the password expiration MM/DD/YYYY.
maxPwdAge  is a call directed environment variable that will contain the domain's maxPwdAge, truncated to whole days.
NOTE: You should bypass accounts where the password never expires, and accounts that are disabled.

PwdExpires.bat uses the following scripts, which must be located in a folder that is in your PATH:

PassPolicy.bat and PassPolicy.vbs
CvtFileTime.bat
JSIDateM.bat
Date2JD.bat
JD2Date.bat

PwdExpires.bat contains:

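@echo off
rem Show the syntax and exit when fewer than three parameters are supplied.
if {%3}=={} @echo Syntax: call PwdExpires pwdLastSet Expires maxPwdAge&goto :EOF
setlocal
set pwdLastSet=%1
rem Read the current value of the caller's maxPwdAge variable, if it has one.
call set work=%%%3%%
rem If it is empty, retrieve the maximum password age with PassPolicy.
if {%work%} EQU {} call PassPolicy p1 p2 p3 p4 work p6 p7 p8
rem Keep the part before the decimal point; 10000<n> modulo 10000 strips leading zeros.
for /f "Tokens=1,2 Delims=." %%a in ('@echo %work%') do (
 set /a maxPwdAge=10000%%a%%10000
)
rem Convert pwdLastSet to a date; "Never" is passed back to the caller unchanged.
call CvtFileTime %pwdLastSet% dt
if "%dt%" EQU "Never" endlocal&set %2=%dt%&set %3=%maxPwdAge%&goto :EOF
for /f "Tokens=1-3 Delims=/ " %%a in ('@echo %dt%') do (
 set mm=%%a
 set dd=%%b
 set yy=%%c
)
rem Add maxPwdAge days to the date the password was last set.
call JSIDateM %yy% %mm% %dd% + %maxPwdAge%
set dt=%AMM%/%ADD%/%NYY%
endlocal&set %2=%dt%&set %3=%maxPwdAge%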
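
The same calculation on raw directory values, as an added example that is not one of the site's scripts: it assumes pwdLastSet and maxPwdAge are the raw 100-nanosecond integers Active Directory stores (maxPwdAge negative, not the whole-day figure PwdExpires.bat passes back) and uses userAccountControl flags for the accounts the NOTE above says to bypass. The sample records and function names are constructed for illustration, and times are UTC.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME zero point
UF_ACCOUNTDISABLE = 0x0002         # userAccountControl: account is disabled
UF_DONT_EXPIRE_PASSWD = 0x10000    # userAccountControl: password never expires
NO_MAX_AGE = -(2 ** 63)            # maxPwdAge value meaning "no maximum age"
TICKS_PER_DAY = 86400 * 10_000_000  # 100 ns intervals in one day

# Constructed sample data: (name, pwdLastSet, userAccountControl), 42-day policy.
MAX_PWD_AGE = -36288000000000
SAMPLE = [
    ("alice", 127383154800000000, 0x200),    # normal account
    ("bob",   127383154800000000, 0x10200),  # password never expires
    ("carol", 127383154800000000, 0x202),    # disabled
    ("dave",  0,                  0x200),    # must change at next logon
]

def filetime_to_utc(ticks):
    """Convert 100 ns intervals since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_expiry(pwd_last_set, max_pwd_age, uac):
    """Return (status, expiry_utc); expiry_utc is None unless status is 'expires'."""
    if uac & UF_ACCOUNTDISABLE:
        return "disabled", None
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, NO_MAX_AGE):
        return "never-expires", None
    if pwd_last_set == 0:
        return "must-change-at-next-logon", None
    # maxPwdAge is a negative interval, so subtracting it adds the age.
    return "expires", filetime_to_utc(pwd_last_set - max_pwd_age)

def max_age_days(max_pwd_age):
    """Raw maxPwdAge truncated to whole days."""
    return -max_pwd_age // TICKS_PER_DAY

def report(users, max_pwd_age):
    """Return (name, status, MM/DD/YYYY or '-') for each user record."""
    rows = []
    for name, pwd_last_set, uac in users:
        status, when = password_expiry(pwd_last_set, max_pwd_age, uac)
        rows.append((name, status, when.strftime("%m/%d/%Y") if when else "-"))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE, MAX_PWD_AGE):
        print("%-6s %-26s %s" % row)
```
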


