JSI Tip 7547. How do I list accounts in my domain that have NOT changed their password in nnn days?

Using DSQUERY and DSGET, I have scripted StalePwd.bat to display the Distinguished Name (DN) of all domain user accounts that have NOT changed their password in a specified number of days. The StalePwd.bat script does NOT report accounts that are disabled, or those whose password is set to never expire.

The syntax for using StalePwd.bat is:

StalePwd Days

where Days is a number in the range of 0 through 999.

The output is displayed on the CMD console, but you can redirect it to a file using the following syntax:

StalePwd Days >FileName

You can use the output in subsequent commands, as in:

for /f "Tokens=*" %%i in ('StalePwd Days') do SomeCommand %%i

NOTE: See How can I report all inactive user accounts, and optionally disable them?

NOTE: See How do I list accounts in my domain whose password is set to never expire?

StalePwd.bat contains:

@echo off
if {%1}=={} @echo syntax: StalePwd Days &goto :EOF
setlocal
rem Normalize Days to the range 0-999 (the 1000-prefix / modulo trick also strips leading zeros).
set /a days=1000%1%%1000
if exist "%TEMP%\StalePwd.tm1" del /q "%TEMP%\StalePwd.tm1"
if exist "%TEMP%\StalePwd.tm2" del /q "%TEMP%\StalePwd.tm2"
rem -stalepwd selects users whose password has not changed in %days% days; -limit 0 removes the default 100-result cap.
set getit=dsquery user domainroot -name * -stalepwd %days% -limit 0
for /f "Tokens=*" %%u in ('%getit%') do set UDN=%%u&call :stale
if not exist "%TEMP%\StalePwd.tm1" endlocal&goto :EOF
sort "%TEMP%\StalePwd.tm1" /O "%TEMP%\StalePwd.tm2"
type "%TEMP%\StalePwd.tm2"
del /q "%TEMP%\StalePwd.tm1"
del /q "%TEMP%\StalePwd.tm2"
endlocal
goto :EOF
:stale
rem dsget prints a header line (skipped), a "yes/no yes/no" line, then "dsget succeeded" (filtered out below).
for /f "Skip=1 Tokens=1-2" %%i in ('dsget user %UDN% -pwdneverexpires -disabled') do (
 if /i "%%i" NEQ "dsget" call :report %%i %%j
)
goto :EOF
:report
rem %1 = pwdneverexpires, %2 = disabled; only accounts where both are "no" are reported.
if /i "%1" EQU "yes" goto :EOF
if /i "%2" EQU "yes" goto :EOF
@echo %UDN%>>"%TEMP%\StalePwd.tm1"
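The same report, written as an added PowerShell example rather than code from the original tip, using the ActiveDirectory module (assumed installed) instead of DSQUERY/DSGET; it applies the same two exclusions and emits one DN per line so it can be redirected or consumed like StalePwd.bat.

```powershell
# Added example, not part of the original tip. Assumes the RSAT ActiveDirectory
# module is available. Usage: .\StalePwd.ps1 -Days 90
param(
    [Parameter(Mandatory = $true)]
    [ValidateRange(0, 999)]
    [int]$Days
)

Import-Module ActiveDirectory

# Passwords last set before this point are "stale" for the requested window.
$cutoff = (Get-Date).AddDays(-$Days)

# Same exclusions as StalePwd.bat: disabled accounts and accounts whose
# password is set to never expire are not reported. PasswordLastSet is the
# module's DateTime view of the pwdLastSet attribute.
# Caveat: accounts flagged "must change password at next logon" have
# pwdLastSet = 0, so PasswordLastSet is $null and they never match "-lt".
$stale = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false -and PasswordLastSet -lt $cutoff } `
    -Properties PasswordLastSet, PasswordNeverExpires

# One quoted DN per line, sorted, matching the batch script's output shape.
$stale |
    Sort-Object DistinguishedName |
    ForEach-Object { '"{0}"' -f $_.DistinguishedName }
```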