JSI Tip 8543. How can I determine if Active Directory has detected that a user's password has expired?

When Active Directory detects that a user's password has expired, it sets the user's userAccountControl attribute by ORing it with 0x800000.

Using DSQUERY from the Active Directory command-line tools, I have scripted PWDExpUAC.bat to return the user name and distinguished name of the accounts that have the 0x800000 bit set in the userAccountControl attribute.

PWDExpUAC.bat has no parameters. The output is displayed on the console, but you can process it in your script by using:

for /f "Tokens=1*" %%u in ('PWDExpUAC') do (
 set samid=%%u
 set userDN=%%v
 call :DoSomething
)

PWDExpUAC.bat contains:

@echo off
set qry=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr userAccountControl sAMAccountName distinguishedName -limit 0
rem Skip=1 drops the dsquery column header; %%a=userAccountControl, %%b=sAMAccountName, %%c=distinguishedName (rest of line)
for /f "Skip=1 Tokens=1,2*" %%a in ('%qry%') do (
 call :testit %%b "%%c" %%a
)
goto :EOF
:testit
rem skip rows with no userAccountControl value
if "%3" EQU "" goto :EOF
set user=%1
set dn=%2
set /a uac=%3
rem drop every bit above 0x800000 (reduce uac mod 16777216), then bit 23 is set iff uac GEQ 8388608
:GEQ
if %uac% GEQ 16777216 set /a uac=%uac% - 16777216&goto GEQ
if %uac% LSS 8388608 goto :EOF
rem strip the column padding dsquery adds to the DN
set dn=%dn:  =%
set dn=%dn: "="%
@echo %user% %dn%

NOTE: To retrieve any user's exact password expiration date and time, you can:
rem %The_User_Name% is the user's sAMAccountName; ^| escapes the pipes inside the for /f command
for /f "Tokens=1-3*" %%a in ('net user %The_User_Name% /domain^|find "Password"^|find "expires"') do (
 set dt=%%c
 set tm=%%d
)
NOTE: If the dt environment variable is Never, tm is null.
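The same report in PowerShell, as an added example that is not part of the original tip: the LDAP bit-AND matching rule (OID 1.2.840.113556.1.4.803) lets the domain controller test the 0x800000 bit inside the dsquery-style filter, which replaces the subtract-16777216 loop in PWDExpUAC.bat, and a -band check does the same client-side on exported values. It assumes the ActiveDirectory module (Get-ADUser) is available; the account values at the bottom are constructed.

```powershell
# Added example, not part of the JSI tip. Assumes the ActiveDirectory module
# (Get-ADUser) is installed; the sample values at the bottom are constructed.

$PasswordExpiredBit = 0x800000          # 8388608, the bit the tip looks for

function Test-PasswordExpiredBit {
    # Direct bitwise test of bit 23; equivalent to the tip's GEQ/LSS loop
    # (which reduces uac mod 16777216 and then compares against 8388608).
    param([Parameter(Mandatory)][int64]$UserAccountControl)
    return (($UserAccountControl -band $PasswordExpiredBit) -ne 0)
}

function Get-PasswordExpiredBitUsers {
    # Same object set as PWDExpUAC.bat, but the DC applies the bit test via the
    # LDAP_MATCHING_RULE_BIT_AND rule (OID 1.2.840.113556.1.4.803), so only
    # matching accounts are returned and no column padding has to be stripped.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$PasswordExpiredBit))"
    Get-ADUser -LDAPFilter $filter -Properties userAccountControl |
        Select-Object SamAccountName, DistinguishedName,
            @{ Name = 'UAC'; Expression = { '0x{0:X}' -f $_.userAccountControl } }
}

# Client-side check over constructed sample values (e.g. a dsquery or CSV export).
# 0x1000200 shows why a plain "GEQ 8388608" test is not enough: the value is large
# because bit 24 (0x1000000) is set while bit 23 is clear.
# The constructed attribute msDS-User-Account-Control-Computed also reports
# UF_PASSWORD_EXPIRED, but constructed attributes cannot be used in an LDAP
# filter, so values read from it must be tested client-side like this.
$samples = @(
    [pscustomobject]@{ sAMAccountName = 'alice'; userAccountControl = 0x200     }
    [pscustomobject]@{ sAMAccountName = 'bob';   userAccountControl = 0x800200  }
    [pscustomobject]@{ sAMAccountName = 'carol'; userAccountControl = 0x1000200 }
)
$samples |
    Where-Object { Test-PasswordExpiredBit $_.userAccountControl } |
    ForEach-Object { '{0} has the 0x800000 bit set' -f $_.sAMAccountName }
```

Of the three constructed accounts only bob is reported; carol's value is above 8388608 but has bit 23 clear.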
