When Active Directory detects that a user's password has expired, it flags the account by ORing the user's userAccountControl value with 0x800000 (PASSWORD_EXPIRED, decimal 8388608). One caveat before relying on that bit: on Windows Server 2003 and later, PASSWORD_EXPIRED (like LOCKOUT, 0x10) is a computed flag that the directory exposes through the constructed attribute msDS-User-Account-Control-Computed rather than writing it into the stored userAccountControl attribute, so check on your own domain which attribute dsquery has to read for the bit to appear.
Using DSQUERY from the Active Directory command-line tools, I have scripted PWDExpUAC.bat to return the user name and distinguished name of the accounts that have the 0x800000 bit set in the userAccountControl attribute.
PWDExpUAC.bat has no parameters. The output is displayed on the console, but you can process it in your script by using:
for /f "Tokens=1*" %%u in ('PWDExpUAC') do (
 set samid=%%u
 set userDN=%%v
 call :DoSomething
)

Because the distinguished name can contain spaces, "Tokens=1*" is required: %%u receives the user name and %%v the whole remainder of the line.

PWDExpUAC.bat contains:

@echo off
setlocal
:: Columns returned by dsquery: userAccountControl sAMAccountName distinguishedName
set qry=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr userAccountControl sAMAccountName distinguishedName -limit 0
:: Skip the header line. %%a = userAccountControl, %%b = sAMAccountName,
:: %%c = rest of the line (the DN, which may contain spaces and commas, so it is quoted)
for /f "Skip=1 Tokens=1,2*" %%a in ('%qry%') do (
 call :testit %%b "%%c" %%a
)
endlocal
goto :EOF

:testit
:: %1 = sAMAccountName, %2 = quoted DN, %3 = userAccountControl (decimal)
if "%3" EQU "" goto :EOF
if "%3" EQU "0" goto :EOF
set user=%1
set dn=%~2
set /a uac=%3
:: Discard every bit above 0x800000 by subtracting 0x1000000 (16777216)
:: until the value is below it, i.e. uac mod 2^24
:GEQ
if %uac% GEQ 16777216 set /a uac=%uac% - 16777216&goto GEQ
:: With the higher bits gone, a value of at least 0x800000 (8388608) means PASSWORD_EXPIRED is set
if %uac% LSS 8388608 goto :EOF
:: Strip only the trailing column padding; removing every space would corrupt DNs such as CN=John Smith,...
:trim
if "%dn:~-1%" EQU " " set dn=%dn:~0,-1%&goto trim
echo %user% %dn%

NOTE: To retrieve any user's exact password expiration date and time, you can:
for /f "Tokens=1-3*" %%a in ('net user %The_User_Name% /domain^|find "Password"^|find "expires"') do (
 set dt=%%c
 set tm=%%d
)

where %The_User_Name% holds the account name. The two find filters keep only the "Password expires" line, so %%a and %%b receive the words Password and expires, %%c the date (or Never) and %%d the time.

NOTE: If the dt environment variable is Never, tm is null.
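The two checks above (the PASSWORD_EXPIRED bit test that PWDExpUAC.bat performs on dsquery output, and the "Password expires" parsing of net user output with its Never case) as one added example in Python, not code from the original tip. It runs over constructed sample output so it can be tested without a domain; the flag values are the documented userAccountControl bits, while the sample accounts, DNs and dates are made up, and the en-US date format is an assumption.

```python
# Added example, not part of the original tip: the checks PWDExpUAC.bat and the
# net user snippet perform, re-implemented over constructed sample output.
# Flag values are the documented userAccountControl bits; the rows are made up.
import datetime

PASSWORD_EXPIRED = 0x800000        # 8388608, the bit PWDExpUAC.bat tests for

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Constructed dsquery output: header line, then one padded row per user.
SAMPLE_DSQUERY = """\
  userAccountControl  sAMAccountName  distinguishedName
  512                 jsmith          CN=John Smith,OU=Users,DC=example,DC=com
  8389120             expired1        CN=Expired One,OU=Users,DC=example,DC=com
  25166336            expired2        CN=Expired Two,OU=Svc,DC=example,DC=com
  66048               svc_noexp       CN=svc_noexp,OU=Svc,DC=example,DC=com
"""

def parse_dsquery(text):
    """Skip the header, then split each row into (uac, sAMAccountName, DN).
    The DN is the remainder of the line and may contain spaces, so only the
    column padding is stripped (the batch file's %dn: =% would delete the
    spaces inside the DN as well)."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        uac, sam, dn = parts
        rows.append((int(uac), sam, dn.strip()))
    return rows

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def low24(value):
    """What the batch :GEQ loop computes: subtract 0x1000000 until the value is
    below it, i.e. value mod 2**24, discarding the bits above PASSWORD_EXPIRED.
    low24(v) >= 0x800000 is then equivalent to v & 0x800000."""
    while value >= 0x1000000:
        value -= 0x1000000
    return value

def password_expired_accounts(text):
    """(sAMAccountName, DN) for every row with PASSWORD_EXPIRED set; a direct
    bitwise test replaces the batch file's subtract-and-compare."""
    return [(sam, dn) for uac, sam, dn in parse_dsquery(text) if uac & PASSWORD_EXPIRED]

# Constructed `net user <name> /domain` output, trimmed to the relevant lines.
SAMPLE_NET_USER = """\
User name                    jsmith
Account expires              Never

Password last set            1/3/2024 9:12:45 AM
Password expires             2/14/2024 9:12:45 AM
Password changeable          1/4/2024 9:12:45 AM
User may change password     Yes
"""
SAMPLE_NET_USER_NEVER = SAMPLE_NET_USER.replace(
    "Password expires             2/14/2024 9:12:45 AM",
    "Password expires             Never")

def password_expiry(net_user_output):
    """(dt, tm) from the 'Password expires' line, as the batch tokens %%c and
    %%d would see them; tm is None when dt is 'Never'."""
    for line in net_user_output.splitlines():
        if "Password" in line and "expires" in line:   # same two find filters
            fields = line.split()                        # Password expires <date> [<time> AM/PM]
            return fields[2], " ".join(fields[3:]) or None
    return None, None

def expires_at(net_user_output):
    """datetime of password expiry, or None for 'Never' (en-US date format assumed)."""
    dt, tm = password_expiry(net_user_output)
    if dt in (None, "Never"):
        return None
    return datetime.datetime.strptime(f"{dt} {tm}", "%m/%d/%Y %I:%M:%S %p")

if __name__ == "__main__":
    for sam, dn in password_expired_accounts(SAMPLE_DSQUERY):
        print(sam, dn)
    print(password_expiry(SAMPLE_NET_USER), password_expiry(SAMPLE_NET_USER_NEVER))
```

The expired2 row carries TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) above the PASSWORD_EXPIRED bit, which is the case the batch file's subtraction loop exists for; low24 reproduces that loop so you can confirm it agrees with the bitwise test.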