JSI Tip 7547. How do I list accounts in my domain that have NOT changed their password in nnn days?
December 9, 2003
Using DSQUERY and DSGET, I have scripted StalePwd.bat to display the Distinguished Name (DN) of all domain user accounts that have NOT changed their password in a specified number of days. The StalePwd.bat script does NOT report accounts that are disabled, or those whose password is set to never expire.
The syntax for using StalePwd.bat is:
StalePwd Days
where Days is a number in the range of 0 through 999.
The output is displayed on the CMD console, but you can pipe it to a file using the following syntax:
StalePwd Days >FileName
You can use the output in subsequent commands, as in:
for /f "Tokens=*" %%i in ('StalePwd Days') do SomeCommand %%i
NOTE: See How can I report all inactive user accounts, and optionally disable them?
NOTE: See How do I list accounts in my domain whose password is set to never expire?
StalePwd.bat contains:
@echo off
if {%1}=={} @echo syntax: StalePwd Days &goto :EOF
setlocal
rem Normalize Days to 0-999; the 1000 prefix stops a leading zero being read as octal.
set /a days=1000%1%%1000
rem Scratch files live in %TEMP%; remove any leftovers from an earlier run.
if exist "%TEMP%\StalePwd.tm1" del /q "%TEMP%\StalePwd.tm1"
if exist "%TEMP%\StalePwd.tm2" del /q "%TEMP%\StalePwd.tm2"
rem Candidates: every user whose password is older than %days% days, with no result limit.
set getit=dsquery user domainroot -name * -stalepwd %days% -limit 0
for /f "Tokens=*" %%u in ('%getit%') do set UDN=%%u&call :stale
if not exist "%TEMP%\StalePwd.tm1" endlocal&goto :EOF
sort "%TEMP%\StalePwd.tm1" /O "%TEMP%\StalePwd.tm2"
type "%TEMP%\StalePwd.tm2"
del /q "%TEMP%\StalePwd.tm1"
del /q "%TEMP%\StalePwd.tm2"
endlocal
goto :EOF
:stale
rem Skip=1 drops the column header; the trailing "dsget succeeded" line is dropped by the NEQ test.
for /f "Skip=1 Tokens=1-2" %%i in ('dsget user %UDN% -pwdneverexpires -disabled') do (
 if /i "%%i" NEQ "dsget" call :report %%i %%j
)
goto :EOF
:report
rem %1 = pwdneverexpires, %2 = disabled; keep the account only when both are "no".
if /i "%1" EQU "yes" goto :EOF
if /i "%2" EQU "yes" goto :EOF
@echo %UDN%>>"%TEMP%\StalePwd.tm1"
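The same report written in PowerShell, as an added example that is not part of the original tip. It folds the three tests StalePwd.bat performs with dsquery and dsget into one LDAP filter: pwdLastSet older than the cutoff, the ACCOUNTDISABLE bit (2) clear and the DONT_EXPIRE_PASSWD bit (65536) clear in userAccountControl. The function name Get-StalePasswordUser and the -IncludeMustChange switch are my own; the example assumes the RSAT ActiveDirectory module is installed and that you run it with an account allowed to read user attributes.

```powershell
# Added example, not from the original JSI tip. Requires the RSAT ActiveDirectory module.
# Lists enabled users whose password is older than $Days days and is not set to never expire,
# which is what StalePwd.bat does with dsquery -stalepwd plus dsget -pwdneverexpires -disabled.
function Get-StalePasswordUser {
    [CmdletBinding()]
    param(
        # Same 0-999 range the batch script accepts.
        [Parameter(Mandatory)][ValidateRange(0, 999)][int]$Days,
        # pwdLastSet = 0 means "must change password at next logon"; it is hidden unless requested.
        [switch]$IncludeMustChange
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC), so express the cutoff the same way.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days).ToFileTimeUtc()

    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    # 2 = ACCOUNTDISABLE, 65536 = DONT_EXPIRE_PASSWD (userAccountControl flags).
    $ldap = "(&(objectCategory=person)(objectClass=user)" +
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
            "(!(userAccountControl:1.2.840.113556.1.4.803:=65536))" +
            "(pwdLastSet<=$cutoff))"

    Get-ADUser -LDAPFilter $ldap -Properties pwdLastSet |
        Where-Object { $IncludeMustChange -or $_.pwdLastSet -ne 0 } |
        ForEach-Object {
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                SamAccountName    = $_.SamAccountName
                PasswordLastSet   = if ($_.pwdLastSet -eq 0) { $null } else { [DateTime]::FromFileTimeUtc($_.pwdLastSet) }
            }
        } |
        Sort-Object DistinguishedName
}

# Usage, matching "StalePwd 90 >FileName" from the tip:
# Get-StalePasswordUser -Days 90 | Select-Object -ExpandProperty DistinguishedName | Out-File stale.txt
```

Doing the exclusion of disabled and never-expire accounts inside the LDAP filter means the domain controller returns only the rows you need, instead of one dsget round trip per candidate as in the batch script. Because LDAP has no strict less-than operator, the filter uses pwdLastSet<=cutoff, which is why a zero pwdLastSet also matches and has to be handled explicitly.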