Using DSQUERY and DSGET, I have scripted PwdNeverExpires.bat to display the Distinguished Name (DN) of all domain user accounts whose password is set to never expire. The PwdNeverExpires.bat script does NOT report accounts that are disabled.
The syntax for using PwdNeverExpires.bat is:
PwdNeverExpires
The output is displayed on the CMD console, but you can redirect it to a file using the following syntax:
PwdNeverExpires>FileName
You can use the output in subsequent commands, as in:
for /f "Tokens=*" %%i in ('PwdNeverExpires') do SomeCommand %%i
NOTE: See How do I list accounts in my domain that have NOT changed their password in nnn days?
NOTE: See How can I report all inactive user accounts, and optionally disable them?
PwdNeverExpires.bat contains:
@echo off
setlocal
rem Remove any work files left over from a previous run.
if exist "%TEMP%\PwdNeverExpires.tm1" del /q "%TEMP%\PwdNeverExpires.tm1"
if exist "%TEMP%\PwdNeverExpires.tm2" del /q "%TEMP%\PwdNeverExpires.tm2"
rem Enumerate every user object in the domain (-limit 0 removes the default 100-object cap).
set getit=dsquery user domainroot -name * -limit 0
for /f "Tokens=*" %%u in ('%getit%') do set UDN=%%u&call :pwdne
rem No matching accounts: nothing to report.
if not exist "%TEMP%\PwdNeverExpires.tm1" endlocal&goto :EOF
rem Sort the collected DNs, display them, and clean up.
sort "%TEMP%\PwdNeverExpires.tm1" /O "%TEMP%\PwdNeverExpires.tm2"
type "%TEMP%\PwdNeverExpires.tm2"
del /q "%TEMP%\PwdNeverExpires.tm1"
del /q "%TEMP%\PwdNeverExpires.tm2"
endlocal
goto :EOF
:pwdne
rem dsget prints a header line (skipped), one line of yes/no values, and a trailing "dsget succeeded" line (filtered out).
for /f "Skip=1 Tokens=1-2" %%i in ('dsget user %UDN% -pwdneverexpires -disabled') do (
 if /i "%%i" NEQ "dsget" call :report %%i %%j
)
goto :EOF
:report
rem %1 = pwdneverexpires, %2 = disabled. Keep only enabled accounts whose password never expires.
if /i "%1" NEQ "yes" goto :EOF
if /i "%2" EQU "yes" goto :EOF
@echo %UDN%>>"%TEMP%\PwdNeverExpires.tm1"
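The same report built with the ActiveDirectory PowerShell module, as an added example that is not part of the original tip. It assumes the RSAT ActiveDirectory module is installed and that the caller can read user objects in the domain; the function name Get-PwdNeverExpiresUser is my own. The LDAP variant relies on the DONT_EXPIRE_PASSWORD (0x10000) and ACCOUNTDISABLE (0x2) bits of userAccountControl and the LDAP bitwise-AND matching rule, so it can also be fed to dsquery * where the module is unavailable.

```powershell
# Added example, not the original PwdNeverExpires.bat: report enabled domain users
# whose password is set to never expire, using the ActiveDirectory module.
# Assumption: RSAT / ActiveDirectory module present and domain read access.
Import-Module ActiveDirectory

function Get-PwdNeverExpiresUser {
    [CmdletBinding()]
    param(
        # Search base; defaults to the whole domain, like 'domainroot' in the batch script.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,

        # Use a raw LDAP filter on userAccountControl bits instead of the cmdlet's
        # friendly properties (same result, useful for comparing against dsquery output).
        [switch]$UseLdapFilter
    )

    if ($UseLdapFilter) {
        # 1.2.840.113556.1.4.803 = LDAP_MATCHING_RULE_BIT_AND
        # 65536 (0x10000) = DONT_EXPIRE_PASSWORD, 2 = ACCOUNTDISABLE
        $ldap = '(&(objectCategory=person)(objectClass=user)' +
                '(userAccountControl:1.2.840.113556.1.4.803:=65536)' +
                '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
        $users = Get-ADUser -SearchBase $SearchBase -LDAPFilter $ldap `
                            -Properties PasswordLastSet, userAccountControl
    }
    else {
        # Filter server-side: password never expires AND account is enabled.
        $users = Get-ADUser -SearchBase $SearchBase `
                            -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
                            -Properties PasswordLastSet, PasswordNeverExpires, Enabled
    }

    # Sorted DN list, like the batch script; PasswordLastSet shows how stale the secret is.
    $users |
        Sort-Object DistinguishedName |
        Select-Object DistinguishedName, SamAccountName, PasswordLastSet
}

# Usage: display on the console, or redirect/export as the batch script allows.
Get-PwdNeverExpiresUser
# Get-PwdNeverExpiresUser | Export-Csv -NoTypeInformation "$env:TEMP\PwdNeverExpires.csv"
# Cross-check against the bit-level query:
# Get-PwdNeverExpiresUser -UseLdapFilter
```

Both code paths return the same accounts; the -Filter form is easier to read, while the LDAP form makes explicit which userAccountControl bits the batch script's yes/no columns correspond to. Reviewing PasswordLastSet alongside the DN helps prioritise which of these accounts (typically service accounts) should be moved to managed credentials or have their password rotated.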