
JSI Tip 7549. How do I list accounts in my domain whose password is set to never expire?

Using DSQUERY and DSGET, I have scripted PwdNeverExpires.bat to display the Distinguished Name (DN) of all domain user accounts whose password is set to never expire. The PwdNeverExpires.bat script does NOT report accounts that are disabled.

The syntax for using PwdNeverExpires.bat is:

PwdNeverExpires

The output is displayed on the CMD console, but you can redirect it to a file using the following syntax:

PwdNeverExpires>FileName

You can use the output in subsequent commands, as in:

for /f "Tokens=*" %%i in ('PwdNeverExpires') do SomeCommand %%i

NOTE: See How do I list accounts in my domain that have NOT changed their password in nnn days?

NOTE: See How can I report all inactive user accounts, and optionally disable them?

PwdNeverExpires.bat contains:

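@echo off
setlocal
rem Remove work files left over from a previous run.
if exist "%TEMP%\PwdNeverExpires.tm1" del /q "%TEMP%\PwdNeverExpires.tm1"
if exist "%TEMP%\PwdNeverExpires.tm2" del /q "%TEMP%\PwdNeverExpires.tm2"
rem Enumerate every user in the domain; -limit 0 removes the default result cap.
set getit=dsquery user domainroot -name * -limit 0
rem dsquery returns each DN in quotes; check the accounts one at a time.
for /f "Tokens=*" %%u in ('%getit%') do set UDN=%%u&call :pwdne
rem No work file means no account matched.
if not exist "%TEMP%\PwdNeverExpires.tm1" endlocal&goto :EOF
rem Sort the matching DNs, display them, and clean up.
sort "%TEMP%\PwdNeverExpires.tm1" /O "%TEMP%\PwdNeverExpires.tm2"
type "%TEMP%\PwdNeverExpires.tm2"
del /q "%TEMP%\PwdNeverExpires.tm1"
del /q "%TEMP%\PwdNeverExpires.tm2"
endlocal
goto :EOF
:pwdne
rem Skip the dsget header line. The first token is the pwdneverexpires value,
rem the second is the disabled value. Ignore the trailing "dsget succeeded" line.
for /f "Skip=1 Tokens=1-2" %%i in ('dsget user %UDN% -pwdneverexpires -disabled') do (
 if /i "%%i" NEQ "dsget" call :report %%i %%j
)
goto :EOF
:report
rem Report only accounts with pwdneverexpires=yes that are not disabled.
if /i "%1" NEQ "yes" goto :EOF
if /i "%2" EQU "yes" goto :EOF
@echo %UDN%>>"%TEMP%\PwdNeverExpires.tm1"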
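
The same report can be produced with a single server-side LDAP query on the userAccountControl flags, instead of one dsget call per user. This PowerShell version is an added example, not part of the original tip; the function name Get-PwdNeverExpires and the sample search root are assumptions, and it must be run from a domain-joined machine.

```powershell
# Added example: one LDAP query replaces the per-user dsget loop.
# userAccountControl flag values (documented by Microsoft):
$ACCOUNTDISABLE     = 0x2       # account is disabled
$DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires" is set
# OID of the LDAP bitwise-AND matching rule (LDAP_MATCHING_RULE_BIT_AND)
$BitAnd = '1.2.840.113556.1.4.803'

function Get-PwdNeverExpires {
    # Hypothetical helper name. Returns the sorted DNs of enabled users
    # whose password is set to never expire.
    param(
        # Optional search root, e.g. 'LDAP://OU=Staff,DC=example,DC=com' (constructed).
        # Empty means the current domain, like "domainroot" in the batch script.
        [string]$SearchRoot = ''
    )

    # Flag set: DONT_EXPIRE_PASSWD. Flag not set: ACCOUNTDISABLE.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:$($BitAnd):=$DONT_EXPIRE_PASSWD)" +
              "(!(userAccountControl:$($BitAnd):=$ACCOUNTDISABLE)))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    }
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000   # paged search, so results are not capped (like -limit 0)
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        # Property names in search results are keyed in lowercase.
        $results | ForEach-Object { $_.Properties['distinguishedname'][0] } | Sort-Object
    }
    finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged resources
    }
}

Get-PwdNeverExpires
```

Because the filter is evaluated by the domain controller, only matching accounts cross the network, which matters in large domains where the batch script launches dsget once per user.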


