Hi,
I need to get a list of user accounts that have expiry dates set and have expired.
I have tried customising this vb script, obtained from the MS Technet site, no error generated but also no output:
___________________________________________________________________
On Error Resume Next
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
dtmAccountExpiration = objUser.AccountExpirationDate
If Err.Number = -2147467259 Or dtmAccountExpiration = "1/1/1970" Then
    WScript.Echo "No account expiration date specified"
Else
    WScript.Echo "Account expiration date: " & objUser.AccountExpirationDate
End If
___________________________________________________________________
Does anyone have a script that works?
Does anyone know if there is an LDAP string that can be put into an ADUC Query to list expired user accounts?
Our A/D servers are running Win2000 SP4.
We are using ADUC version 5.2.3790.0.
Any help/advice much appreciated.
Tom Small Middlesex University London UK.
|
|
Hi,
dsquery * "ou=Management,dc=NA,dc=fabrikam,dc=com" -filter "(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807))" -attr sAMAccountname displayName
Please try the above command, which checks accountExpires in LDAP. Please note the word wrapping. If the output is the one you want, you can set output to a file.
-----
accountExpires
The date when the account expires. This value represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires.
-----
regards,
neothwin
|
|
Hi Neothwin,
Thanks for your help. I ran the dsquery, just substituting my own OU and DC, and a full list of accounts that contain an expiry date was produced. After further searching and experimentation, I found that it is possible to actually only list accounts that have expired on or before a certain date. 128120832000000000 equates to 31-December-2006. I added the string "(accountExpires<=128120832000000000)" into the query, and all accounts that expired on or before 31-December-2006 were listed. I also added "distinguishedName -limit 1000" which allows 1000 items to be listed and also lists the container name, which I am sure others may find useful. Therefore the dsquery I ended up using was:
dsquery * "ou=Management,dc=NA,dc=fabrikam,dc=com" -filter "(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807)(accountExpires<=128120832000000000))" -attr sAMAccountname displayName distinguishedName -limit 1000
The same principles worked in an ADUC Advanced LDAP query. The string I used was:
(&(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807)(accountExpires<=128120832000000000)))
An advantage of using ADUC is that you can choose which columns to view on an ad hoc basis.
Once again, a sincere "Thank You"
Tom Small Middlesex University London UK.
|
|
As noted, a query for all users with accounts that expire would be:
"(&(objectCategory=person)(objectClass=user)" _
& "(!accountExpires=9223372036854775807)(!accountExpires=0))"
The accountExpires attribute is Integer8, a 64-bit number representing the number of 100-nanosecond intervals since 12:00 AM Jan. 1, 1601. Code is required to convert the value to a readable date. A query for all users whose accounts have expired before May 17, 2007 (in my time zone) would be:
"(&(objectCategory=person)(objectClass=user)" _
& "(accountExpires<=128238516000000000)(!accountExpires=0))"
For details and odd facts about accountExpires and the AccountExpirationDate property method, see this link:
http://www.rlmueller.net/AccountExpires.htm
For a VBScript program to convert a date/time value to the corresponding Integer8 (64-bit) value (adjusted for your time zone), see this link:
http://www.rlmueller.net/Programs/DateToInteger8.txt
-- Richard Mueller Microsoft MVP Scripting and ADSI Hilltop Lab - http://www.rlmueller.net --
|
|
An example VBScript program to output all users with an expiration date is below. The program outputs the user Distinguished Name and when the account expires. This can be modified to output for all users, or only for users whose accounts have already expired. You could also substitute sAMAccountName for distinguishedName if desired. The output can be redirected to a text file. The program should be run at a command prompt with the cscript host.
======================
Option Explicit

Dim adoConnection, adoCommand
Dim objRootDSE, strDNSDomain, strFilter, strQuery, adoRecordset
Dim strDN, objShell, lngBiasKey, lngBias
Dim lngDate, objDate, dtmAcctExp, k

' Obtain local time zone bias from machine registry.
Set objShell = CreateObject("Wscript.Shell")
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    & "TimeZoneInformation\ActiveTimeBias")
If (UCase(TypeName(lngBiasKey)) = "LONG") Then
    lngBias = lngBiasKey
ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
    lngBias = 0
    For k = 0 To UBound(lngBiasKey)
        lngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
End If

' Use ADO to search the domain.
Set adoConnection = CreateObject("ADODB.Connection")
Set adoCommand = CreateObject("ADODB.Command")
adoConnection.Provider = "ADsDSOOBject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Determine the DNS domain from the RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Filter to retrieve all user objects with accounts
' that expire.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(!accountExpires=0)(!accountExpires=9223372036854775807))"

strQuery = "<LDAP://" & strDNSDomain & ">;" & strFilter _
    & ";distinguishedName,accountExpires;subtree"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset.
Do Until adoRecordset.EOF
    ' Retrieve attribute values.
    strDN = adoRecordset.Fields("distinguishedName").Value
    lngDate = adoRecordset.Fields("accountExpires")
    ' Convert accountExpires to date in current time zone.
    Set objDate = lngDate
    dtmAcctExp = Integer8Date(objDate, lngBias)
    ' Output to console.
    Wscript.Echo strDN & ";" & dtmAcctExp
    adoRecordset.MoveNext
Loop
adoRecordset.Close

' Clean up.
adoConnection.Close

Function Integer8Date(ByVal objDate, ByVal lngBias)
    ' Function to convert Integer8 (64-bit) value to a date, adjusted for
    ' local time zone bias.
    Dim lngAdjust, lngDate, lngHigh, lngLow
    lngAdjust = lngBias
    lngHigh = objDate.HighPart
    lngLow = objdate.LowPart
    ' Account for bug in IADslargeInteger property methods.
    If (lngLow < 0) Then
        lngHigh = lngHigh + 1
    End If
    If (lngHigh = 0) And (lngLow = 0) Then
        lngAdjust = 0
    End If
    lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
        + lngLow) / 600000000 - lngAdjust) / 1440
    Integer8Date = CDate(lngDate)
End Function
-- Richard Mueller Microsoft MVP Scripting and ADSI Hilltop Lab - http://www.rlmueller.net --
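The Integer8 arithmetic behind the accountExpires filters and the Integer8Date function in this thread, as an added Python example (not code from any poster). It assumes UTC-5 for the May 17, 2007 value; the account names in the sample rows are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)   # both values mean "never expires"
TICKS_PER_SECOND = 10_000_000     # accountExpires counts 100-ns intervals

def to_integer8(when):
    """Timezone-aware datetime -> Integer8 value usable in an LDAP filter."""
    delta = when - EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10

def from_integer8(value):
    """Integer8 -> UTC datetime, or None when the account never expires."""
    if value in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def from_high_low(high, low):
    """Rebuild the 64-bit value from signed 32-bit HighPart/LowPart.
    A negative LowPart needs HighPart + 1 (the Integer8Date correction)."""
    if low < 0:
        high += 1
    return high * 2**32 + low

def expired_filter(cutoff):
    """LDAP filter for users whose account expired on or before cutoff."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(accountExpires<=%d)(!accountExpires=0))" % to_integer8(cutoff))

def expired_accounts(rows, now):
    """rows: (name, accountExpires) pairs; names already expired at 'now'."""
    dated = [(name, from_integer8(value)) for name, value in rows]
    return [name for name, expires in dated if expires and expires <= now]

# Constructed sample rows: placeholder names, Integer8 values from the thread.
SAMPLE = [("user-a", 0), ("user-b", 0x7FFFFFFFFFFFFFFF),
          ("user-c", 128120832000000000), ("user-d", 128238516000000000)]

if __name__ == "__main__":
    utc_minus_5 = timezone(timedelta(hours=-5))  # assumed zone for the May value
    print(to_integer8(datetime(2007, 5, 17, tzinfo=utc_minus_5)))
    print(from_integer8(128120832000000000))
    print(expired_filter(datetime(2007, 1, 1, tzinfo=timezone.utc)))
    print(expired_accounts(SAMPLE, datetime(2007, 2, 1, tzinfo=timezone.utc)))
```

The first value in the thread decodes to 00:00 UTC on 1 January 2007, so the `<=` comparison covers everything through the end of 31 December 2006 in UTC.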