-1

I have a Windows domain where I need to find users with the option to never expire the password enabled, as part of an audit and for contacting them. I have no rights to install any fancy PowerShell parts or anything else on the servers. I suspect adsisearcher through PowerShell could probably do the trick. I also need the contact info, like email address (there are multiple addresses for many users, not sure whether that changes anything). As well, there are many accounts that are not real users, which could unnecessarily inflate my list of users to contact.

uldics

1 Answer

1

The userAccountControl bit for controlling "Password never expires" is 0x10000 (65536 in decimal).

The following LDAP filter will return all users with the option set:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

With an adsisearcher that would become something like:

$Searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
$PwdNeverExpireUsers = $Searcher.FindAll()
Mathias R. Jessen
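A fuller version of the query in the answer above, as an added example that is not part of the original answer: it turns on paging, loads the mail attributes the question asks for, and writes a contact list. Excluding disabled accounts and accounts without a `mail` value is an assumed heuristic for "not real users", and the output path is a placeholder.

```powershell
# Added example. The "real user" heuristics and the CSV path are assumptions.
$NeverExpires = 0x10000                   # userAccountControl bit: password never expires
$Disabled     = 0x2                       # userAccountControl bit: account disabled
$BitAnd       = '1.2.840.113556.1.4.803'  # LDAP bitwise-AND matching rule

# Never-expire users that are enabled and have a mail attribute.
# Drop the (mail=*) clause to get the full audit list instead of the contact list.
$Filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:{0}:={1})' +
          '(!(userAccountControl:{0}:={2}))(mail=*))'
$Filter = $Filter -f $BitAnd, $NeverExpires, $Disabled

$Searcher = [adsisearcher]$Filter
$Searcher.PageSize = 1000   # page through results instead of stopping at the server size limit
$Searcher.PropertiesToLoad.AddRange(
    [string[]]('samaccountname', 'displayname', 'mail', 'proxyaddresses', 'pwdlastset'))

$Results = $Searcher.FindAll()
try {
    $Report = foreach ($Result in $Results) {
        $P = $Result.Properties   # property names are lower-case in this collection

        # proxyAddresses holds every address of the user; keep only the SMTP ones
        $Smtp = @($P['proxyaddresses']) -match '^smtp:' -replace '^smtp:', ''

        # pwdLastSet is a FILETIME; 0 means the password must change at next logon
        $PwdRaw = [long]($P['pwdlastset'] | Select-Object -First 1)
        $PwdSet = if ($PwdRaw -gt 0) { [datetime]::FromFileTimeUtc($PwdRaw) } else { $null }

        [pscustomobject]@{
            SamAccountName = [string]($P['samaccountname'] | Select-Object -First 1)
            DisplayName    = [string]($P['displayname'] | Select-Object -First 1)
            PrimaryMail    = [string]($P['mail'] | Select-Object -First 1)
            AllSmtp        = $Smtp -join '; '
            PwdLastSetUtc  = $PwdSet
        }
    }
}
finally {
    $Results.Dispose()   # SearchResultCollection holds unmanaged resources
}

$Report | Sort-Object SamAccountName |
    Export-Csv -Path .\PwdNeverExpires.csv -NoTypeInformation   # placeholder path
```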