Recently, I was requested to give an auditor a list of all users with “non-expiring” passwords in Active Directory. After doing a little digging on the internet, I compiled this based on some stuff I found, and made my own additions.
The script writes its output to a file called NeverExpires.txt; change the filename in the CreateTextFile line if you want a different one. Now for the instructions:
- Copy/Paste the below into a document labeled: NeverExpires.vbs
- Change the DOMAINCHANGEME and TLDCHANGEME to your domain and TLD. Examples:
  - crimm.com would become: LDAP://dc=crimm,dc=com
  - crimm.local would become: LDAP://dc=crimm,dc=local
  - crimmMoga.local would become: LDAP://dc=crimmMoga,dc=local
```vbscript
' Copyright Crimm
Option Explicit
Dim FileSystem, oFile, objConnection, objCommand, objRecordSet

' Open the output text file (the True argument overwrites an existing file)
Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set oFile = FileSystem.CreateTextFile("NeverExpires.txt", True)
oFile.WriteLine "This script will show who has accounts with non-expiring password set"

' Query Active Directory through the ADSI OLE DB provider.
' No "On Error Resume Next": a wrong domain path should fail loudly,
' not silently produce an empty report.
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
' Paged results, so domains with more than 1000 matches are returned in full
objCommand.Properties("Page Size") = 1000

' 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule;
' 65536 (0x10000) is the DONT_EXPIRE_PASSWORD bit of userAccountControl
objCommand.CommandText = _
    "<LDAP://dc=DOMAINCHANGEME,dc=TLDCHANGEME>;" & _
    "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536));" & _
    "Name;Subtree"

Set objRecordSet = objCommand.Execute

' MoveFirst raises an error on an empty recordset, so check for that first
If objRecordSet.EOF Then
    oFile.WriteLine "No accounts with non-expiring passwords were found"
Else
    objRecordSet.MoveFirst
    Do Until objRecordSet.EOF
        oFile.WriteLine objRecordSet.Fields("Name").Value
        objRecordSet.MoveNext
    Loop
End If

' Release the directory connection and flush the file to disk
objRecordSet.Close
objConnection.Close
oFile.Close
```
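The same audit as an added PowerShell example (this is not the original post's script): it uses System.DirectoryServices directly, so it needs no RSAT or ActiveDirectory module, reads the domain naming context from RootDSE instead of a hard-coded dc= path, and records the fields an auditor usually asks for next, namely the logon name, whether the account is enabled, and when the password was last set. It assumes the machine running it is joined to the domain being audited; the output filename NeverExpires.csv is an assumption as well.

```powershell
# Added example, not part of the original post.
# 1.2.840.113556.1.4.803 = LDAP_MATCHING_RULE_BIT_AND (bitwise AND on the attribute)
# 0x10000 (65536)        = DONT_EXPIRE_PASSWORD bit of userAccountControl
# 0x2                    = ACCOUNTDISABLE bit of userAccountControl
$DontExpirePassword = 0x10000
$AccountDisable     = 0x2

# Output path is an assumption; change it to suit.
$OutFile = Join-Path -Path (Get-Location) -ChildPath 'NeverExpires.csv'

# Bind to the domain of the machine running the script (assumed to be the audited domain).
$rootDse    = [adsi]'LDAP://RootDSE'
$searchRoot = [adsi]"LDAP://$($rootDse.defaultNamingContext)"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
# objectCategory=person + objectClass=user keeps computer accounts and contacts out of the report.
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                   "(userAccountControl:1.2.840.113556.1.4.803:=$DontExpirePassword))"
$searcher.PageSize    = 1000        # paged results, as in the VBScript
$searcher.SearchScope = 'Subtree'
$searcher.PropertiesToLoad.AddRange(
    [string[]]@('samaccountname', 'name', 'useraccountcontrol', 'pwdlastset', 'distinguishedname'))

$results = @(foreach ($r in $searcher.FindAll()) {
    $uac        = [int]$r.Properties['useraccountcontrol'][0]
    $pwdLastSet = [long]$r.Properties['pwdlastset'][0]

    # pwdLastSet is a Windows FILETIME; 0 means "user must change password at next logon".
    $lastSet = $null
    if ($pwdLastSet -gt 0) { $lastSet = [DateTime]::FromFileTime($pwdLastSet) }

    [pscustomobject]@{
        SamAccountName    = [string]$r.Properties['samaccountname'][0]
        Name              = [string]$r.Properties['name'][0]
        Enabled           = -not ($uac -band $AccountDisable)
        PasswordLastSet   = $lastSet
        DistinguishedName = [string]$r.Properties['distinguishedname'][0]
    }
})

$results | Sort-Object SamAccountName | Export-Csv -Path $OutFile -NoTypeInformation

$enabledCount = @($results | Where-Object { $_.Enabled }).Count
Write-Host ("{0} accounts with non-expiring passwords written to {1} ({2} of them enabled)" -f
    $results.Count, $OutFile, $enabledCount)
```

Enabled status matters for the report: a disabled account with a non-expiring password is a far smaller concern than an enabled one, and auditors generally want the two separated. If the ActiveDirectory module is available, `Search-ADAccount -PasswordNeverExpires -UsersOnly` and `Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordLastSet` return the same population with less code; the version above is for hosts where that module is not installed.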
I hope this helps someone out there!