Tuesday, May 12, 2009

VBScript to Find Users with Password Set to Never Expire

The script below searches the current domain (or one the user enters at the prompt) for every account that has the "Password Never Expires" attribute set. The results are written to a CSV file in the directory the script is run from.

Set WshShell = WScript.CreateObject("WScript.Shell")
strVer = "Ver 1.0 "
Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set oFile = FileSystem.CreateTextFile("PWDNeverExpires.csv", True)

strDomain = WshShell.ExpandEnvironmentStrings("%USERDOMAIN%")
strUserName = WshShell.ExpandEnvironmentStrings("%USERNAME%")
strOS = WshShell.ExpandEnvironmentStrings("%OS%")

strMessage = "Hit Cancel to quit"
strTitle = "Domain to Search"

'Get Domain Name (the current domain is offered as the default)
UserDomain = InputBox(strMessage, strTitle, strDomain)
If UserDomain = "" Then WScript.Quit   'Cancel (or an empty entry) quits the script
strMessage = ""
strTitle = ""

strMessage = "This may take a few minutes. . ."
WshShell.Popup strMessage, 2, "One moment please. . . "
strMessage = ""

'Bind to the domain through the WinNT provider and enumerate user objects only
Set objDomain = GetObject("WinNT://" & UserDomain)
objDomain.Filter = Array("User")

For Each objUser In objDomain

  'Attempt to bind to the user
  Set UserName = GetObject("WinNT://" & UserDomain & "/" & objUser.Name & ",User")

  'Check password attribute: &H10000 is the ADS_UF_DONT_EXPIRE_PASSWD bit of UserFlags
  objPwdExpires = UserName.Get("UserFlags")
  If (objPwdExpires And &H10000) <> 0 Then
    objPwdExpiresTrue = "Yes"
    strPwdExpires = "Date Set: "
    msgPwdExpires = "Password Set to Never Expire: "
  Else
    objPwdExpiresTrue = "No"
    strPwdExpires = "Password Expires: "
    msgPwdExpires = "Password Set to Never Expire: "
  End If

  oFile.WriteLine UserName.FullName & "," & UserName.Name & "," & msgPwdExpires & objPwdExpiresTrue & "," & strPwdExpires & objUser.PasswordExpirationDate

  Set UserName = Nothing
Next

oFile.Close
WScript.Echo "Password Check Complete"


Jamie said...

Very nice script.

Worked perfectly!

dsmith007 said...

Thanks very much, it works for me as well. Good job.

Jasen said...

This did not work for me. It fails on objUser.PasswordExpirationDate. I looked in the attribute editor for user objects and do not see the PasswordExpirationDate attribute.

Clark Leary said...

Is there a way to specify a specific OU to search instead of the entire directory? I have a lot of service accounts and email accounts that are set to not expire, but I would just like to search my OU that has user accounts only.

Clark Leary said...

Is there a way to specify a specific OU to search rather than the entire directory, to eliminate service accounts etc.?

Brian Bohanon said...

Unless there is a very specific reason you need to use VBScript, I would recommend PowerShell for this. Below is something to get you started. You'll need to import the ActiveDirectory module.

import-module activedirectory
Search-ADAccount -accountexpiring -timespan 7.00:00:00 -searchbase 'ou=serviceaccounts,dc=domain,dc=com'

This will return all accounts expiring in the next 7 days, located in the serviceaccounts OU.

You can get more detailed information about this from TechNet: https://technet.microsoft.com/en-us/library/ee617247.aspx?f=255&MSPPError=-2147217396
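The following is an added example, not code from the original post or from any of the commenters. It is a PowerShell equivalent of the VBScript above that tests the same UserFlags/userAccountControl bit (&H10000, ADS_UF_DONT_EXPIRE_PASSWD) the post searches for, and it takes a -SearchBase so the search can be limited to one OU, as Clark Leary asked. It assumes the ActiveDirectory module Brian Bohanon mentions (RSAT) is installed and that the caller can read the domain; the function name and the OU distinguished name are placeholders, not values from the page.

```powershell
# Added example (not the post's own code): PowerShell version of the
# "Password Never Expires" check, optionally scoped to a single OU.
# Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

function Get-PasswordNeverExpiresReport {
    param(
        # Where to search. Defaults to the whole domain; pass an OU DN to narrow it.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # CSV goes to the current directory, like the VBScript does.
        [string]$OutFile = (Join-Path -Path $PWD -ChildPath 'PWDNeverExpires.csv')
    )

    # ADS_UF_DONT_EXPIRE_PASSWD = 0x10000 (65536), the same bit the VBScript tests in
    # UserFlags. 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so the
    # domain controller evaluates the flag instead of the script pulling every user.
    $ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
                  '(userAccountControl:1.2.840.113556.1.4.803:=65536))'

    $results = Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase -SearchScope Subtree `
                   -Properties Enabled, PasswordLastSet, LastLogonDate, userAccountControl |
        Select-Object Name, SamAccountName, Enabled,
                      @{ Name = 'PasswordNeverExpires'
                         Expression = { ($_.userAccountControl -band 0x10000) -ne 0 } },
                      PasswordLastSet, LastLogonDate, DistinguishedName |
        Sort-Object PasswordLastSet   # oldest passwords first: the ones to review first

    $results | Export-Csv -Path $OutFile -NoTypeInformation
    Write-Host ("{0} account(s) with a non-expiring password written to {1}" -f @($results).Count, $OutFile)
    $results
}

# Usage: the whole domain ...
# Get-PasswordNeverExpiresReport
# ... or one OU only (placeholder DN; replace with your own)
Get-PasswordNeverExpiresReport -SearchBase 'OU=User Accounts,DC=example,DC=com'
```

Sorting by PasswordLastSet puts the accounts whose passwords have gone longest without a change at the top of the CSV, which is where a review of non-expiring accounts should start. Search-ADAccount -PasswordNeverExpires -UsersOnly -SearchBase ... returns the same set of accounts with less detail, if a one-liner is all that is needed.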