The following compares obtaining a list of users whose passwords have expired with Windows PowerShell and with ADManager Plus. (The native script listed below is written in VBScript.)
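' Reports enabled user accounts whose password is older than the domain
' maximum password age. For each match it writes sAMAccountName, mail and
' the computed expiry time to a CSV file.
'
' NOTE(review): only the domain-wide maxPwdAge is read. Accounts covered by a
' fine-grained password policy (msDS-ResultantPSO) can have a different
' maximum age and may be reported incorrectly -- confirm whether PSOs are used.
' NOTE(review): a maxPwdAge of 0 is normally taken to mean "passwords never
' expire"; this script does not special-case it -- verify the domain policy
' before trusting the output.
Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset
Dim dtmDate2, strName, strEmail
Dim lngSeconds2, str64Bit2
Dim objShell, lngBiasKey, lngBias, k
Dim objDomain, objMaxPwdAge, lngHighAge, lngLowAge, sngMaxPwdAge
Dim objDate, dtmPwdLastSet, dtmExpires
Dim objFSO, objLogFile

' Create the report file. CreateTextFile takes (path, overwrite, unicode):
' an existing file is overwritten and the output is written as Unicode.
' The report names accounts with expired passwords, so keep the target
' folder readable only by the administrators who need it.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLogFile = objFSO.CreateTextFile("C:\Scripts\PasswordExp.csv", True, True)
objLogFile.WriteLine "sAMAccountName,mail,passwordExpiresAt"

' Determine domain maximum password age policy in days.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
Set objDomain = GetObject("LDAP://" & strDNSDomain)
Set objMaxPwdAge = objDomain.MaxPwdAge
lngHighAge = objMaxPwdAge.HighPart
lngLowAge = objMaxPwdAge.LowPart
' LowPart is read as a signed 32-bit value; carry into HighPart when negative.
If (lngLowAge < 0) Then
    lngHighAge = lngHighAge + 1
End If
' Convert from 100-nanosecond intervals into days (the stored value is negative).
sngMaxPwdAge = -((lngHighAge * 2^32) + lngLowAge) / (600000000 * 1440)

' Passwords last set on or before this local time are past the maximum age.
dtmDate2 = DateAdd("d", -sngMaxPwdAge, Now())

' Obtain local time zone bias (minutes) from the machine registry.
' This bias changes with Daylight Saving Time.
Set objShell = CreateObject("Wscript.Shell")
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    & "TimeZoneInformation\ActiveTimeBias")
lngBias = 0
If (UCase(TypeName(lngBiasKey)) = "LONG") Then
    lngBias = lngBiasKey
ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
    ' The value came back as a byte array: assemble it little-endian.
    For k = 0 To UBound(lngBiasKey)
        lngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
End If

' Shift the threshold to UTC and express it as 100-nanosecond intervals
' since 1 January 1601, the form in which pwdLastSet is stored.
dtmDate2 = DateAdd("n", lngBias, dtmDate2)
lngSeconds2 = DateDiff("s", #1/1/1601#, dtmDate2)
str64Bit2 = CStr(lngSeconds2) & "0000000"

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain. The ADO LDAP dialect expects the
' search base in angle brackets; an empty base leaves the query without a
' starting point.
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user objects whose password was last set on or before the
' threshold computed above and is not flagged "must change at next logon"
' (pwdLastSet = 0), excluding accounts by userAccountControl bit
' (1.2.840.113556.1.4.803 is the bitwise-AND matching rule):
'   2     = account is disabled
'   65536 = password never expires
'   32    = password not required
'   48    = 32 + 16; any account matching 48 also matches 32, so this clause
'           excludes nothing extra. The original comment described it as
'           "password cannot change" -- NOTE(review): confirm the intent.
' Each NOT is written as (!(...)) so the filter follows standard LDAP syntax.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(!(pwdLastSet=0))" _
    & "(pwdLastSet<=" & str64Bit2 & ")" _
    & "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" _
    & "(!(userAccountControl:1.2.840.113556.1.4.803:=65536))" _
    & "(!(userAccountControl:1.2.840.113556.1.4.803:=32))" _
    & "(!(userAccountControl:1.2.840.113556.1.4.803:=48)))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "sAMAccountName,mail,pwdLastSet"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
' Page the results so domains with many matching users are read completely.
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    strName = adoRecordset.Fields("sAMAccountName").Value
    ' mail may be Null; appending "" turns it into an empty string.
    strEmail = adoRecordset.Fields("mail").Value & ""
    If (TypeName(adoRecordset.Fields("pwdLastSet").Value) = "Object") Then
        Set objDate = adoRecordset.Fields("pwdLastSet").Value
        dtmPwdLastSet = Integer8Date(objDate, lngBias)
    Else
        dtmPwdLastSet = #1/1/1601#
    End If
    dtmExpires = DateAdd("d", sngMaxPwdAge, dtmPwdLastSet)
    ' Directory values are data, not trusted text: quote them so embedded
    ' commas or quotes cannot shift columns, and neutralise leading formula
    ' characters before the file is opened in a spreadsheet.
    objLogFile.Write CsvField(strName) & ","
    objLogFile.Write CsvField(strEmail) & ","
    objLogFile.Write dtmExpires
    objLogFile.WriteLine
    adoRecordset.MoveNext
Loop

' Clean up.
objLogFile.Close
adoRecordset.Close
adoConnection.Close

Function CsvField(ByVal strValue)
    ' Return strValue as a quoted CSV field. Embedded double quotes are
    ' doubled, and a value starting with =, +, - or @ is prefixed with an
    ' apostrophe so a spreadsheet treats it as text rather than a formula.
    Dim strOut
    strOut = CStr(strValue & "")
    If (Len(strOut) > 0) Then
        Select Case Left(strOut, 1)
            Case "=", "+", "-", "@"
                strOut = "'" & strOut
        End Select
    End If
    CsvField = """" & Replace(strOut, """", """""") & """"
End Function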
Function Integer8Date(ByVal objDate, ByVal lngBias)
    ' Convert an Integer8 (64-bit) value, exposed through HighPart and
    ' LowPart, into a date shifted by lngBias minutes. Returns 1 January
    ' 1601 when the final conversion to a date fails.
    Dim highPart, lowPart, biasMinutes, elapsedMinutes, rawDate

    highPart = objDate.HighPart
    lowPart = objDate.LowPart

    ' Account for error in IADsLargeInteger property methods: a negative
    ' LowPart needs a carry into HighPart.
    If (lowPart < 0) Then
        highPart = highPart + 1
    End If

    ' A value of zero is left at the 1601 epoch; no bias is applied to it.
    If (highPart = 0) And (lowPart = 0) Then
        biasMinutes = 0
    Else
        biasMinutes = lngBias
    End If

    ' 600000000 intervals of 100 ns make one minute; 1440 minutes make one day.
    elapsedMinutes = ((highPart * (2 ^ 32)) + lowPart) / 600000000 - biasMinutes
    rawDate = #1/1/1601# + elapsedMinutes / 1440

    ' Trap the error raised when rawDate is too large to be a valid date.
    On Error Resume Next
    Integer8Date = CDate(rawDate)
    If (Err.Number <> 0) Then
        On Error GoTo 0
        Integer8Date = #1/1/1601#
    End If
    On Error GoTo 0
End Function
ADManager Plus
To obtain the report,
- Select Password Expired Users from Password Reports section.
- Select domain and OU. Click Generate.
- Select Export as to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX)
The following are the limitations of obtaining a report of password-expired user accounts with native tools like VBScript:
- The script can be used only within a single domain. For multiple domains, it must be modified and run separately for each domain.
- The script is quite complex to put together, with multiple calculations involved.
- It is difficult to change date formats.
- It is difficult to apply different time zones to the date results.