| pid | 1067 |
|---|---|
| author | Andy Stumph |
| title | Get-ADNonExpPass |
| date | 2009-04-30 01:36:21 -0700 |
| format | posh |
| parent | 0 |
This script will retrieve all user accounts whose passwords are set to not expire for a given LDAP path. Defaults to root of the domain.
param ($LDAPPath = "", [switch]$Help)
if ($Help)
{
""
Write-Host "Usage: .\Get-ADNonExpPass.ps1 <LDAPPath>" -foregroundcolor Yellow
Write-Host "Ex: .\Get-ADNonExpPass.ps1 'LDAP://ou=users,dc=domain,dc=com'" -foregroundcolor Yellow
""
break
}
#UAC Flag in Hex
#http://support.microsoft.com/kb/305144
$DontExpire = 0x10000
$Root = [ADSI]$LDAPPath
$Category = "user"
$Selector = New-Object DirectoryServices.DirectorySearcher
$Selector.SearchRoot = $Root
$Selector.Filter = ("(objectCategory=$Category)")
#$Selector.pagesize = 2000
# Grab all the user objects for the OU
$Users = $Selector.findall()
foreach ($User in $Users) {
$DN = $User.properties.distinguishedname
$UserProp = [ADSI]"LDAP://$dn"
if (($UserProp.UserAccountControl[0] -band $DontExpire) -eq 65536)
{
$UserProp | Select Name, UserAccountControl
}
}