I need to query Active Directory for a list of users whose password is about to expire. The obvious (and easy) way to do this is with:

dsquery user -stalepwd n

The problem is that I need to add additional filters to only look for users who are in certain security groups. This is hard to do with the "dsquery user" syntax that has the built-in -stalepwd option, so I've been using the "dsquery * -filter" option, which allows you to use LDAP query syntax. Unfortunately, while it's relatively easy to apply the other filters with an LDAP query, I'm having trouble filtering users who have a password age greater than n.

Does anyone know the syntax (or if it is even possible) to filter for old passwords using the "dsquery * -filter" method instead of the "dsquery user -stalepwd" method?

+1  A: 

There are better tools than dsquery to use.

FindExpAcc from joeware will do the same as stalepwd and allow a filter through its -f switch.

The filter would then look like:

(&(objectCategory=user)(memberOf=CN=User Group,OU=Test,DC=foo,DC=com))

Also check out adfind and admod tools from joeware which are more powerful than the command line query tools from Microsoft, but can be a little harder to learn.

benPearce
A: 

You can write an LDAP Query that compares "stale" passwords by comparing the pwdLastSet attribute on the user object:

(&(objectClass=person)(objectClass=User)(pwdLastSet<=n))

ActiveDirectory uses a very specific format for this time stamp. I believe it is a file-time, but I would double check on the web.

Alan
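Putting the two answers together (the memberOf clause from the first answer and the pwdLastSet comparison from the second), the piece still missing is how to turn "n days" into the number that goes on the right of `pwdLastSet<=`. The following is an added example, not code from either answer, from the question, or from the joeware or Microsoft tools: it converts a date to the Windows FILETIME integer that Active Directory stores in pwdLastSet, builds the filter string you would hand to `dsquery * -filter`, and runs the same logic over a few constructed user records. The group DN, the sample users, the fixed "now" and the function names are all assumptions made for the example; the two extra clauses it adds (excluding pwdLastSet=0 and the "password never expires" flag) are standard AD semantics, not something the answers above mention.

```python
"""Build an LDAP filter for 'password older than n days' (added example, not from the page)."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
# Active Directory stores pwdLastSet as this integer (LDAP 'Large Integer' syntax).
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_SECOND = 10_000_000

# userAccountControl bit for 'password never expires' (ADS_UF_DONT_EXPIRE_PASSWD).
DONT_EXPIRE_PASSWORD = 0x10000
# AD's extensible-match rule OID for a bitwise AND test on an integer attribute.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def to_filetime(when: datetime) -> int:
    """Convert a timezone-aware datetime to a Windows FILETIME integer."""
    if when.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    delta = when.astimezone(timezone.utc) - _FILETIME_EPOCH
    # Use the exact integer fields rather than total_seconds() to avoid float rounding.
    seconds = delta.days * 86400 + delta.seconds
    return seconds * _TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ticks: int) -> datetime:
    """Convert a Windows FILETIME integer back to a UTC datetime (sub-microsecond ticks dropped)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515), so a DN with
    parentheses or asterisks cannot change the structure of the query."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def stale_password_filter(max_age_days: int, group_dn: str, now: Optional[datetime] = None) -> str:
    """Return an LDAP filter matching members of group_dn whose password is older than max_age_days.

    Two cases a bare (pwdLastSet<=n) clause gets wrong are handled explicitly:
    - pwdLastSet=0 means 'must change password at next logon', not 'very old',
      yet it compares as <= n, so it is excluded.
    - Accounts flagged 'password never expires' are excluded via the bitwise-AND
      matching rule on userAccountControl.
    """
    now = now or datetime.now(timezone.utc)
    threshold = to_filetime(now - timedelta(days=max_age_days))
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(memberOf={escape_filter_value(group_dn)})"
        f"(pwdLastSet<={threshold})"
        "(!(pwdLastSet=0))"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={DONT_EXPIRE_PASSWORD})))"
    )


def matches(user: dict, max_age_days: int, group_dn: str, now: datetime) -> bool:
    """Apply the same logic as the filter to an in-memory user record (for the constructed sample)."""
    threshold = to_filetime(now - timedelta(days=max_age_days))
    return (
        group_dn in user["memberOf"]
        and user["pwdLastSet"] != 0
        and user["pwdLastSet"] <= threshold
        and not (user["userAccountControl"] & DONT_EXPIRE_PASSWORD)
    )


def stale_users(users, max_age_days: int, group_dn: str, now: datetime):
    """Names of the users in `users` that the filter would return."""
    return [u["name"] for u in users if matches(u, max_age_days, group_dn, now)]


# Constructed sample data: a fixed 'now' so results are reproducible, a group DN
# mirroring the one in the first answer, and one user per interesting case.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GROUP = "CN=User Group,OU=Test,DC=foo,DC=com"
NORMAL_ACCOUNT = 0x200  # ADS_UF_NORMAL_ACCOUNT
SAMPLE_USERS = [
    {"name": "alice", "memberOf": [GROUP], "pwdLastSet": to_filetime(NOW - timedelta(days=120)),
     "userAccountControl": NORMAL_ACCOUNT},                       # stale: should match
    {"name": "bob", "memberOf": [GROUP], "pwdLastSet": to_filetime(NOW - timedelta(days=10)),
     "userAccountControl": NORMAL_ACCOUNT},                       # fresh password
    {"name": "carol", "memberOf": [GROUP], "pwdLastSet": 0,
     "userAccountControl": NORMAL_ACCOUNT},                       # must change at next logon
    {"name": "dave", "memberOf": [GROUP], "pwdLastSet": to_filetime(NOW - timedelta(days=400)),
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},  # never expires
    {"name": "erin", "memberOf": [], "pwdLastSet": to_filetime(NOW - timedelta(days=400)),
     "userAccountControl": NORMAL_ACCOUNT},                       # not in the group
]

if __name__ == "__main__":
    print(stale_password_filter(90, GROUP, NOW))
    print(stale_users(SAMPLE_USERS, 90, GROUP, NOW))  # ['alice']
```

The string returned by `stale_password_filter` is what goes inside the quotes of `dsquery * -filter "..."`; because the threshold is an absolute timestamp, it has to be regenerated each time the query runs rather than saved. The sample shows why the two extra clauses matter: without them, carol (pwdLastSet=0) and dave (password never expires) would be reported alongside alice.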