Kdyer
(KiX Supporter)
2002-05-30 06:29 PM
Password expiration for a service account

We have a policy where all accounts (user, etc.) expire in X days..

I wanted to create a notification script to notify when the account is due to expire.

Comments, etc. are welcome.

code:
 
BREAK ON
CLS

; -- Ref. http://kixtart.org/board/Forum2/HTML/000133.html for date routine

IF Left(@kix,1) < 4
?"This script requires Kixtart 4.x"
SLEEP 2
EXIT
ELSE

$ldomain = @domain
$lstrusername = "servicesql"
$mailhost = "smtp.server.com"
$adminrecpt = "recipient@@server.com"

$userobj = GetObject("WinNT://$LDomain/$lstrUserName")

;$UserObj = GetObject("WinNT://" + $DomainString + "/" + $lstrUserName)

$pwexpire = $userobj.passwordexpirationdate
$dtcalc = $pwexpire = @date

?"UserAuthor: " + $userobj.name
?"UserPasswordExpires: " + $pwexpire

$tt = $pwexpire

$pwdate = substr($tt,1,10)

$pwyear = val(substr($tt,1,4))
$pwmonth = val(substr($tt,6,2))
$pwdate = val(substr($tt,9,2))

$nowyear = @year
$nowmonth = @monthno
$nowdate = @mdayno

IF $pwyear <> $nowyear
$nowmonth = $nowmonth + (12 * ($nowyear - $pwyear))
ENDIF

IF $pwmonth <> $nowmonth
$nowdate = $nowdate + 30
ENDIF

?$nowdate - $pwdate

IF ($nowdate - $pwdate) <= 2
? "Password Change required within 2 days, please change"
SHELL 'postie.exe -host:$MailHost -to:$AdminRecpt -from:"ServiceAccountChg" -s:"Password Change" -msg:"The service account: $lstrUserName needs to be changed."'
ELSE
? "Password older than 2 Days, no action is needed"
ENDIF
ENDIF

Cheers!

- Kent

[ 30 May 2002, 19:05: Message edited by: kdyer ]


BrianTX
(Korg Regular)
2002-05-30 11:52 PM
Re: Password expiration for a service account

Kent,

I'll test your script if you test mine! (lol)

Brian


Kdyer
(KiX Supporter)
2002-05-31 05:07 AM
Re: Password expiration for a service account

It needs some help..

I am running into some trouble with substr..

Sure.. I can look into your script.

- Kent


Breaker
(Hey THIS is FUN)
2002-05-31 10:34 AM
Re: Password expiration for a service account

Kent,

I've not used it myself (I leave tricky stuff like this to the pros!) but Jpols has a UDF DateCalc() which might save you the trouble of doing all the Substr'ing yourself. I assume it is the date calculation that's giving you grief?

Breaker


BrianTX
(Korg Regular)
2002-05-31 05:09 PM
Re: Password expiration for a service account

I just whipped up a little script.. I may post the UDF in the UDF forum (I thought it was handy anyways..)

code:
BREAK ON
CLS

IF Left(@kix,1) < 4
?"This script requires Kixtart 4.x"
SLEEP 2
EXIT
ELSE
$ldomain = @domain
$lstrusername = "servicesql"
$mailhost = "smtp.server.com"
$adminrecpt = "recipient@@server.com"
$userobj = GetObject("WinNT://$LDomain/$lstrUserName")
$pwexpire = $userobj.passwordexpirationdate

?"UserAuthor: " + $userobj.name
?"UserPasswordExpires: " + $pwexpire

$tt = SPLIT($pwexpire," ")
$mdy = SPLIT($tt[0],"/")
$expiredatearray = $mdy[2],$mdy[0],$mdy[1]
$currentdatearray = "@YEAR","@MONTHNO","@MDAYNO"


Function CalcDayofYear($ymdarray) ; Only works on non-millenium years after 2000.
$Calendar = 31,28,31,30,31,30,31,31,30,31,30,31
If VAL($ymdarray[0]) & 1 $Ly = 0 ; leap year calculations
Else
If (Val($ymdarray[0])/2) & 1 $Ly = 0
Else $Ly = 1
Endif
Endif
$calendar[1] = $calendar[1] + $LY
$mdays = 0
For $m = 0 to (Val($ymdarray[1]) -2)
$mdays = $mdays + $calendar[$m]
Next
$CalcDayofYear = $mdays + $ymdarray[2]
EndFunction

$daystoexpire = CalcDayofYear($expiredatearray) - CalcDayofYear($currentDateArray) + ((VAL($expiredatearray[0]) - VAL($currentdatearray[0])) * 365)

If $daystoexpire <= 2
? "Password Change required within 2 days, please change"
SHELL 'postie.exe -host:$MailHost -to:$AdminRecpt -from:"ServiceAccountChg" -s:"Password Change" -msg:"The service account: $lstrUserName needs to be changed."'
ELSE
? "Password will not expire for more than 2 Days, no action is needed"
ENDIF

ENDIF

What do you think? It works great for me.

Brian

[ 04 June 2002, 17:15: Message edited by: BrianTX ]


NTDOCAdministrator
(KiX Master)
2002-05-31 05:53 PM
Re: Password expiration for a service account

FYI,

Active Directory needs:

$userobj = GetObject("LDAP://cn=??,ou=??,etc...")


BrianTX
(Korg Regular)
2002-05-31 06:14 PM
Re: Password expiration for a service account

I don't use Win2k Servers.. I don't know if Kent does or not. [Smile] I suppose this could be modified to check for active directory....?

Brian


Kdyer
(KiX Supporter)
2002-05-31 09:53 PM
Re: Password expiration for a service account

Brian,

Works a treat!

Doc - Sure you could use AD, but I think this is simpler. [Big Grin]

If you want the VBScript version..

code:
Dim DomainString, UserObj,PwExpire,TodayDt,DtCalc,FmtDate

DomainString = "YOURDOMAIN"

lstrUserName = "servicesql"

Set UserObj = GetObject("WinNT://" & DomainString & "/" & lstrUserName)

PwExpire = UserObj.PasswordExpirationDate
DtCalc = DateDiff("d",date,PwExpire)
'TodayDt = Date
'DtCalc = FmtDate - TodayDt

If DtCalc <= 2 Then
wscript.echo "Please Change your servicesql password"
end if

wscript.echo "UserAuthor: " & UserObj.Name
wscript.echo "UserPasswordExpires: " & PwExpire
'wscript.echo TodayDt
wscript.echo DtCalc

Pieces are found at - http://cwashington.netreach.net/depo/view.asp?Index=198&ScriptType=vbscript

Thanks,

- Kent

[ 31 May 2002, 21:55: Message edited by: kdyer ]


BrianTX
(Korg Regular)
2002-05-31 10:04 PM
Re: Password expiration for a service account

I had to edit script above to allow for the expiration date coming in a different year...

Lemme see if I can think of a scenario it wouldn't be accurate...

1. one of the dates is in the year 2100.
2. Date last changed is after Feb 28 on a leap year and Date expired is the next year. (You'd get a day less than correct so a day early warning)

I could fix these things by making a leap year function.. or recording days from January 1, 2002. Is this necessary?

[edit: hmm. or making a loop step from expire year to changed year and count the days in the year (December 31)]

Brian

[ 31 May 2002, 22:08: Message edited by: BrianTX ]


BrianTX
(Korg Regular)
2002-05-31 10:29 PM
Re: Password expiration for a service account

OK. I'm reposting the corrected version which does not have the inconsistencies of the other version.

code:
BREAK ON
CLS

IF Left(@kix,1) < 4
?"This script requires Kixtart 4.x"
SLEEP 2
EXIT
ELSE
$ldomain = @domain
$lstrusername = "servicesql"
$mailhost = "smtp.server.com"
$adminrecpt = "recipient@@server.com"
$userobj = GetObject("WinNT://$LDomain/$lstrUserName")
$pwexpire = $userobj.passwordexpirationdate

?"UserAuthor: " + $userobj.name
?"UserPasswordExpires: " + $pwexpire

$tt = SPLIT($pwexpire," ")
$mdy = SPLIT($tt[0],"/")
$expiredatearray = $mdy[2],$mdy[0],$mdy[1]
$currentdatearray = "@YEAR","@MONTHNO","@MDAYNO"


Function CalcDayofYear($ymdarray) ; Only works on non-millenium years after 2000.
$Calendar = 31,28,31,30,31,30,31,31,30,31,30,31
If VAL($ymdarray[0]) & 1 $Ly = 0 ; leap year calculations
Else
If (Val($ymdarray[0])/2) & 1 $Ly = 0
Else $Ly = 1
Endif
Endif
$calendar[1] = $calendar[1] + $LY
$mdays = 0
For $m = 0 to (Val($ymdarray[1]) -2)
$mdays = $mdays + $calendar[$m]
Next
$CalcDayofYear = $mdays + $ymdarray[2]
EndFunction

$diffyears = VAL($expiredatearray[0]) - VAL($currentdatearray[0])
If $diffyears > 0
$YearstoDays = 0
For $countyear = VAL($currentdatearray[0]) to (VAL($expiredatearray[0])-1)
$acountyear = $countyear,"12","31"
$YearstoDays = $Yearstodays + CalcDayofYear($acountyear)
Next
Endif

$daystoexpire = CalcDayofYear($expiredatearray) - CalcDayofYear($currentDateArray) + $yearstodays
If $daystoexpire <= 2
? "Password Change required within 2 days, please change"
SHELL 'postie.exe -host:$MailHost -to:$AdminRecpt -from:"ServiceAccountChg" -s:"Password Change" -msg:"The service account: $lstrUserName needs to be changed."'
ELSE
? "Password will not expire for more than 2 Days, no action is needed"
ENDIF

ENDIF

I fixed the problem with the next year/leap year stuff. Still won't work with the year 2100 (who cares?)

Brian

[ 04 June 2002, 17:16: Message edited by: BrianTX ]


Sealeopard
(KiX Master)
2002-05-31 10:35 PM
Re: Password expiration for a service account

Why don't you just use the following two UDFs instead?
DateCalc() - Calculates Days between or returns calculated Date (Days as modifier)
SerialDate() - Convert dates to numbers (and back) for the purpose of performing date


BrianTX
(Korg Regular)
2002-05-31 11:01 PM
Re: Password expiration for a service account

You're right.. their line:

$SerialDate=$d+(153*$m-457)/5+365*$y+$y/4-$y/100+$y/400-306

does everything in one line that I do in several lines. However, you have to go through a bunch of math theorems to come up with that formula... (I know.. someone worked it out a long time ago. I saw something like that in the 3rd grade.).. Anyway it's just a good exercise to do it yourself! (and my code is smaller than with the functions from scriptlogic)

Brian


NTDOCAdministrator
(KiX Master)
2002-05-31 11:13 PM
Re: Password expiration for a service account

Kent,

FYI
In general a WinNT call will work for a lot of things on AD, but not everything. WinNT does not understand the Schema of AD so it can not get "all" details. LDAP is designed to do this.


Kdyer
(KiX Supporter)
2002-06-01 04:10 AM
Re: Password expiration for a service account

Jens,

I have used the SerialDate and DateMath recently for a similar type of post, but I think BrianTX's code is much better at it (more compact). I did read the link that Brian Styles placed on the Serial Date with regard to the algorithms used and found it interesting.

- Kent


BrianTX
(Korg Regular)
2002-06-03 04:56 PM
Re: Password expiration for a service account

It has to do with the Julian date, correct? I thought it was interesting as well. Because it is an approximation, I was wondering what dates it has been tested for, and if it is 100% accurate.

Brian
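
Added example (not code from the thread or from the SerialDate UDF): a Python check of the one-line formula quoted above against the standard library's calendar, alongside the parity-based leap test used in CalcDayofYear. The month shift for January and February is an assumption, since the thread quotes only the formula line; the expiry dates and day counts are the ones Kent reports in his 2002-06-04 output.

```python
from datetime import date


def serial_date(y, m, d):
    """Day number computed with the formula quoted in the thread.

    Assumption (not shown on the page): January and February are counted
    as months 13 and 14 of the previous year before the formula is applied.
    """
    if m < 3:
        m += 12
        y -= 1
    return d + (153 * m - 457) // 5 + 365 * y + y // 4 - y // 100 + y // 400 - 306


def thread_is_leap(year):
    """Leap test as written in CalcDayofYear: two parity checks (year % 4 == 0)."""
    if year & 1:
        return False
    return not ((year // 2) & 1)


def gregorian_is_leap(year):
    """Full Gregorian rule, including the century exceptions."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def days_until(expiry, today):
    """Days between two (year, month, day) tuples using the serial formula."""
    return serial_date(*expiry) - serial_date(*today)


def formula_mismatches(first_year, last_year):
    """Every date in the range where the formula disagrees with datetime."""
    bad = []
    start = date(first_year, 1, 1).toordinal()
    end = date(last_year, 12, 31).toordinal()
    for ordinal in range(start, end + 1):
        dt = date.fromordinal(ordinal)
        if serial_date(dt.year, dt.month, dt.day) != ordinal:
            bad.append(dt)
    return bad


def leap_rule_disagreements(first_year, last_year):
    """Years where the thread's parity test differs from the Gregorian rule."""
    return [y for y in range(first_year, last_year + 1)
            if thread_is_leap(y) != gregorian_is_leap(y)]


# Run date and expiry dates taken from the output posted on 2002-06-04.
TODAY = (2002, 6, 4)
SAMPLE_EXPIRIES = [(2002, 7, 9), (2002, 8, 28), (2002, 7, 17)]

if __name__ == "__main__":
    print("formula mismatches 1900-2200:", len(formula_mismatches(1900, 2200)))
    print("parity leap test wrong for:", leap_rule_disagreements(1900, 2400))
    for expiry in SAMPLE_EXPIRIES:
        print(expiry, "->", days_until(expiry, TODAY), "days")
```

The formula is exact integer arithmetic over the Gregorian calendar rather than an approximation; only the parity-based leap test goes wrong, and only in century years that are not divisible by 400.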


Kdyer
(KiX Supporter)
2002-06-03 05:27 PM
Re: Password expiration for a service account

Doc,

Question for you..

Trying to use the LDAP Method and I keep getting:
quote:

Script error : unknown command !
$pwexpire = $userobj.passwordexpirationdate

If we look at Active Directory Users and computers and have "Advanced Features" turned on.. We look at the object, we see:
quote:

DOMAIN.com/Accounts/Users/Service Account Users/SQL Service Accounts/ServiceSql

So, we make the changes per your suggestion, and refer to - http://cwashington.netreach.net/depo/default.asp?topic=adsifaq

quote:

$userobj = GetObject("LDAP://PDC.DOMAIN.com,ou=Accounts,ou=Users,ou=Service Account Users,ou=SQL Service Accounts,cn=ServiceSql")

Any ideas?

Thanks,

- Kent


Kdyer
(KiX Supporter)
2002-06-04 05:04 PM
Re: Password expiration for a service account

Made some changes to the script to add in a simple array (split) for checking other accounts that fall into this realm.

Doc - You out there? [Smile]

Here is the modified code:
code:
 BREAK ON
CLS

; -- Author - Kent Dyer
; -- Original Date - 30 May 2002
; -- Change Date - 4 June 2002
; -- Initially used Date Routine - http://kixtart.org/board/Forum2/HTML/000133.html
; -- Date Routine built/changes by BrianTX
; -- Optionally, you could use DateMath, SerialDate from
; -- http://scriptlogic.com/Kixtart/ViewFunction.asp?FN=SerialDate
; -- http://scriptlogic.com/Kixtart/ViewFunction.asp?FN=DateMath
; -- Added a simple array (using split) from Kix 4.x 6/4/02
; -- pieces taken from
; -- http://cwashington.netreach.net/depo/view.asp?Index=198&ScriptType=vbscript
; -- http://cwashington.netreach.net/depo/view.asp?Index=323&ScriptType=vbscript
; -- http://kixtart.org/board/ultimatebb.php?ubb=get_topic;f=2;t=003347

IF Left(@kix,1) < 4
?"This script requires Kixtart 4.x"
SLEEP 2
EXIT
ELSE
$ldomain = @domain
;$lstrusername = "servicesql" ; -- uncomment out if you don't want to use split
$lstrusername = Split("servicesql~~cbcwindu~~servicemmc", "~~") ; -- comment out if you don't want to use split
$mailhost = "smtphost.domain.com" ; -- fill in with your smtp server
$adminrecpt = "user@@domain.com" ; -- add in your e-mail address

FOR EACH $element IN $lstrusername ; -- comment out if you don't want to use split

;$userobj = GetObject("LDAP://PDC.DOMAIN.com,ou=Accounts,ou=Users,ou=Service Account Users,ou=SQL Service Accounts,cn=ServiceSql")
;$userobj = GetObject("WinNT://$LDomain/$lstrUserName") ; -- uncomment out if you don't want to use split
$userobj = GetObject("WinNT://$LDomain/$Element") ; -- comment out if you don't want to use split
$pwexpire = $userobj.passwordexpirationdate

?"UserName: " + $userobj.name
?"UserPasswordExpires: " + $pwexpire

$tt = SPLIT($pwexpire," ")
$mdy = SPLIT($tt[0],"/")
$expiredatearray = $mdy[2],$mdy[0],$mdy[1]
$currentdatearray = "@YEAR","@MONTHNO","@MDAYNO"


FUNCTION CalcDayofYear($ymdarray) ; Only works on non-millenium years after 2000.
$calendar = 31,28,31,30,31,30,31,31,30,31,30,31
IF VAL($ymdarray[0]) & 1 $ly = 0 ; leap year calculations
ELSE
IF (Val($ymdarray[0])/2) & 1 $ly = 0
ELSE
$ly = 1
ENDIF
ENDIF
$calendar[2] = $calendar[2] + $ly
$mdays = 0
FOR $m = 0 TO (Val($ymdarray[1]) -2)
$mdays = $mdays + $calendar[$m]
NEXT
$calcdayofyear = $mdays + $ymdarray[2]
ENDFUNCTION

$daystoexpire = CalcDayofYear($expiredatearray) - CalcDayofYear($currentdatearray)
?$daystoexpire

IF $daystoexpire <= 2
? "Password Change required within 2 days, please change"
;SHELL 'postie.exe -host:$MailHost -to:$AdminRecpt -from:"ServiceAccountChg" -s:"Password Change" -msg:"The service account: $lstrUserName needs to be changed."'
SHELL 'postie.exe -host:$MailHost -to:$AdminRecpt -from:"ServiceAccountChg" -s:"Password Change" -msg:"The service account: $Element needs to be changed."'
ELSE
? "Password will not expire for more than 2 Days, no action is needed"
ENDIF
NEXT ; -- comment out if you don't want to use split

ENDIF

Thanks!

- Kent


BrianTX
(Korg Regular)
2002-06-04 05:15 PM
Re: Password expiration for a service account

Kent.. I keep finding bugs in the script! lol... (geez... can't seem to get everything to work 100% correctly)

It should be:

$calendar[1] = $calendar[1] + $ly

(I forgot the 0 element of the array was january)

Also, please see the second script I posted that accounts for year rollover...

Brian


Kdyer
(KiX Supporter)
2002-06-04 07:16 PM
Re: Password expiration for a service account

Brian,

Works great..
quote:

UserName: ServiceSql
UserPasswordExpires: 7/9/2002 6:18:13 AM
Number of Days till password expires: 35
Password will not expire for more than 2 Days, no action is needed
UserName: cbcwindu
UserPasswordExpires: 8/28/2002 10:29:29 AM
Number of Days till password expires: 85
Password will not expire for more than 2 Days, no action is needed
UserName: servicemmc
UserPasswordExpires: 7/17/2002 7:26:16 AM
Number of Days till password expires: 43
Password will not expire for more than 2 Days, no action is needed

Added in your fix..

code:
 BREAK ON
CLS

; -- Author - Kent Dyer
; -- Original Date - 30 May 2002
; -- Change Date - 4 June 2002
; -- Initially used Date Routine - http://kixtart.org/board/Forum2/HTML/000133.html
; -- Date Routine built/changes by BrianTX
; -- Optionally, you could use DateMath, SerialDate from
; -- http://scriptlogic.com/Kixtart/ViewFunction.asp?FN=SerialDate
; -- http://scriptlogic.com/Kixtart/ViewFunction.asp?FN=DateMath
; -- Added a simple array (using split) from Kix 4.x 6/4/02
; -- pieces taken from
; -- http://cwashington.netreach.net/depo/view.asp?Index=198&ScriptType=vbscript
; -- http://cwashington.netreach.net/depo/view.asp?Index=323&ScriptType=vbscript
; -- http://kixtart.org/board/ultimatebb.php?ubb=get_topic;f=2;t=003347

IF Left(@kix,1) < 4
?"This script requires Kixtart 4.x"
SLEEP 2
EXIT
ELSE
$ldomain = @domain
;$lstrusername = "servicesql" ; -- uncomment out if you don't want to use split
$lstrusername = Split("servicesql~~cbcwindu~~servicemmc", "~~") ; -- comment out if you don't want to use split
$mailhost = "smtphost.domain.com" ; -- fill in with your smtp server
$adminrecpt = "user@@domain.com" ; -- add in your e-mail address

FOR EACH $element IN $lstrusername ; -- comment out if you don't want to use split

;$userobj = GetObject("LDAP://PDC.DOMAIN.com,ou=Accounts,ou=Users,ou=Service Account Users,ou=SQL Service Accounts,cn=ServiceSql")
;$userobj = GetObject("WinNT://$LDomain/$lstrUserName") ; -- uncomment out if you don't want to use split
$userobj = GetObject("WinNT://$LDomain/$Element") ; -- comment out if you don't want to use split
$pwexpire = $userobj.passwordexpirationdate

?"UserName: " + $userobj.name
?"UserPasswordExpires: " + $pwexpire

$tt = SPLIT($pwexpire," ")
$mdy = SPLIT($tt[0],"/")
$expiredatearray = $mdy[2],$mdy[0],$mdy[1]
$currentdatearray = "@YEAR","@MONTHNO","@MDAYNO"


FUNCTION CalcDayofYear($ymdarray) ; Only works on non-millenium years after 2000.
$calendar = 31,28,31,30,31,30,31,31,30,31,30,31
IF VAL($ymdarray[0]) & 1 $ly = 0 ; leap year calculations
ELSE
IF (Val($ymdarray[0])/2) & 1 $ly = 0
ELSE
$ly = 1
ENDIF
ENDIF
$calendar[1] = $calendar[1] + $ly
$mdays = 0
FOR $m = 0 TO (Val($ymdarray[1]) -2)
$mdays = $mdays + $calendar[$m]
NEXT
$calcdayofyear = $mdays + $ymdarray[2]
ENDFUNCTION

$diffyears = VAL($expiredatearray[0]) - VAL($currentdatearray[0])
IF $diffyears > 0
$yearstodays = 0
FOR $countyear = VAL($currentdatearray[0]) TO (VAL($expiredatearray[0])-1)
$acountyear = $countyear,"12","31"
$yearstodays = $yearstodays + CalcDayofYear($acountyear)
NEXT
ENDIF

$daystoexpire = CalcDayofYear($expiredatearray) - CalcDayofYear($currentdatearray) + $yearstodays
?"Number of Days till password expires: " + $daystoexpire
IF $daystoexpire <= 2
? "Password Change required within 2 days, please change"
;SHELL 'postie.exe -host:$MailHost -to:$AdminRecpt -from:"ServiceAccountChg" -s:"Password Change" -msg:"The service account: $lstrUserName needs to be changed."'
SHELL 'postie.exe -host:$MailHost -to:$AdminRecpt -from:"ServiceAccountChg" -s:"Password Change" -msg:"The service account: $element needs to be changed."'
ELSE
? "Password will not expire for more than 2 Days, no action is needed"
ENDIF

NEXT ; -- comment out if you don't want to use split

ENDIF

Added in a small piece to tell you visually how many days it will be when the password expires..

Thanks!

- Kent


NTDOCAdministrator
(KiX Master)
2002-06-04 07:47 PM
Re: Password expiration for a service account

I'm checking on it... I'll get back with you soon.

NTDOCAdministrator
(KiX Master)
2002-06-04 08:29 PM
Re: Password expiration for a service account

Kent,

Not sure what the deal is. If I use only a single name or try to do a split with multiple names, I get an OUT OF BOUNDS ARRAY ERROR when using the LDAP method. If I only change the LDAP call to WinNT then it works fine for either single or split calls.

The $expiredatearray is where it gets the error. Not sure if it is because it needs a redim or maybe the full path to the container level is wrong. It appears though that I'm using the correct call because if I change the CN to OU I get a different error that the $pwexpire = $userobj.passwordexpirationdate is an unknown command. But when I put it back to CN I get the Out of Bounds array error.

Shawn, Bryce, Bill, Others...

Do any of you know why the array error, or how to fix it?

Here is the LDAP I'm using, and it appears to be getting there, but the array call gets an error.

code:
$userobj =  GetObject("LDAP://cn=sup-rdl,ou=Users,ou=BusinessUnitLevel,ou=cala,dc=swna,dc=MyCompany,dc=com")



[ 04 June 2002, 20:38: Message edited by: NTDOC ]


BrianTX
(Korg Regular)
2002-06-04 10:19 PM
Re: Password expiration for a service account

It sounds to me like a formatting difference. The date is returned like this from winnt:

YYYY/MM/DD HH:MM:SS.hh

If it is returned differently from LDAP, then the script would have to be modified to account for that. (Unfortunately, I have no means to test on LDAP.. only have NT servers here.)

Brian

{edit}
P.S.... I totally forgot about the @YDAYNO function which could definitely be substituted for the CalcDayofYear($CurrentDateArray) but unfortunately can't be substituted for the CalcDayofYear($expiredateArray) unless you were to take the risky step of resetting the date to the old date, getting @YDAYNO then going back to the correct date.. (I don't think that's a good idea, but I had a similar idea when working on this.)

[ 04 June 2002, 22:57: Message edited by: BrianTX ]


NTDOCAdministrator
(KiX Master)
2002-06-05 03:21 AM
Re: Password expiration for a service account

Don't think it is the date/time format. The LDAP call comes back blank for some reason. Not sure why at this time.

If you run this code only with WinNT it works fine. If you rem out WinNT and run the LDAP GetObject code the UserPasswordExpires: comes back blank.

code:
$ldomain = @domain
$lstrusername = "NTDOC"
;$userobj = GetObject("LDAP://cn=ntdoc,ou=Users,ou=mybusinessOU,ou=cala,dc=MyCompany,dc=com")
$userobj = GetObject("WinNT://$LDomain/$lstrUserName")
$pwexpire = $userobj.passwordexpirationdate
?"UserName: " + $userobj.name
?"UserPasswordExpires: " + $pwexpire

I will try and locate information from other sources and or posting to NEWS group to see if someone else knows why or what is being done wrong here.


BrianTX
(Korg Regular)
2002-06-10 04:16 PM
Re: Password expiration for a service account

Have you figured this out, yet, NTDOC?

Brian


Kdyer
(KiX Supporter)
2002-06-15 08:40 AM
Re: Password expiration for a service account

* BUMP * Any word on this Doc?

Kent


Kdyer
(KiX Supporter)
2002-07-31 08:12 AM
Re: Password expiration for a service account

* BUMP * Doc?

NTDOCAdministrator
(KiX Master)
2002-07-31 09:51 AM
Re: Password expiration for a service account

Ok... sorry. Been quite busy and forgot about this post. I've learned a little more about AD now, but not sure I'll be able to get it working or not, but I'll give it a try.

NTDOCAdministrator
(KiX Master)
2002-08-01 04:01 AM
Re: Password expiration for a service account

I'm working on it... but dang. Still does not work correctly using pure LDAP/ADSI code so far.

The @PWAGE macro of KiXtart works. Can't seem to get the right info for KiXtart though using the LDAP/ADSI method of calls.


NTDOCAdministrator
(KiX Master)
2002-08-05 07:40 PM
Re: Password expiration for a service account

hmmm.... I'm starting to think this is not contained within the username object. Trying different names results in either name not found or not found in AD cache, etc...

When I get back to work and get time to check on it, I'll try a different approach, making the call perhaps using the RootDSE method if I can.


Chris S.
(MM club member)
2002-08-05 08:18 PM
Re: Password expiration for a service account

It (PasswordExpirationDate) is not, in fact, supported by the LDAP provider as referenced by: Provider Support of ADSI Interfaces.

It is supported by the WinNT provider, as well as MaxPasswordAge and PasswordAge. What if you used LDAP to grab the container you wanted to query to grab your 'user list' and then used the WinNT provider to determine password age using a method similar to my last post in this thread... get @pwage from user list and send notification e-mail?
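
Added example, not code from this thread: when only LDAP is available, the expiry has to be derived from raw directory attributes, which this Python example does offline. The attribute names pwdLastSet, maxPwdAge and userAccountControl are Active Directory's and do not appear on the page; it assumes a single domain-wide maxPwdAge, and every value in SAMPLE is constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
TICKS_PER_SECOND = 10_000_000        # one tick = 100 ns
UF_DONT_EXPIRE_PASSWD = 0x10000      # userAccountControl bit
NO_MAX_AGE = (0, -(2 ** 63))         # maxPwdAge values meaning "no limit"


def to_filetime(dt):
    """Aware datetime -> 100 ns ticks since 1601-01-01 UTC."""
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)


def from_filetime(ticks):
    """100 ns ticks since 1601-01-01 UTC -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_expiry(pwd_last_set, max_pwd_age, uac):
    """Return (state, expiry); expiry is None unless state is 'expires'."""
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in NO_MAX_AGE:
        return "never-expires", None
    if pwd_last_set == 0:
        return "must-change-at-next-logon", None
    # maxPwdAge is stored as a negative interval, so subtracting adds it.
    return "expires", from_filetime(pwd_last_set - max_pwd_age)


def classify(pwd_last_set, max_pwd_age, uac, now, warn_days=7):
    """Same three outcomes as the WinNT script, plus the non-expiring cases."""
    state, expiry = password_expiry(pwd_last_set, max_pwd_age, uac)
    if state != "expires":
        return state
    remaining = expiry - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining < timedelta(days=warn_days):
        return "warn"
    return "ok"


# Constructed sample data: a 90-day policy and a fixed "now".
NOW = datetime(2002, 8, 5, 20, 18, tzinfo=UTC)
MAX_PWD_AGE = -90 * 86400 * TICKS_PER_SECOND
SAMPLE = {
    # name: (pwdLastSet, userAccountControl)
    "servicesql": (to_filetime(datetime(2002, 5, 10, tzinfo=UTC)), 0x200),
    "cbcwindu": (to_filetime(datetime(2002, 4, 1, tzinfo=UTC)), 0x200),
    "servicemmc": (to_filetime(datetime(2002, 1, 15, tzinfo=UTC)), 0x10200),
    "testacnt": (0, 0x200),
    "sup-rdl": (to_filetime(datetime(2002, 7, 20, tzinfo=UTC)), 0x200),
}


def report(sample=SAMPLE, max_pwd_age=MAX_PWD_AGE, now=NOW):
    """Map each account name to its status."""
    return {name: classify(pls, max_pwd_age, uac, now)
            for name, (pls, uac) in sample.items()}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:12} {status}")
```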


Chris S.
(MM club member)
2002-08-05 08:46 PM
Re: Password expiration for a service account

Here, I've modified my code and tested it as much as I can without having AD here...

code:
$user = GetObject("LDAP://PDC.DOMAIN.com,ou=Accounts,ou=Users,ou=Service Account Users,ou=SQL Service Accounts,cn=ServiceSql")
;$user=getobject("WinNT://@domain")
$user.filter="User",""
for each $u in $user
  $objUser=getobject("WinNT://@domain/"+$u.name)
  ? $objUser.name " "
  $maxage = $objUser.MaxPasswordAge / (60*60*24)
  $psdage = $objUser.PasswordAge / (60*60*24)
  Select
    Case $maxage < $psdage
      "Password is expired."
    Case $maxage - $psdage < 7
      "Password will expire in 7 days or less."
    Case 1
      "Password age within parameters."
  Endselect
next



New Mexico Mark
(Hey THIS is FUN)
2002-08-05 09:22 PM
Re: Password expiration for a service account

Cool stuff. And (coincidentally) it relates to a question that just came up today.

I'd like to create a script (KiXtart or VBS) to "bump" a user's password expiration date up to three days from the current date. We don't have a AD... just NT/2K servers/clients.

Ideally, the script would be run (from a batch file) something like this:

kix32.exe bump.kix $User=%1 $Days=%2 (second parameter optional)

I searched the boards, but haven't come up with a solution yet.

Thanks,

Mark


Chris S.
(MM club member)
2002-08-05 09:53 PM
Re: Password expiration for a service account

Interesting question. So far as I can tell, the answer is yes & no. I tried this script as a test...

code:
$objUser=getobject("WinNT://@domain/testacnt")
? $objUser.name
? $objUser.PasswordExpirationDate
$objUser.PasswordExpirationDate = "10/30/1998 10:00:00 AM"
$objUser.Setinfo
$objUser=getobject("WinNT://@domain/testacnt")
? $objUser.name
? $objUser.PasswordExpirationDate

It changed the PasswordExpirationDate well enough, but not to the date I specified. It instead used the Default Schema property for MaxPasswordAge and pushed the expiration date out 90 days.


NTDOCAdministrator
(KiX Master)
2002-08-06 02:06 PM
Re: Password expiration for a service account

Thanks for the link Chris. I'll try to do some more testing in the next couple days. Lot of stuff to do besides scripting at work this week.

New Mexico Mark
(Hey THIS is FUN)
2002-08-06 02:57 PM
Re: Password expiration for a service account

Interesting... It gives me something to play with at any rate.

Thanks!

Mark


Kishe
(Lurker)
2006-03-03 09:54 AM
Re: Password expiration for a service account

I keep getting array of reference out of bounds

Arend_
(MM club member)
2006-03-03 12:19 PM
Re: Password expiration for a service account

Here I was thinking this whole topic was an active one so I put together a script. Nonetheless I'll post it anyway.

Code:

Function GetPwDaysleft($sDomain,$sUser)
  Dim $UserObj, $sAge, $sMax, $sTmp
  $UserObj = GetObject("WinNT://" + $sDomain + "/" + $sUser)
  $sAge = $UserObj.PasswordAge
  $sMax = $UserObj.MaxPasswordAge
  $sTmp = $sMax - $sAge
  $GetPwDaysleft = $sTmp / (60*60*24)
EndFunction

? GetPwDaysleft(@ldomain,@userid)