When I worked the IT department, a fair number of tickets were related to problems with a user’s password. Often it had expired and they were having issues resetting it and needed to logon immediately. If only they hadn’t waited until the last minute! Keeping on top of user passwords is terrific help desk practice. Knowing when a user’s password is going to expire can help you head off a call. Or you may simply need to audit passwords occasionally to identify potential password or security vulnerabilities.
One of the most important password checks you can make is to identify users with non-expiring passwords. I’m assuming this is the exception rather than the rule in your organization. One easy way to identify these accounts is with the Active Directory Users and Computers management console. If you install the Remote Server Administration Tools (RSAT) on your Windows 7 desktop you can accomplish this from your desk and never have to logon to a domain controller.
At the top of the navigation pane you should see an entry for Saved Queries. Right-click and choose New – Query. In the dialogue box enter a name and description. The query defaults to searching the domain root but if you want to limit it to a specific OU, click Browse and navigate to the OU you want to search.
Next, click the Define Query button. This will bring up a dialog box that you can use to create all sorts of queries. On the Users tab under Common Queries you should see a check box for Non-Expiring passwords. That’s what we want. Check it.
Click OK twice and after a moment or two you should get results.
You can manage the users in the results panel like any other user account. By the way, the query you created only works on the current machine. If there are other administrators who need to see this information, they don’t have to re-invent the wheel. Right click on your query and choose Export Query Definition. Save the query to an XML file. The other administrators simply need to Import the saved query on their desktop.
If you have a domain controller that supports the Microsoft Active Directory PowerShell provider, that is to say it must be running the Active Directory Web Services service, you have even more options.
| What Are You Talking About?Microsoft Windows Server 2008 R2 introduced a new approach for managing Active Directory. Any R2 domain controller now runs an Active Directory web service for remote management. Microsoft also released a set of PowerShell cmdlets and a provider for connecting to this service and administering your domain. These cmdlets are also available on Windows 7 when you install the Remote Server Administration Tools and turn on the Active Directory feature. If you do not have an R2 domain controller, you can freely download the Active Directory Management Gateway service from Microsoft and install it on Windows 2003 and later domain controllers. Be aware that installation will require a reboot. But once installed, you can use the PowerShell features from Windows 7 to manage your legacy domains. |
I’ll assume you have RSAT installed on Windows 7. Go to Administrative Tools – Active Directory Administrative Center. This is a new management console for managing via the AD web service. Click the link for your domain or navigate your way to the OU you want to manage. Now we can start filtering.
Because I typically only care about enabled accounts, let’s first make sure we get them. Click Add Criteria and then choose “Users with disabled/enabled accounts”. Also check “Users whose password has expiration date/no expiration date” and click Add. These settings are toggles so you might need to change them. If the disable/enable filter is set to disable, click the link and select enabled. If you want to search the entire domain then use the Global Search link. The settings are the same. After you have made your choices, click Search.
You can manage individual accounts by double clicking them or using the Task pane. I recommend clicking the diskette icon and saving the query for the next time you open the management console. Unfortunately, I have not found a good way to share queries or filters among administrators. The best solution I have found is to click the Convert to LDAP, copy the query and paste it into a text file. Other administrators can paste the query into to a new session and then save their copy locally.
Another query you might find helpful is enabled accounts with expired passwords. Click Clear to start over and add the filtering criteria
The last query that I find especially helpful is identifying users whose password will expire in the next X number of days. Imagine coming in to work on Monday morning and getting a list of users with passwords set to expire the upcoming week. You could take pro-active measures to ensure a smooth update which should make everybody happy.
Clear any search criteria. Add criteria for disabled/enabled accounts and “User with a password expiring in a given number of days.” Verify you are searching for enabled accounts and enter in a value for the number of days. I’ll say it is Monday so I’ll enter 5. Within moments I can see who I need to work with this week.
Unfortunately, there is no way to print, export or otherwise save this information. However, the Administrative Center is actually sitting on top of PowerShell so can bypass the GUI and retrieve information directly from a PowerShell session.
