How to get users with old passwords

We needed to find out who hasnt changed their password since 4/1/2007 (I know, for political reasons we cant force changes regularly).  So after doing some digging in the technet whitepages, I came up with this little command line:

dsquery user -stalepwd 1639 -limit 0 | dsget user -samid -mustchpwd -disabled > oldpw.txt

So for all the code. -stalepwd (number) is how many days from today in the past you want to check. 1639 days ago from today (9/26/2011) was 4/1/2011. Change to however many days you want. -limit is the number of results to return. You can limit it to a specific number, or setting to 0 returns all. Then we pipe it to the dsget command, and format the output with the logon name, if the account is set to “change password on next logon”, and if the account is disabled. If the account has never been logged onto, the date of last password will be 1/1/1601. So we wanted to remove those. The -disabled tells us which accounts are disabled (so we can remove them later). Then we pipe it all to a txt file. If you open that text file in excel, then choose delimited style, then next, then space as a delimiter, you will get a nice spreadsheet. You can then sort the rows and delete all the disabled “yes” accounts, and the mustchpwd “yes” accounts out. That will get you all passwords that havent been changed and are not expired or need to change next time you logon.

Filed under: Microsoft | Posted on September 26th, 2011 by CharlieMaurice

Leave a Reply

RSS Feed





Copyright © 2023 Charlie's Tech Ramblings. All rights reserved.

Tech Blue designed by Hive Designs • Ported by Free WordPress Themes