{"id":51423,"date":"2010-02-02T00:01:00","date_gmt":"2010-02-02T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2010\/02\/02\/hey-scripting-guy-can-i-query-active-directory-for-users-whose-passwords-dont-expire\/"},"modified":"2010-02-02T00:01:00","modified_gmt":"2010-02-02T00:01:00","slug":"hey-scripting-guy-can-i-query-active-directory-for-users-whose-passwords-dont-expire","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-can-i-query-active-directory-for-users-whose-passwords-dont-expire\/","title":{"rendered":"Hey, Scripting Guy! Can I Query Active Directory for Users Whose Passwords Don't Expire?"},"content":{"rendered":"

 \"Bookmark<\/a><\/p>\n

 <\/p>\n

\"Hey,<\/p>\n

Hey, Scripting Guy! I am interested in using Windows PowerShell to query Active Directory. We have deployed Windows Server 2008 R2 on our domain, and upgraded one of our domain controllers. I would like to be able to query for a list of all users whose passwords do not expire. When I did a Bing search, I was able to find an old Hey, Scripting Guy! post<\/font><\/a> that talks about finding users without expiring passwords, but it was written in VBScript and appears pretty complicated. Is there an easy way to migrate this script to Windows PowerShell 2.0?<\/p>\n

— VN<\/p>\n

\n

 <\/p>\n

\"Hey,Hello VN, <\/p>\n

Microsoft Scripting Guy Ed Wilson here. The Scripting Wife bought me a new stainless steel teapot. I, um, kept breaking the previous teapots she bought. Whoops. I decided to test my new tea pot in preparation for a meeting with the people from PoshCode.org about hosting the 2010 Scripting Games. I made a nice green tea with cinnamon stick and lemon grass. It worked out well, and the meeting went smoothly. We have already begun to announce the 2010 Scripting Games, and registration for the games will be open soon. We are returning the competitive aspect to the games, because it seems scripters are a bloodthirsty lot and want to know who is the best. There will be all kinds of cool prizes and a grand prize for the best scripter who enters the games. We will have certificates, and a script-off if the games are tied at the end. Our partnership with the Microsoft MVPs at PoshCode.org is really beginning to pay off. Stay tuned for more details. If you are on Twitter<\/a>, create a filter for #2010sg to quickly find the 2010 Scripting Games details when they become available. <\/p>\n

To find all of the users in an Organizational Unit (OU) as well as all of the users in child OUs, you need to specify the searchbase<\/b>. A VBScript that will list all of the users in an OU and in all of the child OUs was the feature of a Hey, Scripting Guy! post several years ago<\/font><\/a>. That script required 17 lines of code to perform the query. In Windows PowerShell 2.0, using the Active Directory module from the Windows Server 2008 R2 Remote Server Admin Tools<\/a> (RSAT), it is a single line of code. After you have imported the ActiveDirectory<\/b> module by using the Import-Module<\/b> cmdlet, you can use the Get-ADUser<\/b> cmdlet to search and retrieve all of the users from a specific organizational unit (OU). <\/p>\n

For more information about installing the RSAT tools on Windows 7 and using the ActiveDirectory<\/b> module, refer to last Monday’s Hey Scripting Guy! post<\/a>.<\/p>\n

To retrieve all of the users from a specific location, supply the wild card character (“*”) to the -filter<\/b> parameter. To search recursively beginning at a particular location in Active Directory, use the –searchbase<\/b> parameter. The beginning search location must be supplied to the –searchbase<\/b> parameter as a distinguished name value. If you are unsure about what the distinguished name of a particular OU is, you can look it up in the ADSI Edit utility. Most of the time, you will find a link to ADSI Edit in the administrative tools folder. If, for some reason, the shortcut is unavailable, you can always create a custom Microsoft Management Console (MMC) that contains it. To open a blank MMC this, click Start<\/b>, type mmc<\/span> in the Search box, and then press ENTER. Or click Start<\/b>, click Run<\/b>, type mmc<\/span>, and click OK<\/b>. <\/p>\n

After you have an empty MMC, you can click Add\/Remove Snap-in<\/b> on the File<\/b> menu, select ADSI Edit<\/b> on the Available Snap-ins list, click Add<\/b>, and then click OK<\/b>. After you have ADSI Edit added to your MMC, right-click ADSI Edit<\/b>, click Connect-To<\/b>, and choose the Default Naming Context<\/b>. Use the arrows on the left to navigate to the OU you are interested in querying. After you have found the OU you want to query, right-click it and then click Properties<\/b> in the shortcut menu. The dialog box appears that is shown in the following image. <\/p>\n

\"Image<\/p>\n

When you have access to all the attributes associated with the organizationalunit<\/b> object in AD, you can double-click the distinguishedName<\/b> attribute to get a better look at the value. The dialog shown in the following image appears. <\/p>\n

\"Image<\/a><\/p>\n

To avoid typing a long and convoluted distinguishedname<\/b> (DN), I will often copy the DN value directly from the dialog box and paste it into the Windows PowerShell console by right-clicking. The completed command is seen here:<\/p>\n

PS C:> Get-ADUser -Filter * -SearchBase “ou=hsg_TestOU,DC=nwtraders,dc=com”<\/p>\n

DistinguishedName : CN=HSG_TestChild,OU=HSG_TestOU1,OU=HSG_TestOU,DC=NWTraders,DC=Com
Enabled           <\/span>: False
GivenName         <\/span>:
Name              <\/span>: HSG_TestChild
ObjectClass       <\/span>: user
ObjectGUID        <\/span>: 4ffd4a5a-74f3-41ee-ae89-bbb8bd1bd915
SamAccountName    <\/span>: HSG_TestChild
SID               <\/span>: S-1-5-21-3746122405-834892460-3960030898-1161
Surname           <\/span>:
UserPrincipalName :<\/p>\n

DistinguishedName : CN=hsgUserGroupTest,OU=HSG_TestOU,DC=NWTraders,DC=Com
Enabled           <\/span>: False
GivenName         <\/span>:
Name              <\/span>: hsgUserGroupTest
ObjectClass       <\/span>: user
ObjectGUID        <\/span>: b18e4543-36d5-48e3-b477-389a84ef2d1e
SamAccountName    <\/span>: hsgUserGroupTest
SID               <\/span>: S-1-5-21-3746122405-834892460-3960030898-1193
Surname           <\/span>:
UserPrincipalName :<\/p>\n

<\/font><\/span><\/p>\n

By default, the Get-ADUser<\/b> cmdlet will automatically recurse through all of the child OUs. If you do not want to recurse through the child OUs because you are only interested in users from a specific OU, you need to modify the –searchScope<\/b> parameter. There are actually three values you can supply for the searchscope<\/b> parameter: base<\/b>, onelevel<\/b>, and subtree<\/b>. By default, the Get-ADUser<\/b> cmdlet will use the searchscope<\/b> of subtree<\/b> (which means to recurse); therefore, there is no need to supply that value. A base searchscope<\/b> means the query will not enter the searchBase<\/b>, and in this example does not return any users. A searchScope<\/b> of onelevel<\/b> means the search will go into the SearchBase<\/b> OU, and in this example, one user is returned:<\/p>\n

PS C:> Get-ADUser -Filter * -SearchBase “ou=hsg_TestOU,DC=nwtraders,dc=com” -searchscope onelevel<\/p>\n

DistinguishedName : CN=hsgUserGroupTest,OU=HSG_TestOU,DC=NWTraders,DC=Com
Enabled           <\/span>: False
GivenName         <\/span>:
Name              <\/span>: hsgUserGroupTest
ObjectClass       <\/span>: user
ObjectGUID        <\/span>: b18e4543-36d5-48e3-b477-389a84ef2d1e
SamAccountName    <\/span>: hsgUserGroupTest
SID               <\/span>: S-1-5-21-3746122405-834892460-3960030898-1193
Surname           <\/span>:
UserPrincipalName :<\/p>\n

PS C:><\/p>\n

<\/font><\/span><\/p>\n

The hierarchy we are searching, as viewed from Active Directory Users and Computers, is seen in the following image.<\/p>\n

\"Image<\/a><\/p>\n

One of the really cool things you can do with the AD DS cmdlets is use the –LDAPFilter<\/b> parameter. For example, with the Get-ADUser<\/b> cmdlet, perhaps you would like to retrieve all of the users who have a password that does not expire. A Hey, Scripting Guy! post from several years ago<\/font><\/a> included such a script. In the script, there was a rather complicated LDAP query that returned the users whose password does not expire. The applicable portion of the script is seen here:<\/p>\n

objCommand.CommandText = _
    <\/span>“<LDAP:\/\/dc=fabrikam,dc=com>;” & _
        <\/span>“(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536));” & _
            <\/span>“Name;Subtree”<\/p>\n

<\/font><\/span><\/p>\n

An LDAP dialect query is made up of four portions. The first portion is the location of the LDAP query; the second is the LDAP filter; the third portion is the properties to return; and the last is the search scope. With the Get-\nADUser<\/b> cmdlet, we have parameters for each of those four parameters. We are therefore only interested in the LDAP filter query seen here:<\/p>\n

<\/span><\/p>\n

“(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536));”<\/p>\n

<\/font><\/span><\/p>\n

When copying the LDAP filter query, do not include the trailing semicolon. That is an artifact of the previous query; each portion of an LDAP dialect query is separated by semicolons. The query goes directly into the parameter. There is no need to escape anything with extra quotation marks or anything else. The following command is a single-line command that will wrap when typed into the Windows PowerShell console. It accomplishes in one line the same thing the earlier Scripting Guy VBScript took 17 lines to do:<\/p>\n

<\/span><\/p>\n

PS C:> Get-ADUser -SearchBase “dc=nwtraders,dc=com” -searchscope subtree -ldapfilter “(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))”<\/p>\n

DistinguishedName : CN=Guest,CN=Users,DC=NWTraders,DC=Com
Enabled           <\/span>: False
GivenName         <\/span>:
Name              <\/span>: Guest
ObjectClass       <\/span>: user
ObjectGUID        <\/span>: 5b0b1ce3-808f-4976-b80e-356adc1dc7e6
SamAccountName    <\/span>: Guest
SID               <\/span>: S-1-5-21-3746122405-834892460-3960030898-501
Surname           <\/span>:
UserPrincipalName :<\/p>\n

DistinguishedName : CN=another User,OU=HSG_TestOU,DC=NWTraders,DC=Com
Enabled           <\/span>: True
GivenName         <\/span>: another
Name              <\/span>: another User
ObjectClass       <\/span>: user
ObjectGUID        <\/span>: f8315b67-ee23-486d-9bfc-a5e118f0392a
SamAccountName    <\/span>: anotherUser
SID               <\/span>: S-1-5-21-3746122405-834892460-3960030898-1202
Surname           <\/span>: User
UserPrincipalName : anotherUser@NWTraders.Com<\/p>\n

DistinguishedName : CN=AHappy Camper,OU=HSG_TestOU,DC=NWTraders,DC=Com
Enabled           <\/span>: True
GivenName         <\/span>: AHappy
Name              <\/span>: AHappy Camper
ObjectClass       <\/span>: user
ObjectGUID        <\/span>: 6852f2bc-37d5-46b5-b6da-4365c7009dfc
SamAccountName    <\/span>: AHappyCamper
SID               <\/span>: S-1-5-21-3746122405-834892460-3960030898-1203
Surname           <\/span>: Camper
UserPrincipalName : AHappyCamper@NWTraders.Com<\/p>\n

PS C:><\/p>\n

<\/font><\/span><\/p>\n

 <\/p>\n

VN, that is all there is to using the AD DS cmdlets to search User objects. Searching Active Directory Week will continue tomorrow. <\/p>\n

If you want to know exactly what we will be discussing tomorrow, follow us on Twitter<\/a> or Facebook<\/font><\/a>. If you have any questions, send e-mail to us at scripter@microsoft.com<\/font><\/a> or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

 <\/p>\n<\/p>\n

Ed Wilson and Craig Liebendorfer, Scripting Guys<\/p>\n

<\/span><\/b><\/p>\n

 <\/p><\/p>\n","protected":false},"excerpt":{"rendered":"

    Hey, Scripting Guy! I am interested in using Windows PowerShell to query Active Directory. We have deployed Windows Server 2008 R2 on our domain, and upgraded one of our domain controllers. I would like to be able to query for a list of all users whose passwords do not expire. When I did […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,3,8,45],"class_list":["post-51423","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-scripting-guy","tag-searching-active-directory","tag-windows-powershell"],"acf":[],"blog_post_summary":"

    Hey, Scripting Guy! I am interested in using Windows PowerShell to query Active Directory. We have deployed Windows Server 2008 R2 on our domain, and upgraded one of our domain controllers. I would like to be able to query for a list of all users whose passwords do not expire. When I did […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/51423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=51423"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/51423\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=51423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=51423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=51423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}