{"id":69033,"date":"2005-09-02T19:08:00","date_gmt":"2005-09-02T19:08:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/09\/02\/how-can-i-return-a-list-of-all-the-users-whose-user-account-never-expires\/"},"modified":"2005-09-02T19:08:00","modified_gmt":"2005-09-02T19:08:00","slug":"how-can-i-return-a-list-of-all-the-users-whose-user-account-never-expires","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-return-a-list-of-all-the-users-whose-user-account-never-expires\/","title":{"rendered":"How Can I Return a List of All the Users Whose User Account Never Expires?"},"content":{"rendered":"

 <\/P>\"Hey, \n

Hey, Scripting Guy! How can I return a list of all the users whose user account never expires?

— PG<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, PG. You know, no one – not even his own mother! – has ever claimed that the Scripting Guy who writes this column is a genius. Needless to say, then, the first time he read this question he thought it said, \u201cHow can I return a list of all the users<\/I> who never expire?\u201d Having once served as a system administrator, the idea of having users who never expired, users who would continue to live – and to torment – their system administrators forever and ever was truly frightening. Fortunately, though, you were just talking about user accounts<\/I> and not the users themselves.<\/P>\n\n<\/THEAD>\n\n\n
\n

Note<\/B>. We should clarify that this Scripting Guy never wanted any of his users to die, not even the one who reformatted her hard drive because she read somewhere that doing so would remove all the old files that she didn\u2019t use anymore. Well, it did.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n

<\/DIV>\n

For some reason, this calls to mind an episode of The Simpsons<\/I> where Bart – saying his evening prayers – asks God to kill Sideshow Bob. \u201cBart!\u201d said his mother. \u201cYou don\u2019t ask God to kill people!\u201d \u201cThat\u2019s right,\u201d added Homer, \u201cyou do your own killing.\u201d<\/P>\n

Fortunately, no one has to be harmed in any way in order for us to get back a list of all the user accounts that never expire. In fact, all you have to do is run a script similar to this:<\/P>

On Error Resume Next<\/p>\n
Const ADS_SCOPE_SUBTREE = 2<\/p>\n
Set objConnection = CreateObject(“ADODB.Connection”)\nSet objCommand =   CreateObject(“ADODB.Command”)\nobjConnection.Provider = “ADsDSOObject”\nobjConnection.Open “Active Directory Provider”\nSet objCommand.ActiveConnection = objConnection<\/p>\n
objCommand.Properties(“Page Size”) = 1000\nobjCommand.Properties(“Searchscope”) = ADS_SCOPE_SUBTREE <\/p>\n
objCommand.CommandText = _\n    “SELECT AdsPath FROM ‘LDAP:\/\/dc=fabrikam,dc=com’ WHERE objectCategory=’user'”\nSet objRecordSet = objCommand.Execute<\/p>\n
objRecordSet.MoveFirst\nDo Until objRecordSet.EOF\n    Set objUser = GetObject(objRecordSet.Fields(“AdsPath”).Value)<\/p>\n
    If objUser.AccountExpirationDate = “1\/1\/1970” Or Err.Number = -2147467259 Then\n        Wscript.Echo objUser.Name\n    End If<\/p>\n
    objRecordSet.MoveNext\nLoop\n<\/PRE>\n
We should point out that we took a bit of a shortcut here, a shortcut that makes the script easier to write and easier to understand, but one that does<\/I> make the script a tad bit slower and a little less efficient. Although there are two different properties that can be used to determine whether a user account expires or not – accountExpires<\/B> and accountExpirationDate<\/B> – neither one is a simple yes\/no kind of value: yes the user account will expire someday, no the user account will never expire. Instead, each property contains a value that either indicates the date that the account expires or the fact that the account will not expire. Because accountExpires is a large integer value that tracks time via the number of nanoseconds that have expired since January 1, 1601, we decided to skip that whole mess and use accountExpirationDate instead.<\/P>\n
Not that this totally solves all our problems, mind you. Technically, accountExpirationDate is not even an attribute of a user account; instead, it\u2019s an Active Directory property method. When you ask for the accountExpirationDate, ADSI will actually grab the value of the accountExpires attribute and convert it to a real date. That\u2019s the good news: when you ask for accountExpirationDate you\u2019ll get back a real<\/I> date-time value, not the number of nanoseconds that have expired since January 1, 1601. The bad news? Because accountExpirationDate isn\u2019t a hard-coded user account attribute you can\u2019t use ADO to search for accounts based on that attribute.<\/P>\n
Having fun yet? Now, we could<\/I> create a somewhat complicated script and do a search using the accountExpires attribute. Being the Scripting Guys, however, we opted to take the easy way out. Instead of retrieving only those user accounts where accountExpires is equal to a certain value, we decided to retrieve all<\/I> the user accounts, then bind to each individual account and use accountExpirationDate to determine whether the account expires. Like we said, this is not the optimal way to do things; your script will<\/I> take a bit longer to run. (Although, depending on the number of users you have, \u201ca bit longer\u201d might only be a few seconds.) However, this script is much easier to write, and thus much easier for you to use and modify.<\/P>\n
Wait a second: we aren\u2019t done just yet. There\u2019s one more issue we have to deal with. How do we know whether or not a user account will expire? Well, if accountExpirationDate is set to January 1, 1970 then the account will never expire. (Weird, but true.) Unfortunately, though, that\u2019s not the only way to determine whether or not a user account is configured to never expire. An account also doesn\u2019t expire if no accountExpirationDate has been set. You find out accountExpirationDate has no value when you try to access this attribute and get back error number -2147467259 (the much-beloved \u201cUnspecified error\u201d error). That means for each account we need to determine whether accountExpirationDate is set to January 1, 1970 or<\/I> whether we get back error number -2147467259 when trying to get the value of accountExpirationDate. That\u2019s what this block of code is for:<\/P>
If objUser.AccountExpirationDate = “1\/1\/1970” Or Err.Number = -2147467259 Then\n    Wscript.Echo objUser.Name\nEnd If\n<\/PRE>\n
If either of our criteria is true, we echo back the user name; we do that because this is an account that does not expire. If neither criteria is true then we do nothing at all; that\u2019s because this account does<\/I> expire, and all we care about here are those accounts that never expire.<\/P>\n
Well, at least that<\/I> part is simple.<\/P>\n
There\u2019s obviously more to the script than just this simple block of code, but the remainder is pretty much a run-of-the-mill Active Directory search script. If you need more information about searching Active Directory, take a look at our two-part Tales from the Script<\/I> series Dude, Where\u2019s My Printer?<\/B><\/A> That should give you a good explanation of what the rest of the script does.<\/P>\n\n<\/THEAD>\n\n\n
\n
Disclaimer<\/B>. No users were harmed during the making of today\u2019s column. We aren\u2019t saying we weren\u2019t tempted (like, say, the user who uninstalled Microsoft Word because he was finished using it for the day) but \u2026.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n
<\/DIV>
\n
\n\n\n\n
\"Top<\/A>Top of page<\/A><\/TD><\/TR><\/TBODY><\/TABLE><\/DIV><\/p>\n","protected":false},"excerpt":{"rendered":"
  Hey, Scripting Guy! How can I return a list of all the users whose user account never expires?— PG Hey, PG. You know, no one – not even his own mother! – has ever claimed that the Scripting Guy who writes this column is a genius. Needless to say, then, the first time he […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,3,63,20,5],"class_list":["post-69033","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-scripting-guy","tag-security","tag-user-accounts","tag-vbscript"],"acf":[],"blog_post_summary":"
  Hey, Scripting Guy! How can I return a list of all the users whose user account never expires?— PG Hey, PG. You know, no one – not even his own mother! – has ever claimed that the Scripting Guy who writes this column is a genius. Needless to say, then, the first time he […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69033","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=69033"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69033\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=69033"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=69033"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=69033"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}