cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Scott_M
Engaged Sweeper II

Looking for help with a custom action that tell me when the user last set their password or how close they are to expiring. How cool would that be?

Scott

6 REPLIES 6
pryan67
Champion Sweeper II

Well, you could always go to a command prompt and type in net user <username> /domain and it will tell you as well.

 

 

gbhsmis
Engaged Sweeper
i know this is old. but i cannot get this VB script to work.

I am a domain admin.

I think it's the LDP:// formating or something. I see where it has "LDP://" and I added my domain/LDP server there. Still nothing though. It just spins for a second, after I created the script and put it there, but nothing (even an error) pops up.
dteague
Engaged Sweeper III
It must be how access is in AD.

I am a "normal" user (no extra rights), and can pull all the info from AD as me.
Technut27
Champion Sweeper
I came across this a long time ago and finally had a need to do something like this. It sort of works for me, if I us it on my own user page it returns the information perfectly like in the screen shot. But if I try it on another user it returns an error.

Error: The directory property cannot be found in the cache.
Code: 8000500D
Source: Active Directory

Maybe a permissions issue because my user account I'm logged into my workstation is not a domain admin account and can't fully read AD?
chads
Lansweeper Alumni
Always enjoy finding these. such a cool action. Now only if instead of popping out a window separate from the lansweeper webpage and embedding the window result below the user would be awesome. but that would require a ton of work.
dteague
Engaged Sweeper III
If you search, you should find this code on here already, and you put it under User Actions as... {actionpath}acctstat.vbs "{cn}"

If WScript.Arguments.Count = 1 Then
struser = WScript.Arguments(0)
Set objUser = GetObject("LDAP://" & struser)
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Set objSD = objUser.Get("nTSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
Set objUserLDAP = GetObject("LDAP://" & struser)
intCurrentValue = objUserLDAP.Get("userAccountControl")
strSAMAccountName = objUser.Get("sAMAccountName")
strCN = objUser.Get("cn")
Set objNet = CreateObject("WScript.NetWork")
dtmValue = objUserLDAP.PasswordLastChanged
intTimeInterval = int(now - dtmValue)
Set objDomainNT = GetObject("WinNT://" & objNet.UserDomain)
intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")/86400
intMinPwdAge = objDomainNT.Get("MinPasswordAge")/86400

For Each Ace In objDACL
If ((Ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
(LCase(Ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
blnEnabled = True
End If
Next


'Clear strMsg

strMsg = ""


'Account Disabled?

If objuser.AccountDisabled = True Then
MsgBox "This account is Disabled.",0,strCN & " (" & strSAMAccountName & ")"
Else


'Account Locked?

If objuser.IsAccountLocked = True Then
strMsg = strMsg & "This account is Enabled but Locked." & VbCrLf & VbCrLf
Else
strMsg = strMsg & "This account is Enabled and Not Locked." & VbCrLf & VbCrLf
End If


'Password Expires?

If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then
strMsg = strMsg & "The Password Never Expires for this account due to account settings." & VbCrLf & _
" Password Changed: " & DateValue(dtmValue) & VBTab & int(now - dtmvalue) & " days ago" & VbCrLf & VbCrLf
Else

If intMaxPwdAge < 0 Then
strMsg = strMsg & "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire." & VbCrLf & VbCrLf
Else


'Password Expired already?

If intTimeInterval >= intMaxPwdAge Then
strMsg = strMsg & "The password has Expired." & VbCrLf & _
" Password Changed: " & DateValue(dtmValue) & VBTab & int(now - dtmvalue) & " days ago" & VbCrLf & _
" Password Expires: " & DateValue(dtmValue + intMaxPwdAge) & VBTab & int(now - (dtmValue + intMaxPwdAge)) & " days ago" & VbCrLf & _
" (Maximum password age: " & intMaxPwdAge & " days)" & VbCrLf & VbCrLf
Else
strMsg = strMsg & "The password has Not Expired." & VbCrLf & _
" Password Changed: " & DateValue(dtmValue) & VBTab & int(now - dtmvalue) & " days ago" & VbCrLf & _
" Password Expires: " & DateValue(dtmValue + intMaxPwdAge) & VBTab & int((dtmValue + intMaxPwdAge) - now + 1) & " days from today" & VbCrLf & _
" (Maximum password age: " & intMaxPwdAge & " days)" & VbCrLf & VbCrLf
End If
End If
End If


'User can Change the Password?

If blnEnabled Then
strMsg = strMsg & strCN & " cannot change the password due to account settings."
Else
If intTimeInterval >= intMinPwdAge Then
strMsg = strMsg & strCN & " can change the password."
Else
strMsg = strMsg & strCN & " can change the password after " & DateValue(dtmValue) + intMinPwdAge & "." & VbCrLf & _
" (Minimum password age: "& intMinPwdAge & " days)"
End If
End If

'Display the Info

MsgBox strMsg,0,strCN & " (" & strSAMAccountName & ")"

End If

Else
WScript.Echo "Error"

End If

Set objNet = Nothing
Set objUser = Nothing
Set objSD = Nothing
Set objDACL = Nothing
Set objUserLDAP = Nothing
Set objDomainNT = Nothing