Active Directory ( AD ) – Get User’s Password Expiration Date ( Using VBScript )

 

Background

Every so often, the password expiration date on my Active Directory account sneaks up on me.

And I would like to know about it ahead of time.

 

Code

I looked for code; what follows is assembled from several sources found on the Net.

VBScript


OPTION EXPLICIT


REM ***********************************************************

REM Referenced Work: 

'	REM Binding to Active Directory objects with the LDAP provider
'	REm http://www.rlmueller.net/LDAP_Binding.htm

'	REM Get the Distinguished Name for an Active Directory Object
'	REM https://gallery.technet.microsoft.com/scriptcenter/1a7111e3-3c15-4e29-ac3b-84d3ac46bd4c

'	REM How to find the Active Directory Path
'	REM https://leonelson.com/2010/09/08/how-to-find-the-active-directory-path/     

'	REM Power ASP VBscript Constants
'	REM http://powerasp.net/content/new/vbscript-constants.asp

'	REM VBScript Quit
'	REM https://ss64.com/vb/quit.html

REM ***********************************************************

REM on error resume next



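Function escapeLdapFilterValue(ByVal strValue)

    REM Escape the characters that are special inside an LDAP search filter
    REM (RFC 4515) so that the value is always matched literally and can
    REM never change the structure of the filter it is placed in.

    Dim strEscaped

    ' The backslash must be handled first: it introduces every other escape.
    strEscaped = Replace(strValue, "\", "\5c")
    strEscaped = Replace(strEscaped, "*", "\2a")
    strEscaped = Replace(strEscaped, "(", "\28")
    strEscaped = Replace(strEscaped, ")", "\29")
    strEscaped = Replace(strEscaped, Chr(0), "\00")

    escapeLdapFilterValue = strEscaped

End Function

Function distinguish(strObject, strType)

    REM Get the Distinguished Name for an Active Directory Object
    REM https://gallery.technet.microsoft.com/scriptcenter/1a7111e3-3c15-4e29-ac3b-84d3ac46bd4c
    REM
    REM strObject : sAMAccountName to look up (without the trailing "$" for computers)
    REM strType   : "user", "group" or "computer" (case-insensitive)
    REM Returns   : the distinguishedName of the last matching entry,
    REM             or "" when the type is unsupported or nothing matches.

    Dim objRootDSE
    Dim strDNSDomain
    Dim objConnection
    Dim objCommand
    Dim objRecordSet
    Dim strAccount
    Dim strClass
    Dim strFilter

    Const ADS_SCOPE_SUBTREE = 2

    distinguish = ""

    ' Work on local copies: VBScript passes arguments ByRef by default, so
    ' appending "$" to strObject would silently alter the caller's variable.
    strAccount = strObject
    strClass = LCase(strType)

    ' Only the three known object classes are allowed into the query.
    Select Case strClass
        Case "computer"
            strAccount = strAccount & "$"
        Case "user", "group"
            'Good
        Case Else
            WScript.Echo "There is an error in the script: unsupported object type " & strType
            Exit Function
    End Select

    ' Determine DNS domain name (this could be hard coded).
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"

    ' The account name is escaped before it is placed in the filter; building
    ' the query by plain concatenation would let a name containing quote or
    ' filter characters alter the search.
    strFilter = "(&(objectClass=" & strClass & ")" _
              & "(sAMAccountName=" & escapeLdapFilterValue(strAccount) & "))"

    Set objCommand.ActiveConnection = objConnection
    objCommand.CommandText = _
        "<LDAP://" & strDNSDomain & ">;" & strFilter & ";distinguishedName;subtree"
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
    Set objRecordSet = objCommand.Execute

    ' No MoveFirst: it raises an error on an empty record set, and a freshly
    ' opened record set is already positioned on its first row.
    Do Until objRecordSet.EOF
       distinguish = objRecordSet.Fields("distinguishedName").Value
       objRecordSet.MoveNext
    Loop

    objRecordSet.Close
    objConnection.Close
    Set objRecordSet = Nothing
    Set objCommand = Nothing
    Set objConnection = Nothing
    Set objRootDSE = Nothing

End Function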

Function Integer8Date(ByVal objDate, ByVal lngBias)

    ' Convert an Integer8 (64-bit) value, exposed as an object with HighPart
    ' and LowPart, into a date. The value counts 100-nanosecond intervals
    ' since 1 January 1601; lngBias (minutes) is subtracted to adjust for the
    ' local time zone. Falls back to #1/1/1601# when the result cannot be
    ' represented as a date.
    Dim lngUpper, lngLower, lngOffsetMinutes
    Dim dblTicks, dblMinutes, dblSerial

    lngUpper = objDate.HighPart
    lngLower = objDate.LowPart
    lngOffsetMinutes = lngBias

    ' Account for error in IADsLargeInteger property methods: a negative
    ' low part means the high part was reported one too small.
    If (lngLower < 0) Then lngUpper = lngUpper + 1

    ' A value of zero means "no date"; leave it at the epoch without bias.
    If (lngUpper = 0) And (lngLower = 0) Then lngOffsetMinutes = 0

    ' 100-ns ticks -> minutes (less the bias) -> days added to the epoch.
    dblTicks = (lngUpper * (2 ^ 32)) + lngLower
    dblMinutes = dblTicks / 600000000 - lngOffsetMinutes
    dblSerial = #1/1/1601# + dblMinutes / 1440

    ' Trap the conversion error when the serial value is out of range.
    On Error Resume Next
    Integer8Date = CDate(dblSerial)
    If (Err.Number <> 0) Then
        On Error GoTo 0
        Integer8Date = #1/1/1601#
    End If
    On Error GoTo 0

End Function


Function ADPasswordAge

    '========================================
    ' Read the domain password policy and return the maximum
    ' password age in days.
    '========================================

    REM http://www.rlmueller.net/Programs/PwdLastSet.txt
    REM http://www.rlmueller.net/Programs/PwdExpires.txt

    ' NOTE(review): only the domain object's MaxPwdAge is read here. An
    ' account governed by a fine-grained password policy would not be
    ' reflected by this value - confirm for your environment.

    Dim objRootDSE, strDNSDomain, objDomain, objMaxPwdAge
    Dim lngUpper, lngLower
    Dim dblTicks

    ' Bind to the default naming context of the current domain.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("DefaultNamingContext")
    Set objDomain = GetObject("LDAP://" & strDNSDomain)

    ' MaxPwdAge comes back as a large-integer object with two 32-bit halves.
    Set objMaxPwdAge = objDomain.MaxPwdAge
    lngUpper = objMaxPwdAge.HighPart
    lngLower = objMaxPwdAge.LowPart

    ' Account for bug in IADsLargeInteger property methods.
    If (lngLower < 0) Then lngUpper = lngUpper + 1

    ' Convert from 100-nanosecond intervals into days; the sign is flipped
    ' so that the result is returned as a positive number of days.
    dblTicks = (lngUpper * 2^32) + lngLower

    ADPasswordAge = -dblTicks/(600000000 * 1440)

End Function


Function localTimeBiasFromRegistry()

    ' Obtain the local time zone bias from the machine registry.
    ' This bias changes with Daylight Savings Time.
    ' http://www.rlmueller.net/Programs/PwdLastSet.txt
    '
    ' Returns the ActiveTimeBias value; when the registry value is of
    ' neither handled type the result is left unassigned.

    Const REGISTRY_KEY_ActiveTimeBias = "HKLM\System\CurrentControlSet\Control\TimeZoneInformation\ActiveTimeBias"

    Dim objShell
    Dim varRaw
    Dim lngResult
    Dim idx

    Set objShell = CreateObject("Wscript.Shell")
    varRaw = objShell.RegRead(REGISTRY_KEY_ActiveTimeBias)

    Select Case UCase(TypeName(varRaw))
        Case "LONG"
            ' Value was returned as a single number.
            lngResult = varRaw
        Case "VARIANT()"
            ' Value was returned as an array of bytes, least significant
            ' first; fold the bytes into one number.
            lngResult = 0
            For idx = 0 To UBound(varRaw)
                lngResult = lngResult + (varRaw(idx) * 256^idx)
            Next
    End Select

    localTimeBiasFromRegistry = lngResult

End Function


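Function getUsername()

	' Return the logon name of the user running the script, as reported
	' by WScript.Network.

	' objNetwork is declared locally so that the function does not depend on
	' a script-level variable of the same name (required under OPTION EXPLICIT).
	Dim objNetwork
	Dim strUserName

	Set objNetwork = CreateObject("WScript.Network")

		strUserName = objNetwork.UserName

	Set objNetwork = Nothing

	getUsername = strUserName

End Function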


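'========================================
' Main script: look up the current user in Active Directory and report
' when the password was last set, the domain maximum password age and
' the resulting expiration date.
'========================================

Dim objUser
Dim maxPwdAge
Dim numDays

Dim strDomainDN
Dim strOrganizationUnit
Dim strRelativeDistinguishedNameofContainer
Dim strDistinguishedNameSuffix
Dim strDistinguishedName
Dim strUser
Dim objNetwork
Dim strUserName
Dim strUserDN

Dim strLog

dim objDatePwdLastSet
dim dtmPwdLastSet
dim lngBias

Dim sngMaxPwdAge

Dim dtPasswordExpiry

Dim strLDAP

Dim lngErrNumber
Dim strErrDescription
Dim lngUserAccountControl

Const PROTOCOL_IDENTIFIER_LDAP  = "LDAP://"

' userAccountControl flag: the account's password never expires.
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

strUserName = getUsername()

strDistinguishedName = distinguish(strUserName, "user")

' Without a distinguished name the bind below would target "LDAP://" alone
' rather than the user, so stop here (e.g. a local, non-domain account).
If Len(strDistinguishedName & "") = 0 Then

    WScript.Echo "No Active Directory user found for " & strUserName

    WScript.Quit 1

End If

strUserDN = PROTOCOL_IDENTIFIER_LDAP & strDistinguishedName

strLog = "strUserDN :- " + strUserDN

WScript.Echo strLog


strLDAP = strUserDN

' GetObject raises an error on failure instead of returning Nothing, so
' the error has to be trapped for the reporting below to be reachable.
Set objUser = Nothing

On Error Resume Next
Set objUser = GetObject(strUserDN)
lngErrNumber = Err.Number
strErrDescription = Err.Description
On Error GoTo 0

If (lngErrNumber <> 0) Or (objUser Is Nothing) Then

    strLog = "GetObject failed on " & strLDAP

    WScript.Echo strLog

    strLog = "Err.Number is " _
                    & CSTR(lngErrNumber) _
                    & " & " _
                    & "Error Description is " & strErrDescription _
                    & vbCr


    WScript.Echo strLog

    WScript.Quit 1

End If

lngBias = localTimeBiasFromRegistry

If (TypeName(objUser.pwdLastSet) = "Object") Then

    Set objDatePwdLastSet = objUser.pwdLastSet

    dtmPwdLastSet = Integer8Date(objDatePwdLastSet, lngBias)

Else

    dtmPwdLastSet = #1/1/1601#

End If

strLog = "dtPwdLastSet :- " & CSTR(dtmPwdLastSet)

WScript.Echo strLog

sngMaxPwdAge = ADPasswordAge()

strLog = "sngMaxPwdAge :- " & CSTR(sngMaxPwdAge)

WScript.Echo strLog

lngUserAccountControl = objUser.userAccountControl

If (lngUserAccountControl And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then

    ' The account is flagged so that the domain maximum age does not apply.
    strLog = "dtPasswordExpiry never (account is set to 'password never expires')"

ElseIf (sngMaxPwdAge = 0) Then

    ' A maximum age of zero means the domain policy does not expire passwords.
    strLog = "dtPasswordExpiry never (domain maximum password age is 0)"

ElseIf (dtmPwdLastSet = #1/1/1601#) Then

    ' pwdLastSet carries no date, so an expiry date cannot be derived from it.
    strLog = "dtPasswordExpiry unknown (pwdLastSet has no value; the password may have to be changed at next logon)"

Else

    dtPasswordExpiry = DateAdd("d",sngMaxPwdAge,dtmPwdLastSet)

    strLog = "dtPasswordExpiry " & CSTR(dtPasswordExpiry)

End If

WScript.Echo strLog

'========================================
' Clean up.
'========================================
Set objDatePwdLastSet = Nothing

Set objUser = Nothing

Set maxPwdAge = Nothing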


Invoke


cscript passwordExpirationDate.vbs

Output

Output – Image #1

Output – Image #2

 

GitHub

DanielAdeniji/ActiveDirectoryGetAccountPasswordExpirationDate
Link

Dedicated

Dedicated To …

  1. Richard Mueller ( Microsoft MVP )
  2. Devin H.
    • Get the Distinguished Name for an Active Directory Object
      Link
