PaulDotCom mailing list archives
WMIC help
From: herrasher at gmail.com (Kennith Asher)
Date: Fri, 12 Jun 2009 10:10:25 -0700
Thanks Tim, and thanks again to all of you who replied. Ken On Fri, Jun 12, 2009 at 4:52 AM, Tim Mugherini <gbugbear at gmail.com> wrote:
I like the idea of powershell (havn't had much time to play with it). Anyways this vbs is tested against my envrionment. Three pop-ups. Age of password. Current Password Age Policy. And Expire Date. You can tweak it the way you see fit. Just edit the LDAP query and Set objDomainNT with appropiate user, OU, and domain name. Const SEC_IN_DAY = 86400 Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000 Set objUserLDAP = GetObject _ ("LDAP://CN=user,OU=ou,DC=domain,DC=com") intCurrentValue = objUserLDAP.Get("userAccountControl") If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then wscript.echo "The password does not expire." Else dtmValue = objUserLDAP.PasswordLastChanged Wscript.echo "The password was last changed on " & _ DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _ "The difference between when the password was last set" & VbCrLf & _ "and today is " & int(now - dtmValue) & " days" intTimeInterval = int(now - dtmValue) Set objDomainNT = GetObject("WinNT://domain") intMaxPwdAge = objDomainNT.Get("MaxPasswordAge") If intMaxPwdAge < 0 Then WScript.Echo "The Maximum Password Age is set to 0 in the " & _ "domain. Therefore, the password does not expire." Else intMaxPwdAge = (intMaxPwdAge/SEC_IN_DAY) Wscript.echo "The maximum password age is " & intMaxPwdAge & " days" If intTimeInterval >= intMaxPwdAge Then Wscript.echo "The password has expired." Else Wscript.echo "The password will expire on " & _ DateValue(dtmValue + intMaxPwdAge) & " (" & _ int((dtmValue + intMaxPwdAge) - now) & " days from today" & ")." End If End If End If On Fri, Jun 12, 2009 at 1:24 AM, Jody & Jennifer McCluggage < j2mccluggage at adelphia.net> wrote:You should be able to get at this using ADSI (Active Directory Services Interfaces). You can probably script this with PowerShell using either ADSI or the free Quest Active Directory snap-in. I think something roughly like this may get at it: [adsi]?WinNT://ComputerName?.psbase.children | where {$_.pbase.schemaclassname ?eq ?user?} | foreach { $_.name ; $_.AccountExpirationDate.value } This should return the password expiration date for all user objects (this is just a rough guess and has not been tested to see if it works). I will play with this a bit when I am back in the office. Jody ------------------------------ *From:* pauldotcom-bounces at mail.pauldotcom.com [mailto: pauldotcom-bounces at mail.pauldotcom.com] *On Behalf Of *Brian Gray *Sent:* Thursday, June 11, 2009 4:39 PM *To:* PaulDotCom Security Weekly Mailing List *Subject:* Re: [Pauldotcom] WMIC help I realize it's not wmic but wouldn't it be just as simple to use something like net user username /dom | find "Password expires" Maybe you need wmic for a specific reason I don't know... I believe as long as you are logging in as a user within that domain it should pull the information without issue. I can think of a dozen other ways depending on what the end result you are looking for is. On Thu, Jun 11, 2009 at 12:46 PM, Raffi Jamgotchian < raffi at flossyourmind.com> wrote: i've used VBscript to do it. If you're interested, Ill dig it out. it was run against the domain controller if I remember correctly. On Jun 11, 2009, at 12:42 PM, Michael Douglas wrote:Bah. This doesn't work... you have to enter the actual user's password. Sorry for the bum advice! - Mick On Wed, Jun 10, 2009 at 8:55 PM, Michael Douglas<mick at pauldotcom.com> wrote:If you're an admin, you should be able to force the wmic check to happen in the scope of another user. wmic /user:"domain\user" netlogin get passwordexpires (note you'll likely need to keep the quotes in the line above. wmic is very picky about global flag values.) I believe this will work... But I'm not VPNed into my lab at work right now to test and see. Please let us know if this works as you wanted it to. My answers might be wrong, but they're FAST! ;-) - Mick On Wed, Jun 10, 2009 at 4:29 PM, Kennith Asher<herrasher at gmail.com> wrote:Hey all you WMIC gurus out there. I'm trying to find a straightforward means of identifying when a domain user's password will expire. Is there a modifier or switch I can set to bring back password expiry for another domain user? I know I can use: Wmic netlogin get passwordexpires to find when my password expires, can this be done for another domain user? Assume I have admin privileges. Oh, and just so that we're clear here, this is for the domain we use at work, I am doing this on behalf of a user I support. Thanks, Ken _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com -- -Brian W. Gray No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.5.364 / Virus Database: 270.12.64/2170 - Release Date: 06/11/09 17:59:00 _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090612/eecebfa2/attachment.htm
Current thread:
- WMIC help Kennith Asher (Jun 10)
- WMIC help Michael Douglas (Jun 10)
- WMIC help Kennith Asher (Jun 11)