Today at the office I came across the article below and thought it was worth sharing. I used this tip to prepare for an organization wide password change that is coming up. By exporting the results to a  text file I was easily able to determine which accounts could be untouched, and which accounts needed to be changed. 

(http://serverfault.com/questions/226365/password-policy-vs-password-never-expires-question

To determine if there are any account passwords set to never expire you can use the command prompt and enter: 

dsquery * -filter "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 

To disable the setting for everybody enter: 

dsquery *-filter "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 | dsmod user -pwdneverexpires no

However, there might be accounts that don’t need their password expiration set, or that should be done manually. For that, I simply used the first command and added >> filename.txt so I could write all the accounts to a file. Using this text file you could determine which accounts (Like administrator, scanners, etc.) can be ignored at the moment. 

dsquery *-filter "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 >> results.txt

 

 

 

Comment