How to query Active Directory for users whose password has expired?

Time: 2020-12-13 02:57:10

I need to query Active Directory for a list of users whose password is about to expire. The obvious (and easy) way to do this is with:


dsquery user -stalepwd n 

The problem is that I need to add additional filters to only look for users who are in certain security groups. This is hard to do with the "dsquery user" syntax that has the built-in -stalepwd option, so I've been using the "dsquery * -filter" option which allows you to use LDAP query syntax. Unfortunately, while it's relatively easy to apply the other filters with an LDAP query, I'm having trouble filtering users who have a password age greater than n.


Does anyone know the syntax (or if it is even possible) to filter for old passwords using the "dsquery * -filter" method instead of the "dsquery user -stalepwd" method?


2 solutions

#1


3  

You can write an LDAP Query that compares "stale" passwords by comparing the pwdLastSet attribute on the user object:


(&(objectClass=person)(objectClass=User)(pwdLastSet<=n))

ActiveDirectory uses a very specific format for this time stamp. I believe it is a file-time, but I would double check on the web.


#2


1  

There are better tools than dsquery to use.


FindExpAcc from joeware will do the same as stalepwd and allow a filter through its -f switch.


The filter would then look like:


(&(objectCategory=user)(memberof=CN=User Group,OU=Test,DC=foo,dc=com))

Also check out adfind and admod tools from joeware which are more powerful than the command line query tools from Microsoft, but can be a little harder to learn.

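The two answers above leave the reader to work out the actual value of n in (pwdLastSet<=n) and how to combine it with the group filter. The following is an added example, not code from either answer or from joeware; it assumes the documented Active Directory semantics of pwdLastSet (a Windows FILETIME, i.e. 100-nanosecond ticks since 1601-01-01 UTC, where 0 means "must change password at next logon"), the userAccountControl flag 0x10000 (password never expires) and the bitwise-AND matching rule OID 1.2.840.113556.1.4.803. The group DN is the one from answer #2 and is only a sample value.

```python
"""Build an AD LDAP filter for users in a given group whose password is older than N days.

Added example; not part of the original question or answers. Assumptions:
  - pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means
    "user must change password at next logon", so it is excluded rather than treated as stale.
  - userAccountControl bit 0x10000 (UF_DONT_EXPIRE_PASSWD) marks non-expiring passwords.
  - 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible match used by AD.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def to_filetime(when: datetime) -> int:
    """Convert a timezone-aware datetime to a Windows FILETIME integer."""
    if when.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    delta = when - FILETIME_EPOCH
    # timedelta resolves to microseconds; FILETIME counts 100 ns ticks, hence * 10
    return (delta // timedelta(microseconds=1)) * 10


def escape_filter_value(value: str) -> str:
    """Escape characters that are special inside LDAP filter values (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def stale_password_filter(max_age_days: int, group_dn: str,
                          now: Optional[datetime] = None) -> str:
    """Return an LDAP filter for group members whose password is older than max_age_days.

    Accounts with pwdLastSet=0 and accounts flagged "password never expires" are
    excluded so the result reflects passwords that actually age out.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = to_filetime(now - timedelta(days=max_age_days))
    return (
        "(&"
        "(objectCategory=person)(objectClass=user)"
        f"(memberOf={escape_filter_value(group_dn)})"
        f"(pwdLastSet<={cutoff})"
        "(!(pwdLastSet=0))"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_DONT_EXPIRE_PASSWD}))"
        ")"
    )


def dsquery_command(ldap_filter: str) -> str:
    """Wrap the filter in the dsquery * -filter form the question asks about."""
    return f'dsquery * -filter "{ldap_filter}" -attr sAMAccountName pwdLastSet -limit 0'


if __name__ == "__main__":
    # Sample group DN taken from answer #2; the date is a constructed reference point.
    ldap_filter = stale_password_filter(
        90, "CN=User Group,OU=Test,DC=foo,DC=com",
        now=datetime(2020, 12, 13, tzinfo=timezone.utc))
    print(ldap_filter)
    print(dsquery_command(ldap_filter))
```

The cutoff is a plain integer, which AD compares numerically because pwdLastSet is a large-integer attribute, so `<=` selects everything set on or before that instant. Note that memberOf only matches direct group membership; nested membership needs the LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941) in place of a plain equality match.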
