The dsquery command is useful for obtaining information about objects located within an Active Directory environment. With the ability to implement a wide range of filters, this command is beneficial for obtaining specific information. One use case for this tool is to obtain a list of users within a certain OU who have not changed their password within a specified number of days. Using the parameter ‘-stalepwd’, we are able to determine which user accounts have not changed their password in a certain amount of time. Using the known variable of how many days a user has before expiration, we can calculate which users will have to change their password within a specified time frame.
- (Allowed expiration time) – (Specified expiration time) = Password age used to search
In this scenario, the environment requires a password change every 45 days. In order to see who will need to change their password in the next ten days, the query should be written to look for accounts who have not changed their password in 35 days.
- (45 day expiration policy) – (10 days remaining in results) = Variable of ‘35’ used in the query
To determine the proper syntax for the OU being checked, we can use Active Directory Users and Computers to obtain the distinguished name. Right click the OU, open the properties, select ‘Attribute Editor’, and locate the distinguishedName:
With the distinguished name and ‘stalepwd’ variable now known, we can form our syntax:
- ‘dsquery user OU=Finance,DC=xyz,DC=local -o rdn -stalepwd 35’
This command will output a list of relative distinguished names in the OU Finance that have not changed their password in the past 35 days:
We now know that Bruce and George have not changed their password in the past 35 days and that, if a new policy were put in place that requires a password change every 35 days or less, they would be immediately required to change their password. In this example, the results tell us that Bruce and George have not changed their password in 35 days or longer. This means that both Bruce and George have 10 days or less before they will need to change their password.
This syntax is primarily useful during policy development periods with customers who are creating their customized password policies and expiration lengths within the nFront Password Filter and Expiration Service. The expiration service is capable of notifying users with intermittent warnings as they approach their expiration. Using dsquery could help those writing the new customized password policies have an understanding of how many users will be impacted by a policy change based on password age prior to implementing it.