我如何可以查询用户使用Active Directory中过期密码？ [英] How can I query users with an expired password in Active Directory?

问题描述

我需要查询Active Directory用户的列表，其密码即将到期。最明显的（易）的方式来做到这一点是：

I need to query Active Directory for a list of users whose password is about to expire. The obvious (and easy) way to do this is with:

dsquery user -stalepwd n

现在的问题是，我需要添加额外的过滤器，只寻找用户谁在某些安全组。这是很难做到的DSQUERY用户语法已经内置-stalepwd选项，所以我一直在使用的dsquery * - 筛选器选项，允许您使用LDAP查询语法。不幸的是，尽管其相对容易做应用其他过滤器使用LDAP查询，我有谁拥有一个密码年龄大于n麻烦过滤用户。

The problem is that I need to add additional filters to only look for users who are in certain security groups. This is hard to do with the "dsquery user" syntax that has the built-in -stalepwd option, so I've been using the "dsquery * -filter" option which allows you to use LDAP query syntax. Unfortunately, while its relatively easy to do apply the other filters with an LDAP query, I'm having trouble filtering users who have a password age greater than n.

有谁知道语法（或者如果它甚至有可能），以使用旧密码过滤器的dsquery * - 筛选器的方法，而不是DSQUERY用户-stalepwd的方法。

Does anyone know the syntax (or if it is even possible) to filter for old passwords using the "dsquery * -filter" method instead of the "dsquery user -stalepwd" method.

推荐答案

您可以编写一个LDAP查询由用户对象上比较pwdLastSet属性比较陈旧的口令：

You can write an LDAP Query that compares "stale" passwords by comparing the pwdLastSet attribute on the user object:

(&(objectClass=person)(objectClass=User)(pwdLastSet<=n))

ActiveDirectory的使用该时间标记一个非常特定的格式。我相信，一个文件的时间，但我会仔细查看网站上。

ActiveDirectory uses a very specific format for this time stamp. I believe it a file-time, but I would double check on the web.

这篇关于我如何可以查询用户使用Active Directory中过期密码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！