PaulDotCom mailing list archives

WMIC help
From: gbugbear at gmail.com (Tim Mugherini)
Date: Fri, 12 Jun 2009 07:52:51 -0400

I like the idea of PowerShell (haven't had much time to play with it).

Anyways this vbs is tested against my environment. Three pop-ups. Age of
password. Current Password Age Policy. And Expire Date. You can tweak it the
way you see fit.

Just edit the LDAP query and Set objDomainNT with appropriate user, OU, and
domain name.

Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Set objUserLDAP = GetObject _
  ("LDAP://CN=user,OU=ou,DC=domain,DC=com")
intCurrentValue = objUserLDAP.Get("userAccountControl")

If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then
  wscript.echo "The password does not expire."
Else
  dtmValue = objUserLDAP.PasswordLastChanged
  Wscript.echo "The password was last changed on " & _
  DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
  "The difference between when the password was last set" & VbCrLf & _
  "and today is " & int(now - dtmValue) & " days"
  intTimeInterval = int(now - dtmValue)

  Set objDomainNT = GetObject("WinNT://domain")
  intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
  If intMaxPwdAge < 0 Then
    WScript.Echo "The Maximum Password Age is set to 0 in the " & _
      "domain. Therefore, the password does not expire."
  Else
    intMaxPwdAge = (intMaxPwdAge/SEC_IN_DAY)
    Wscript.echo "The maximum password age is " & intMaxPwdAge & " days"
    If intTimeInterval >= intMaxPwdAge Then
      Wscript.echo "The password has expired."
    Else
      Wscript.echo "The password will expire on " & _
      DateValue(dtmValue + intMaxPwdAge) & " (" & _
      int((dtmValue + intMaxPwdAge) - now) & " days from today" & ")."
    End If
  End If
End If

On Fri, Jun 12, 2009 at 1:24 AM, Jody & Jennifer McCluggage <
j2mccluggage at adelphia.net> wrote:

 You should be able to get at this using ADSI (Active Directory Services
Interfaces).  You can probably script this with PowerShell using either ADSI
or the free Quest Active Directory snap-in.  I think something roughly like
this may get at it:


([adsi]"WinNT://ComputerName").psbase.children | where
{$_.psbase.schemaclassname -eq "user"} | foreach {
            $_.name ; $_.AccountExpirationDate.value  }

This should return the password expiration date for all user objects (this
is just a rough guess and has not been tested to see if it works).  I will
play with this a bit when I am back in the office.



Jody


 ------------------------------

*From:* pauldotcom-bounces at mail.pauldotcom.com [mailto:
pauldotcom-bounces at mail.pauldotcom.com] *On Behalf Of *Brian Gray
*Sent:* Thursday, June 11, 2009 4:39 PM
*To:* PaulDotCom Security Weekly Mailing List
*Subject:* Re: [Pauldotcom] WMIC help



I realize it's not wmic but wouldn't it be just as simple to use something
like



net user username /dom | find "Password expires"

Maybe you need wmic for a specific reason I don't know... I believe as long
as you are logging in as a user within that domain it should pull the
information without issue. I can think of a dozen other ways depending on
what the end result you are looking for is.



On Thu, Jun 11, 2009 at 12:46 PM, Raffi Jamgotchian <
raffi at flossyourmind.com> wrote:

I've used VBScript to do it. If you're interested, I'll dig it out. It
was run against the domain controller if I remember correctly.


On Jun 11, 2009, at 12:42 PM, Michael Douglas wrote:

Bah.  This doesn't work... you have to enter the actual user's
password.

Sorry for the bum advice!
- Mick



On Wed, Jun 10, 2009 at 8:55 PM, Michael Douglas<mick at pauldotcom.com> wrote:
If you're an admin, you should be able to force the wmic check to
happen in the scope of another user.

wmic /user:"domain\user" netlogin get passwordexpires
(note you'll likely need to keep the quotes in the line above. wmic is
very picky about global flag values.)

I believe this will work... But I'm not VPNed into my lab at work
right now to test and see.  Please let us know if this works as you
wanted it to.

My answers might be wrong, but they're FAST!   ;-)
- Mick

On Wed, Jun 10, 2009 at 4:29 PM, Kennith Asher<herrasher at gmail.com> wrote:
Hey all you WMIC gurus out there.  I'm trying to find a straightforward
means of identifying when a domain user's password will expire.  Is there a
modifier or switch I can set to bring back password expiry for another
domain user?

I know I can use:

Wmic netlogin get passwordexpires

to find when my password expires, can this be done for another domain user?
Assume I have admin privileges.

Oh, and just so that we're clear here, this is for the domain we use at
work, I am doing this on behalf of a user I support.

Thanks,

Ken

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


--
-Brian W. Gray
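
Added example, not part of the original thread and not any poster's code: a PowerShell version of the password-expiry arithmetic discussed above, working from the raw LDAP attribute values (pwdLastSet and userAccountControl on the user, maxPwdAge on the domain) and covering the "never expires" and "must change at next logon" cases. The function name Get-PasswordExpiry and the sample values are constructed for illustration; the attribute values are assumed to have been read already as integers.

```powershell
function Get-PasswordExpiry {
    param(
        [int]$UserAccountControl,          # user attribute userAccountControl
        [long]$PwdLastSet,                 # user attribute pwdLastSet (FILETIME, UTC)
        [long]$MaxPwdAge,                  # domain attribute maxPwdAge (negative 100 ns interval)
        [datetime]$Now = [datetime]::UtcNow
    )
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # same flag the VBScript in the thread tests
    $status = $null; $expires = $null; $daysLeft = $null

    if ($UserAccountControl -band $ADS_UF_DONT_EXPIRE_PASSWD) {
        $status = 'NeverExpires (account flag)'
    }
    elseif ($MaxPwdAge -eq 0 -or $MaxPwdAge -eq [long]::MinValue) {
        # The domain enforces no maximum password age
        $status = 'NeverExpires (no domain maximum age)'
    }
    elseif ($PwdLastSet -eq 0) {
        # pwdLastSet of 0 means the user must change the password at next logon
        $status = 'MustChangeAtNextLogon'
    }
    else {
        # FILETIME and .NET ticks are both 100 ns units, so the interval adds directly
        $expires  = [datetime]::FromFileTimeUtc($PwdLastSet).AddTicks(-$MaxPwdAge)
        $daysLeft = [int][math]::Floor(($expires - $Now).TotalDays)
        $status   = if ($expires -le $Now) { 'Expired' } else { 'Valid' }
    }
    New-Object psobject -Property @{ Status = $status; Expires = $expires; DaysLeft = $daysLeft }
}

# Constructed sample values, not taken from any real directory.
$asOf    = [datetime]::SpecifyKind([datetime]'2009-06-01', 'Utc')
$lastSet = [datetime]::SpecifyKind([datetime]'2009-05-01', 'Utc').ToFileTimeUtc()
$maxAge  = -([timespan]::FromDays(42).Ticks)

Get-PasswordExpiry -UserAccountControl 0x200   -PwdLastSet $lastSet -MaxPwdAge $maxAge -Now $asOf
Get-PasswordExpiry -UserAccountControl 0x10200 -PwdLastSet $lastSet -MaxPwdAge $maxAge -Now $asOf
Get-PasswordExpiry -UserAccountControl 0x200   -PwdLastSet 0        -MaxPwdAge $maxAge -Now $asOf
```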
