Using Date-Related Attributes in Saved Queries

Executive Summary:

The Microsoft Management Console (MMC) Active Directory Users and Computers snap-in lets you create reusable Lightweight Directory Access Protocol (LDAP) queries to find Active Directory (AD) objects. You can use three date-related attributes—Account Expiration date, Password Last Set date, and Account Created date—within reusable LDAP queries to search AD for user and account information that is date-related, such as users with passwords that are expired or soon to expire, and accounts that were created before, between, and after specific dates.

Not too long ago, I wrote “Using Saved Queries for Active Directory Management” for Scripting Pro VIP (October, InstantDoc ID 97087). In that article, I covered installing saved queries, importing and exporting saved queries, and using bitwise operators within LDAP queries. I also provided a wide variety of LDAP queries that readers could use to produce some very useful results from within Active Directory (AD). Unfortunately, I couldn’t fit in how to use saved queries to query certain attributes that are date-related—attributes such as Account Expiration date (accountExpires), Password Last Set date (pwdLastSet), and Account Created date (whenCreated). By using these attributes within your LDAP queries, you can do things like search AD for users who haven’t changed their password in more than 90 days, passwords that will soon expire, users who have expired accounts, accounts that will expire soon, and accounts that were created before, after, or between specific dates. These types of queries can come in handy for security reports or when you need to perform proactive actions such as alerting remote users that they need to change their password. You might even want to produce lists of how many accounts were created in a certain month or between specific time periods to make management aware of your growing administration duties. You can also query computers on the whenCreated attribute to produce similar reports about how many computers are added to AD each month. Let’s delve further into how you can use the accountExpires, pwdLastSet, and whenCreated attributes in your saved queries. As we do so, I’ll show you how to work with two different date formats. . . .

This is certainly a good, by the book way to do it; Even though the base date (year 1601) is icrredibly silly.

Nice work.

arztje December 21, 2007 (Article Rating:

)

I agree, it is an unusual starting point.
So Microsoft, why 1601?

jturnervbs December 22, 2007 (Article Rating:

)

Believe it or not, there is a reason behind using the year of 1601--and it's not even a reason conjured up by Microsoft. We can blame the American National Standards Institute (ANSI) for this odd starting point. To find out why Microsoft uses the year 1601, see the note in the Scripting Guys article "Dandelions, VCR Clocks, and Last Logon Times: These are a Few of Our Least Favorite Things" at https://www.microsoft.com.nsatc.net/technet/scriptcenter/topics/win2003/lastlogon.mspx. The note appears toward the middle of the article.

KBemowski January 08, 2008 (Article Rating:

)

You must log on before posting a comment.

If you don't have a username & password, please register now.