LDAP Account Expiration Query
I have searched all over for 2 days with no luck, so hoping someone here might be able to help with this.

I have a Windows 2003 network. All user accounts have to have an account expiration date that is tied to an online security training course they must complete, and this is annually recurring.

What I would like to do is use the LDAP query feature to generate a list of not only users who have account expiration dates assigned, but also shows the date their account expires.

I have a simple query that can produce a list of accounts that are expired or will expire within X number of days, but when exported as a text file, it only shows the user's account and the type of account. For example:

(&(objectCategory=person)(objectClass=user)(accountExpires<=129102336000000000))

Does anyone know the syntax for a query that would also show the actual date of account expiration alongside the user's account name? This would be for all users within a given OU.

Many thanks in advance if you have knowledge of this great mystery.
February 5th, 2010 9:39pm
I have a VBScript program you can use for this linked here:

http://www.rlmueller.net/GenericADO.htm

The program will first prompt for the "base" of the search. Enter the Distinguished Name (DN) of the OU. Next the program prompts for the LDAP syntax filter. For all users the filter would be:

(&(objectCategory=person)(objectClass=user))

Finally, the program prompts for a comma delimited list of attributes. The Distinguished Name (DN) attribute is always included so you don't need to list that. You can use:

sAMAccountName,accountExpires

The program will output distinguishedName, sAMAccountName (pre-Windows 2000 logon name), and accountExpires for all users in the base OU. For Integer8 values like accountExpires, the program outputs the actual 64-bit value, and also the corresponding date and time in the local time zone.

If you want to restrict the output to users in the OU with an expiration date, the filter would be:

(&(objectCategory=person)(objectClass=user)(!accountExpires=0)(!accountExpires=9223372036854775807))

The "Not" operator is "!". An account that does not expire can have accountExpires 0, or also 2^63-1 (the huge number above). If you want to restrict the output to users in the OU that expire within a specified number of days, you will need to use a filter similar to the one you suggested. I use the program linked below to convert any date and time in the local time zone into the corresponding Integer8 value to use in the filter:

http://www.rlmueller.net/Programs/DateToInteger8.txt

If you want to code your own program to retrieve accountExpires, you can use the function linked below to convert the Integer8 value retrieved into a date and time in the local time zone. This function outputs 1/1/1601 if the account never expires, because that is the "zero" date for Integer8 attributes.

http://www.rlmueller.net/Programs/Integer8Date.txt

I hope this helps.

Richard Mueller
MVP ADSI
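The two conversions the answer above relies on (a local date into an Integer8 cut-off for the filter, and a returned accountExpires value back into a date for the report) are small enough to show in full. The following is an added example, not Richard Mueller's script or any Microsoft tool, and it does no live directory search: the search results in SAMPLE_ENTRIES are constructed, SAMPLE_NOW is a constructed "today", and the filter it builds is the RFC 4515 form of the one in the answer with the poster's accountExpires<= clause appended. It treats both 0 and 9223372036854775807 as "never expires", the two sentinel values the answer names.

```python
from datetime import datetime, timedelta, timezone

# accountExpires is an Integer8 (Windows FILETIME): 100-nanosecond ticks
# counted from 1601-01-01 00:00:00 UTC. Two sentinel values mean "never expires".
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NEVER_EXPIRES = {0, 2**63 - 1}          # 9223372036854775807

# Constructed "today" used by the report and the filter below (assumption, not a real run).
SAMPLE_NOW = datetime(2010, 2, 5, 12, 0, tzinfo=timezone.utc)


def integer8_to_datetime(value):
    """Convert an accountExpires value to an aware UTC datetime, or None if the
    account never expires. LDAP returns the attribute as a decimal string."""
    ticks = int(value)
    if ticks in NEVER_EXPIRES:
        return None
    # Drop the sub-microsecond digit; timedelta has microsecond resolution.
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_integer8(dt):
    """Inverse conversion, used to build a filter cut-off from a date. dt must be
    time-zone aware so a local cut-off is converted to UTC before counting ticks."""
    if dt.tzinfo is None:
        raise ValueError("use a time-zone-aware datetime")
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def expiring_within_filter(now, days):
    """Filter matching users whose account is already expired or will expire
    within `days` days of `now`, excluding accounts that never expire.
    Negations are written in the strict RFC 4515 form (!(attr=value))."""
    cutoff = datetime_to_integer8(now + timedelta(days=days))
    return (
        "(&(objectCategory=person)(objectClass=user)"
        "(!(accountExpires=0))(!(accountExpires=9223372036854775807))"
        f"(accountExpires<={cutoff}))"
    )


def expiration_report(entries, now):
    """Turn raw search results (dicts holding sAMAccountName and accountExpires
    as the server returns them) into rows of
    (sAMAccountName, expiry as 'YYYY-MM-DD HH:MM' UTC or 'never', days remaining or None).
    A negative days-remaining value means the account has already expired."""
    rows = []
    for entry in entries:
        expires = integer8_to_datetime(entry["accountExpires"])
        if expires is None:
            rows.append((entry["sAMAccountName"], "never", None))
        else:
            days_left = (expires - now).days
            rows.append((entry["sAMAccountName"], expires.strftime("%Y-%m-%d %H:%M"), days_left))
    return rows


# Constructed sample results standing in for what the search would return (not real accounts).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "lane", "accountExpires": "129102336000000000"},        # 2010-02-10 00:00 UTC
    {"sAMAccountName": "svc_backup", "accountExpires": "9223372036854775807"},  # never expires
    {"sAMAccountName": "contractor1", "accountExpires": "0"},                   # never expires
]

if __name__ == "__main__":
    print(expiring_within_filter(SAMPLE_NOW, 30))
    for name, when, left in expiration_report(SAMPLE_ENTRIES, SAMPLE_NOW):
        print(f"{name:<14} {when:<18} {'' if left is None else left}")
```

The poster's own cut-off value, 129102336000000000, converts to 2010-02-10 00:00 UTC, so the filter in the question matches everyone expiring on or before that instant, including accounts that have already lapsed. Dates are kept in UTC throughout; convert to local time only when printing, so that a cut-off typed in local time on a server in one time zone still produces the right Integer8.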
February 6th, 2010 2:37am
Richard,

This looks like a tremendously useful tool. I'm wondering if you can help me with an error I'm getting. The process I'm using is:

1. The program is stored on the AD server in C:\ADO_Querys\accountexpiration.vbs
2. In CMD, cd to the containing folder and execute script
3. At Base of Search, leave blank for default entire domain
4. At LDAP syntax filter, enter (&(objectCategory=person)(objectClass=user))
5. At List of Attributes, enter sAMAccountName,accountExpires

Generation of output text file is working but before the query executes, the following error occurs:

Line: 103
Char: 1
Error: Variable is undefined 'blnACS'
Code: 800A01F4

I'm sure this is probably something amazingly simple but my lack of expertise is showing. Any advice you have would be great and your help is tremendously appreciated.

Regards,
Lane
February 6th, 2010 6:17pm
No, it's my mistake. I modified the program Jan. 28 to accept a command line parameter if the user wishes to create a comma delimited file (instead of the default table format). I introduced a bug. The error message indicates that the variable blnACS is not declared in a Dim statement. That's because I misspelled it. It should be blnCSV. I made the mistake in a few places. Download the corrected version I just published on my web site.

Richard Mueller
MVP ADSI
February 6th, 2010 7:35pm
Richard,

Thanks! That worked perfectly. This is an incredibly handy tool for being able to generate this type of info. I really appreciate your efforts and your help here. Many, many thanks once again.

Regards,
Lane
February 6th, 2010 8:41pm