Here’s how you can find out when your domain password will expire.
net user %USERNAME% /domain
It figures this out for the current logon domain (so it doesn’t work cross-domain) but it is a great help, especially when filtering out just the password information:
net user %USERNAME% /domain | findstr "Password"
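The same filtering, turned into a value a script can act on. This is an added example, not code from the original post: the function name `ConvertFrom-NetUserPassword` and the sample lines are made up for illustration, and it assumes English-language `net user` output with dates in the current culture's format.

```powershell
function ConvertFrom-NetUserPassword {
    param([string[]]$Lines, [int]$WarnDays = 14)

    $info = [ordered]@{}
    foreach ($line in $Lines) {
        # -cmatch is case-sensitive, like findstr "Password" without /I.
        # Layout of each line: label, two or more spaces, value.
        if ($line -cmatch '^(?<label>.*Password.*?)\s{2,}(?<value>.+)$') {
            $info[$Matches.label.Trim()] = $Matches.value.Trim()
        }
    }

    # "Never" (or a date the current culture cannot parse) leaves this $null.
    $days = $null
    $when = [datetime]::MinValue
    if ([datetime]::TryParse([string]$info['Password expires'], [ref]$when)) {
        $days = [int][math]::Floor(($when - (Get-Date)).TotalDays)
    }
    $info['DaysUntilExpiry'] = $days

    if ($null -ne $days -and $days -le $WarnDays) {
        Write-Warning "Password expires in $days day(s) on $when"
    }
    [pscustomobject]$info
}

# Constructed sample input (en-US date format), so the parser runs offline.
$sample = @(
    'User name                    jdoe'
    'Password last set            1/15/2024 9:30:12 AM'
    'Password expires             Never'
    'Password changeable          1/16/2024 9:30:12 AM'
    'Password required            Yes'
    'User may change password     Yes'
)
ConvertFrom-NetUserPassword -Lines $sample

# Live use against the current logon domain:
# ConvertFrom-NetUserPassword -Lines (net user $env:USERNAME /domain)
```

Because the match is case-sensitive, the `User may change password` line is skipped, exactly as it is by `findstr "Password"`.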
This can be done in a more complex way with dsquery or adinfo that are tools to query
Getting dsquery from Microsoft
When not running on a domain controller, you need to install them locally. I mentioned “Windows Server Resource Kit tools” in batch files: getting information from your Windows AD, but that was when working at a client that back then was still in the XP / Windows Server 2003 R2 era.
For more modern Windows versions, you get it here (and each takes at least 20 minutes to install even on fast hardware with SSD storage):
- Windows 7: [WayBack] Download Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1) from Official Microsoft Download Center
- Windows 8: [WayBack] Download Remote Server Administration Tools for Windows 8 from Official Microsoft Download Center
- Windows 10: [WayBack] Download Remote Server Administration Tools for Windows 10 from Official Microsoft Download Center
(sort of thanks to [WayBack] Where can I get dsquery and other tools useful for debugging Active Directory issues? – Stack Overflow as [WayBack] Eelco managed to have the blog entry he referenced vanish from the internet).
Getting adinfo from Joeware
Joeware has some interesting 3rd party Active Directory tools, many of which started out earlier than dsquery ([WayBack] Free Tools):
- [WayBack] AdFind Command line Active Directory query tool. Mixture of ldapsearch, search.vbs, ldp, dsquery, and dsget tools with a ton of other cool features thrown in for good measure.
- [WayBack] AdMod Command line Active Directory modification tool. This is the natural extension to AdFind. I was primarily prompted by dsmod,dsmove,dsrm.exe not being what I wanted them to be when I wanted them to be.
- [WayBack] AdQueueLoop Command line tool to watch Active Directory Replication Queue.
- [WayBack] ATSN Command line Active Directory query tool. Converts IP addresses to subnet/site info. You can specify which DC you want to do the resolution of IP addresses to subnet/site names.
- [WayBack] ExchMbx Command line tool for doing various Exchange tasks such as mail enabling/disabling users, contacts, groups. Mailbox enabling/disabling users. Moving mailboxes.
- [WayBack] FindExpAcc Command line Active Directory query tool to find expired accounts. This will find accounts that are expired or accounts with expired passwords.
- [WayBack] GCChk This is a quick and dirty command line tool to locate active directory consistency issues. It will pick up missing GUIDs, objects in the GCs that may be lingering.
- [WayBack] MachinePwd Command line tool to change machine account passwords on the local machine to reset secure channels when broken.
- [WayBack] MemberOf Command line Active Directory query tool to determine what groups a user is in. As of V02.02.00 it will also check the membership of computers and groups as well.
- [WayBack] OldCmp Command line Active Directory query tool. Primarily used to find and cleanup old computer accounts that haven’t been used. Can also be used to clean up user accounts when the proper filter is specified.
- [WayBack] PSOMgr Command line tool to manage Fine Grain Password Policy Password Settings Objects in Longhorn Server and Domain Password Policy for any version Active Directory Domain.
- [WayBack] SecData Command line Active Directory query tool to pull some of the important security attributes for user and computer objects and output in CSV format. I have seen a large number of scripts taking advantage of this tool.
- [WayBack] Unlock Command line Active Directory unlock tool. Will show you currently locked accounts and unlock accounts. One simple command to unlock all locked accounts in a domain.
- [WayBack] UserName Command line tool to output current user’s DN as well as other userid formats.
–jeroen