I have scripted UnUsedNewUsers.bat to report all user accounts that have the 'user must change password at next logon' flag set and that were created at least N days ago.


UnUsedNewUsers.bat uses DatePorM.bat, and iDateYMD.bat, which must be located in your PATH.

REG.EXE, built into Windows XP and Windows Server 2003, or REG.EXE from the Windows 2000 Support Tools on the CD-ROM, must be available in your PATH.

UnUsedNewUsers.bat uses DSQuery.exe.

See "How can I filter an Active Directory query using a bitwise flag" and "How can I filter an Active Directory query by testing an attribute to be NOT EQUAL".

See "How can I decode the userAccountControl attribute?"

The syntax for using UnUsedNewUsers.bat is:

UnUsedNewUsers days

Where days is the minimum age, in days, that an unused account must have reached before it is reported.

UnUsedNewUsers.bat contains:

@echo off
if {%1}=={} @echo Syntax: UnUsedNewUsers days&goto :EOF
:: Reject a non-numeric days parameter (a number compares equal to its +number form, a string does not).
if %1 NEQ +%1 @echo Syntax: UnUsedNewUsers days&goto :EOF
set blank=                           #
set /a days=10000%1%%10000
:: Retrieve user accounts that do not have 'password never expires' and have 'user must change password at next logon' set.
set qry=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(logonCount=0)(pwdLastSet=0)(!userAccountControl:1.2.840.113556.1.4.804:=65536))" -attr sAMAccountName whenCreated -limit 0
:: Compute the cutoff date, days ago, as YYYYMMDD.
call DatePorM -%days% since
call iDateYMD %since% YYYY MM DD
set old=%YYYY%%MM%%DD%
:: Skip the DSQuery header line and pass each sAMAccountName and whenCreated date to :chkcrt.
for /f "Skip=1 Tokens=1,2" %%u in ('%qry%') do (
 call :chkcrt %%u %%v
)
goto :EOF
:chkcrt
:: Report the account if it was created on or before the cutoff date.
call iDateYMD %2 YYYY MM DD
set crt=%YYYY%%MM%%DD%
if "%crt%" LEQ "%old%" @echo %1 %crt%
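To check what the DSQuery filter and the age test actually select, here is an added Python example (not part of the original tip) that applies the same conditions to constructed sample records; the account names, dates and pwdLastSet value are made up for the demonstration.

```python
# Added example (not from the original page): reproduce the selection that
# UnUsedNewUsers.bat delegates to DSQuery and its date helpers, so the
# filter's semantics can be verified offline against sample data.
from datetime import date, timedelta

DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit 65536 ('password never expires')

# Constructed sample records shaped like the attributes the LDAP filter reads.
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "whenCreated": date(2006, 1, 3),
     "pwdLastSet": 0, "logonCount": 0, "userAccountControl": 512},
    # Same state, but 'password never expires' is set, so the filter excludes it.
    {"sAMAccountName": "svc01", "whenCreated": date(2006, 1, 3),
     "pwdLastSet": 0, "logonCount": 0, "userAccountControl": 512 | DONT_EXPIRE_PASSWORD},
    # Too recent for a 30-day threshold, old enough for a 5-day one.
    {"sAMAccountName": "asmith", "whenCreated": date(2006, 2, 20),
     "pwdLastSet": 0, "logonCount": 0, "userAccountControl": 512},
    # Already logged on and changed the password (constructed FILETIME value).
    {"sAMAccountName": "bjones", "whenCreated": date(2006, 1, 3),
     "pwdLastSet": 127845000000000000, "logonCount": 4, "userAccountControl": 512},
]


def must_change_and_never_used(user):
    """Mirror the LDAP filter: pwdLastSet=0 (must change password at next
    logon), logonCount=0 (never logged on), and the negated bitwise-OR
    matching rule 1.2.840.113556.1.4.804 on 65536, i.e. the
    DONT_EXPIRE_PASSWORD bit must not be set."""
    return (user["pwdLastSet"] == 0
            and user["logonCount"] == 0
            and not user["userAccountControl"] & DONT_EXPIRE_PASSWORD)


def unused_new_users(users, days, today):
    """Return (sAMAccountName, YYYYMMDD) for matching accounts created on or
    before today minus `days`, in the order the directory returned them.
    This is the comparison the batch file does on YYYYMMDD strings."""
    cutoff = today - timedelta(days=days)
    return [(u["sAMAccountName"], u["whenCreated"].strftime("%Y%m%d"))
            for u in users
            if must_change_and_never_used(u) and u["whenCreated"] <= cutoff]


if __name__ == "__main__":
    for name, created in unused_new_users(SAMPLE_USERS, 30, date(2006, 3, 1)):
        print(name, created)
```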