Thanks to PCI requirements we recently formalized the password aging policy in our Active Directory domain and unchecked the "Password never expires" flag on all user accounts. I quickly found that I needed a way other than Active Directory Users and Computers to check whether a user's password had expired, as users ignored the message to change their password.
I also found it helpful to see when the password was last changed and how long until the password expired. It seems the “Your password will expire in X days…” message was causing the odd issue with Outlook Web Access and Entourage (Mac Exchange Client) and having the user change their password resolved the issues.
So instead of always turning to Active Directory Users and Computers, I turned to scripting. It turns out you need the full LDAP distinguished name of the user in order to query password information. Typing in the full DN is a chore, but a bit of searching turned up a method for finding a DN using the logon name.
And thus a simple script was born.
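The approach described above, written out as an added PowerShell example (not the author's original script): resolve the logon name to a DN with an LDAP search, read pwdLastSet, and compute the expiry date from the domain's maxPwdAge. It assumes a domain-joined machine and a $LogonName parameter supplied by the caller.

```powershell
param(
    [Parameter(Mandatory = $true)]
    [string]$LogonName   # sAMAccountName, e.g. jdoe (assumed input)
)

# 1. Resolve the logon name to a distinguished name via an LDAP search
$filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$LogonName))"
$searcher = [ADSISearcher]$filter
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'pwdLastSet', 'userAccountControl'))
$hit = $searcher.FindOne()
if (-not $hit) { throw "No user with sAMAccountName '$LogonName' found" }

$dn            = $hit.Properties['distinguishedname'][0]
$uac           = [int]$hit.Properties['useraccountcontrol'][0]
$pwdLastSetRaw = [int64]$hit.Properties['pwdlastset'][0]   # FILETIME; 0 = must change at next logon

# 2. Read the domain's maximum password age (stored as a negative 100 ns interval;
#    Int64.MinValue means the domain policy never expires passwords)
$rootDse      = [ADSI]'LDAP://RootDSE'
$domain       = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$maxPwdAgeRaw = $domain.ConvertLargeIntegerToInt64($domain.maxPwdAge.Value)

# 3. Work out the password state; 0x10000 is the DONT_EXPIRE_PASSWD bit of userAccountControl
$neverExpires = (($uac -band 0x10000) -ne 0) -or ($maxPwdAgeRaw -eq [int64]::MinValue)
$status = [ordered]@{ User = $LogonName; DistinguishedName = $dn }

if ($pwdLastSetRaw -eq 0) {
    $status.LastSet = $null
    $status.State   = 'Must change at next logon'
} elseif ($neverExpires) {
    $status.LastSet = [DateTime]::FromFileTime($pwdLastSetRaw)
    $status.State   = 'Password never expires'
} else {
    $lastSet = [DateTime]::FromFileTime($pwdLastSetRaw)
    $expires = $lastSet.Add([TimeSpan]::FromTicks(-$maxPwdAgeRaw))
    $status.LastSet  = $lastSet
    $status.Expires  = $expires
    $status.DaysLeft = [math]::Round(($expires - (Get-Date)).TotalDays, 1)
    $status.State    = if ($expires -lt (Get-Date)) { 'EXPIRED' } else { 'Valid' }
}

[pscustomobject]$status
```

This uses the domain-wide maxPwdAge only; if fine-grained password policies are in use, the per-user msDS-UserPasswordExpiryTimeComputed attribute gives the effective expiry instead.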