Re: PwdLastSet
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Sun, 05 Mar 2006 16:36:56 -0500
AD Password expiration is handled in a very simple way and done when a user attempts to log on (or their account is otherwise trying to auth).
The current time/date is collected and converted to int8 format (64 bit FILETIME).
The expiration policy value is collected from the domain NC Head object, it is the attribute called maxPwdAge. It is also an int8 value, negative value actually. This is the delta to "add" to the current time/date value. So if the value is say negative 10 days in 100 nanosecond units or "clicks" I sometimes call them and your current date/time is March 12th 2PM, then you will get a result of March 2 2PM.
Now the user's pwdLastSet value is pulled and if the value is less than the adjusted value above, the account is expired.
So for real life example:
My test domain has a maxPwdAge value of
>maxPwdAge: -78624000000000
Say the current local time is 03/05/002006-16:23:10, which is 127860673900457020.
I now "add" the delta of the maxPwdAge above.
127860673900457020 + (-78624000000000)
which gives a value of 127782049900457020.
Now I simply compare pwdLastSet against that value and anything less than it is expired (unless they are marked to not expire of course). That specific value is
F:\DEV\cpp\FileTimeToString>filetimetostring 127782049900457020
FileTimeToString V01.01.00cpp Joe Richards (joe@xxxxxxxxxxx) August 2004
In: 127782049900457020
Uli: 127782049900457020
FILE-TIME=127782049900457020
STRING-TIME=12/04/002005-16:23:10
So I grab a user I know is expired on my test domain and dump the pwdLastSet and msds-user-account-control-computed which gives
F:\DEV\cpp\FileTimeToString>adfind -b CN=acltestuser,CN=Users,DC=joe,DC=com -s base pwdlastset msds-user-account-control-computed
AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) February 2006
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
dn:CN=acltestuser,CN=Users,DC=joe,DC=com
>pwdLastSet: 127475098620324652
>msDS-User-Account-Control-Computed: 8388608
1 Objects returned
The value 127475098620324652 is less than 127782049900457020, so the account is expired. If I decode the values from above, you can clearly see it as well:
F:\DEV\cpp\FileTimeToString>adfind -b CN=acltestuser,CN=Users,DC=joe,DC=com -s base pwdlastset msds-user-account-control-computed -tdc -samdc
AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) February 2006
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
dn:CN=acltestuser,CN=Users,DC=joe,DC=com
>pwdLastSet: 12/14/2004-09:57:42 Eastern Standard Time
>msDS-User-Account-Control-Computed: 8388608 [EXPIRED(8388608)]
1 Objects returned
Lockout timing is handled in exactly the same way.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Paul Bergson wrote:
I didn't know that. I thought that a forced expiration was required.
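The FILETIME arithmetic Joe walks through above, worked as an added example (this is not his FileTimeToString or AdFind code), using the post's own maxPwdAge, "current time" and pwdLastSet values. The DONT_EXPIRE_PASSWD bit (0x10000), the INT64_MIN "passwords never expire" maxPwdAge, and pwdLastSet = 0 meaning "must change at next logon" are standard AD semantics assumed here rather than taken from the post.

```python
from datetime import datetime, timedelta, timezone

# FILETIME / AD int8: 100-nanosecond "clicks" since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
CLICKS_PER_SECOND = 10_000_000

# Assumed standard AD semantics (not values quoted in the post):
MAX_PWD_AGE_NEVER = -(1 << 63)     # maxPwdAge INT64_MIN: domain passwords never expire
UF_DONT_EXPIRE_PASSWD = 0x10000    # userAccountControl: this account's password never expires
UF_PASSWORD_EXPIRED = 0x800000     # msDS-User-Account-Control-Computed bit (8388608 in the post)


def filetime_to_datetime(ft: int) -> datetime:
    """Decode an int8 FILETIME into an aware UTC datetime (sub-microsecond clicks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as FILETIME clicks without going through float seconds."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * CLICKS_PER_SECOND + delta.microseconds * 10


def expiry_cutoff(now_ft: int, max_pwd_age: int) -> int:
    """The DC's comparison value: now 'plus' the negative maxPwdAge delta."""
    return now_ft + max_pwd_age


def password_expires_at(pwd_last_set: int, max_pwd_age: int) -> int:
    """When a given password expires: pwdLastSet minus the negative delta."""
    return pwd_last_set - max_pwd_age


def is_password_expired(pwd_last_set: int, max_pwd_age: int, now_ft: int,
                        user_account_control: int = 0) -> bool:
    """Mirror the logon-time check: expired iff pwdLastSet < now + maxPwdAge."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return False                      # per-account "never expires" wins
    if pwd_last_set == 0:
        return True                       # "must change password at next logon"
    if max_pwd_age == MAX_PWD_AGE_NEVER:
        return False                      # domain policy: passwords never expire
    return pwd_last_set < expiry_cutoff(now_ft, max_pwd_age)


if __name__ == "__main__":
    # Values from the post: maxPwdAge (-91 days), "now", and acltestuser's pwdLastSet.
    MAX_PWD_AGE, NOW, PWD_LAST_SET = -78624000000000, 127860673900457020, 127475098620324652
    cutoff = expiry_cutoff(NOW, MAX_PWD_AGE)
    print("cutoff  ", cutoff, filetime_to_datetime(cutoff))   # 127782049900457020, 2005-12-04 21:23 UTC
    print("expired?", is_password_expired(PWD_LAST_SET, MAX_PWD_AGE, NOW))   # True
    print("expires ", filetime_to_datetime(password_expires_at(PWD_LAST_SET, MAX_PWD_AGE)))
```

The decoded times come out in UTC, which is why they read five hours later than the Eastern Standard Time strings in the post.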