Re: PwdLastSet



Wow... I'm impressed, nice details!!!

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com/

This posting is provided "AS IS" with no warranties, and confers no rights.


"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:%23FsV1zJQGHA.5560@xxxxxxxxxxxxxxxxxxxxxxx
AD Password expiration is handled in a very simple way and done when a
user attempts to log on (or their account is otherwise trying to auth).

The current time/date is collected and converted to int8 format (64 bit
FILETIME).

The expiration policy value is collected from the domain NC Head object,
it is the attribute called maxPwdAge. It is also an int8 value, negative
value actually. This is the delta to "add" to the current time/date value.
So if the value is, say, negative 10 days in 100-nanosecond units (or
"clicks", as I sometimes call them) and your current date/time is March 12th
2 PM, then you will get a result of March 2nd 2 PM.

Now the user's pwdLastSet value is pulled and if the value is less than
the adjusted value above, the account is expired.

So, for a real-life example:

My test domain has maxPwdAge value of

maxPwdAge: -78624000000000


Say the current local time is 03/05/002006-16:23:10, which is
127860673900457020.

I now "add" the delta of the maxpwdage above.

127860673900457020 + (-78624000000000)

which gives a value of 127782049900457020.

Now I simply compare pwdLastSet against that value and anything less than
it is expired (unless they are marked to not expire of course). That
specific value is

F:\DEV\cpp\FileTimeToString>filetimetostring 127782049900457020

FileTimeToString V01.01.00cpp Joe Richards (joe@xxxxxxxxxxx) August 2004
In: 127782049900457020
Uli: 127782049900457020
FILE-TIME=127782049900457020
STRING-TIME=12/04/002005-16:23:10


So I grab a user I know is expired on my test domain and dump the
pwdLastSet and msds-user-account-control-computed, which gives:

F:\DEV\cpp\FileTimeToString>adfind -b
CN=acltestuser,CN=Users,DC=joe,DC=com -s base pwdlastset
msds-user-account-control-computed

AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) February 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003

dn:CN=acltestuser,CN=Users,DC=joe,DC=com
pwdLastSet: 127475098620324652
msDS-User-Account-Control-Computed: 8388608


1 Objects returned


The value 127475098620324652 is less than 127782049900457020, so the
account is expired. If I decode the values from above you can clearly see
it as well:

F:\DEV\cpp\FileTimeToString>adfind -b
CN=acltestuser,CN=Users,DC=joe,DC=com -s base pwdlastset
msds-user-account-control-computed -tdc -samdc

AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) February 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003

dn:CN=acltestuser,CN=Users,DC=joe,DC=com
pwdLastSet: 12/14/2004-09:57:42 Eastern Standard Time
msDS-User-Account-Control-Computed: 8388608 [EXPIRED(8388608)]


1 Objects returned



Lockout timing is handled in exactly the same way.


joe





--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Paul Bergson wrote:
I didn't know that. I thought that a forced expiration was required.



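The expiry arithmetic Joe walks through above, reproduced as an added example in Python; this is not code from the original thread and not joeware's FileTimeToString or AdFind. It uses the exact maxPwdAge, "now" and pwdLastSet values quoted in the post, and applies the same comparison to lockout, which the post says is handled identically. Assumptions: the userAccountControl bit values are the standard Windows UF_* constants (0x10000 for "password never expires", 0x800000 for the computed EXPIRED bit), the DC's local zone is taken to be UTC-5 to match the "Eastern Standard Time" output, and the lockout figures in the usage block are constructed, not from the thread.

```python
"""AD password-expiry arithmetic from the thread, reproduced in Python.

Added example; not code from the original post or from joeware's tools.
FILETIME is a count of 100 ns "clicks" since 1601-01-01 00:00 UTC, and the
DC compares pwdLastSet against (now + maxPwdAge), maxPwdAge being negative.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # one FILETIME "click" is 100 ns

# Standard userAccountControl bits (Windows UF_* constants, assumed here).
UF_DONT_EXPIRE_PASSWD = 0x10000        # "Password never expires"
UF_PASSWORD_EXPIRED = 0x800000         # 8388608, the [EXPIRED] bit adfind decoded

# Values quoted in the post.
MAX_PWD_AGE = -78624000000000          # domain NC head maxPwdAge (negative int8)
NOW_FILETIME = 127860673900457020      # 03/05/2006 16:23:10 Eastern
PWD_LAST_SET = 127475098620324652      # acltestuser's pwdLastSet


def filetime_to_datetime(ft: int) -> datetime:
    """Decode int8 FILETIME ticks into an aware UTC datetime.

    timedelta only has microsecond resolution, so the last (100 ns) digit is dropped.
    """
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as FILETIME ticks (the reverse of the above)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def format_filetime(ft: int, tz: timezone = timezone.utc) -> str:
    """Render ticks the way the post's FileTimeToString output reads, in a chosen zone."""
    return filetime_to_datetime(ft).astimezone(tz).strftime("%m/%d/%Y-%H:%M:%S")


def interval_to_timedelta(int8_interval: int) -> timedelta:
    """Turn a negative interval (maxPwdAge, lockoutDuration) into a positive duration."""
    return timedelta(seconds=-int8_interval / TICKS_PER_SECOND)


def expiry_threshold(now_ft: int, max_pwd_age: int = MAX_PWD_AGE) -> int:
    """'Add' the negative maxPwdAge to now: any pwdLastSet older than this is stale."""
    return now_ft + max_pwd_age


def password_expired(pwd_last_set: int, user_account_control: int,
                     now_ft: int = NOW_FILETIME, max_pwd_age: int = MAX_PWD_AGE) -> bool:
    """The logon-time check from the post.

    Accounts flagged "password never expires" are skipped; everyone else is
    expired when pwdLastSet < now + maxPwdAge. A pwdLastSet of 0 ("must change
    password at next logon") is below any realistic threshold, so it comes out
    expired without a special case.
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return False
    return pwd_last_set < expiry_threshold(now_ft, max_pwd_age)


def computed_uac(pwd_last_set: int, user_account_control: int,
                 now_ft: int = NOW_FILETIME, max_pwd_age: int = MAX_PWD_AGE) -> int:
    """Mimic the EXPIRED bit of msDS-User-Account-Control-Computed."""
    expired = password_expired(pwd_last_set, user_account_control, now_ft, max_pwd_age)
    return UF_PASSWORD_EXPIRED if expired else 0


def account_locked_out(lockout_time: int, lockout_duration: int, now_ft: int) -> bool:
    """Same arithmetic for lockout (the post says it is handled identically).

    lockoutDuration is a negative int8 like maxPwdAge; the account stays locked
    while lockoutTime is newer than now + lockoutDuration. A lockoutTime of 0
    means the account is not locked.
    """
    if lockout_time == 0:
        return False
    return lockout_time >= now_ft + lockout_duration


if __name__ == "__main__":
    eastern = timezone(timedelta(hours=-5))   # assumed zone of the post's DC
    threshold = expiry_threshold(NOW_FILETIME)
    print("maxPwdAge =", interval_to_timedelta(MAX_PWD_AGE))
    print("threshold =", threshold, format_filetime(threshold, eastern))
    print("pwdLastSet =", PWD_LAST_SET, format_filetime(PWD_LAST_SET, eastern))
    print("expired:", password_expired(PWD_LAST_SET, 0x200),
          "computed UAC:", computed_uac(PWD_LAST_SET, 0x200))
    # Constructed lockout figures: 30-minute lockoutDuration, locked 10 minutes ago.
    print("locked out:", account_locked_out(NOW_FILETIME - 6_000_000_000,
                                            -18_000_000_000, NOW_FILETIME))
```

Running the module reproduces the thread's numbers: maxPwdAge decodes to 91 days, the threshold 127782049900457020 prints as 12/04/2005-16:23:10 Eastern, and acltestuser's pwdLastSet (12/14/2004-09:57:42 Eastern) falls below it, so the computed value is 8388608. Note that the comparison is purely arithmetic on ticks; converting to strings is only for humans, and the DC's time source and the user's pwdLastSet replica are what actually decide the outcome.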


