Re: ADAM Password Expiration
From: Dmitri Gavrilov [MSFT] (dmitrig_at_online.microsoft.com)
Date: 01/13/05
- Next message: John Reijnders: "RE: Domain Level and Downlevel Domains"
- Previous message: Dmitri Gavrilov [MSFT]: "Re: Disable an ADAM account, but it is still can logon"
- In reply to: Lee Flight: "Re: ADAM Password Expiration"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 13 Jan 2005 00:35:02 -0700
See my other post.
If you were using straight LDAP, then you'd be unable to bind after the pwd
has expired. But with ADSI, you are most likely seeing cached connections.
--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Lee Flight" <lef@le.ac.uk-nospam> wrote in message
news:#a0eNgP#EHA.2608@TK2MSFTNGP10.phx.gbl...
> Hi
> inline below...
>
> "Ed" <Ed@discussions.microsoft.com> wrote in message
> news:6288A1D4-4F82-480A-934E-0D65D7FF140C@microsoft.com...
> > Ok, I have a question about how Password Expiration works with ADAM
> > accounts. If the account's password is expired, can it still be used to
> > bind?
>
> From memory I think the answer is no the user cannot bind when the password
> expires. As all an ADAM user does is an LDAP bind it would not make sense
> to do otherwise as there is no out of band method of offering the
> opportunity to reset. When I have used an account that I want to read data
> as part of some service I have set a very complex password and then
> disabled expiry for that account.
>
> > If not,
> > what is the best practice for having the user change their password?
>
> I suspect that you need a tool to check for imminent password expiry and
> then notify the user that they need to change it through some code/interface
> that you provide.
>
> > Should I have an ADSI-based page that somehow intercepts an error message
> > returned by ADAM for the expired password, then redirects the user to a
> > change password page, and then bind via an Admin account?
>
> That would be great but I do not think you will be able to get the error
> message through the Microsoft LDAP provider that sits under ADSI.
>
> Lee Flight
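
An added example, not part of the original thread or any poster's code: a sketch of the "check for imminent password expiry" tool suggested in the quoted reply, working from each user's `pwdLastSet` value and the `msDS-UserDontExpirePassword` flag. The 42-day maximum age, the 14-day warning window, the helper names and the sample entries are assumptions constructed for illustration; in practice the entries would be read from the directory and the maximum age taken from whatever policy the ADAM host enforces.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def to_filetime(dt):
    """datetime -> 100-ns intervals since 1601-01-01 UTC (pwdLastSet format)."""
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_filetime(ft):
    """pwdLastSet value -> timezone-aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def expiry_status(entry, max_age, now, warn_days=14):
    """Return (state, days_left); state is exempt, expired, warn or ok."""
    if entry.get("msDS-UserDontExpirePassword", "FALSE").upper() == "TRUE":
        return ("exempt", None)          # expiry disabled for this account
    last_set = int(entry.get("pwdLastSet", "0"))
    if last_set == 0:
        return ("expired", 0)            # 0: password must be changed
    expires = from_filetime(last_set) + max_age
    days_left = (expires - now).days     # floors, so overdue is negative
    if expires <= now:
        return ("expired", days_left)
    return ("warn" if days_left <= warn_days else "ok", days_left)

# Constructed sample data (attribute values as strings, as LDAP returns them).
NOW = datetime(2005, 1, 13, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=42)             # assumed policy value

def _entry(days_ago, **extra):
    ft = to_filetime(NOW - timedelta(days=days_ago))
    return {"pwdLastSet": str(ft), **extra}

SAMPLE = {
    "CN=svc-reader": _entry(400, **{"msDS-UserDontExpirePassword": "TRUE"}),
    "CN=alice": _entry(40),              # expires in 2 days
    "CN=bob": _entry(50),                # expired 8 days ago
    "CN=carol": _entry(5),
    "CN=dave": {"pwdLastSet": "0"},
}

def report(entries=SAMPLE, max_age=MAX_AGE, now=NOW):
    """Map each DN to its (state, days_left) tuple."""
    return {dn: expiry_status(e, max_age, now) for dn, e in entries.items()}

if __name__ == "__main__":
    for dn, (state, days) in report().items():
        print(f"{dn:15} {state:8} {'' if days is None else days}")
```

Accounts reported as `warn` are the ones to notify before the bind starts failing; `exempt` accounts are worth reviewing separately, since they rely on password strength alone.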