Re: AD and Expired Password Checking and how to test?

From: ohaya <ohaya@xxxxxxx>
Date: Thu, 31 Aug 2006 19:03:33 -0400

ohaya wrote:

Hi,

I have a sample VBScript program to check if a user's password has expired linked here:

http://www.rlmueller.net/User%20Password%20Info.htm

The program uses the value of the pwdLastSet attribute of the user and the maxPwdAge attribute of the domain. I have more info on handling Integer8 values like pwdLastSet and maxPwdAge linked here:

http://www.rlmueller.net/Integer8Attributes.htm

Richard,

I guess the thing that is really giving me a hard time is getting my code to detect that a password has expired when Windows thinks that it has expired.

I'll try to explain:

- I reset the password for a user, and the password expires on 10/13/06 @ ~03:55, according to various VBscripts that I tried (one said 10/11/06).

- I change the system date to 10/10/06, and try a bind, which fails. My program says that the password has not yet expired.

I guess that I've been assuming that bind failure is because Windows/AD thinks that the password has expired, but maybe there might be another reason why the binds would fail as I get "nearer" to the password expiration? FYI, when I ran an ldifde with a simple bind, the error I was getting was "INVALID CREDENTIALS".

I'm doing the bind using LDAP (i.e., using LDAP JDK). Is it possible that AD expires passwords for LDAP binds EARLIER than it expires something like an SSPI or Windows bind?

Jim

Hi,

I need to clarify what I said above: Actually, I am getting the "invalid credentials" prior to the password expirate date/time, even if I do an SSPI bind. Is there any way to find out why this might be happening?

Thanks,
Jim
.

Follow-Ups:
- Re: AD and Expired Password Checking and how to test?
  - From: Joe Richards [MVP]

References:
- Re: AD and Expired Password Checking and how to test?
  - From: ohaya

Prev by Date: Re: Servers not appearing in AD
Next by Date: Re: Active Directory - security boundaries
Previous by thread: Re: AD and Expired Password Checking and how to test?
Next by thread: Re: AD and Expired Password Checking and how to test?
Index(es):
- Date
- Thread

Relevant Pages

Re: AD and Expired Password Checking and how to test?
... Doh, sorry my bad, I should have checked, pwdlastset isn't in the GC in the default schema and I assumed it was because my test forest had that changed. ... Joe Richards Microsoft MVP Windows Server Directory Services ... So then, now I'm still puzzled why, when I set the system clock to 10/11/06, I get "Invalid credential" when I try to do a bind, using either a simple bind or SSPI bind. ... Is it possible that AD expires passwords for LDAP binds EARLIER than it expires something like an SSPI or Windows bind? ...
(microsoft.public.windows.server.active_directory)
Re: AD and Expired Password Checking and how to test?
... that's approximately 14 days after the pwdLastSet. ... So then, now I'm still puzzled why, when I set the system clock to 10/11/06, I get "Invalid credential" when I try to do a bind, using either a simple bind or SSPI bind. ... But then again, I've tested after setting the system time to 10/10/06, and got the Invalid Credentials then too. ... Is it possible that AD expires passwords for LDAP binds EARLIER than it expires something like an SSPI or Windows bind? ...
(microsoft.public.windows.server.active_directory)
Re: ADAM Password Expiration
... If you were using straight LDAP, then you'd be unable to bind after the pwd ... > expires. ... When I have used an account that I want to read data as part of ...
(microsoft.public.windows.server.active_directory)
Re: AD and Expired Password Checking and how to test?
... Like Joe said, the exact ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... I reset the password for a user, and the password expires on ... I change the system date to 10/10/06, and try a bind, which fails. ...
(microsoft.public.windows.server.active_directory)
Re: AD and Expired Password Checking and how to test?
... AdFind isn't a script and deals with the 64 bit numbers natively and uses the Microsoft internal conversion routines so it will give you the exact time in the pwdLastSet. ... Actually, no, I'm not positive about the "real" expiration date/time. ... I guess that I've been assuming that bind failure is because Windows/AD thinks that the password has expired, but maybe there might be another reason why the binds would fail as I get "nearer" to the password expiration? ... Is it possible that AD expires passwords for LDAP binds EARLIER than it expires something like an SSPI or Windows bind? ...
(microsoft.public.windows.server.active_directory)