Are you positive on the date/time the account is supposed to be
expiring? VBScript has issues dealing with 64-bit values and most of the
scripts I have seen are *close* for the time but never actually correct.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
The program uses the value of the pwdLastSet attribute of the user
and the maxPwdAge attribute of the domain. I have more info on
handling Integer8 values like pwdLastSet and maxPwdAge linked here:
I guess the thing that is really giving me a hard time is getting my
code to detect that a password has expired when Windows thinks that it
has expired.
I'll try to explain:
- I reset the password for a user, and the password expires on
10/13/06 @ ~03:55, according to various VBscripts that I tried (one
said 10/11/06).
- I change the system date to 10/10/06, and try a bind, which fails.
My program says that the password has not yet expired.
I guess that I've been assuming that bind failure is because
Windows/AD thinks that the password has expired, but maybe there might
be another reason why the binds would fail as I get "nearer" to the
password expiration? FYI, when I ran an ldifde with a simple bind,
the error I was getting was "INVALID CREDENTIALS".
I'm doing the bind using LDAP (i.e., using LDAP JDK). Is it possible
that AD expires passwords for LDAP binds EARLIER than it expires
something like an SSPI or Windows bind?
Jim
Hi,
I need to clarify what I said above: Actually, I am getting the
"invalid credentials" prior to the password expiration date/time, even if
I do an SSPI bind. Is there any way to find out why this might be
happening?
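The pwdLastSet plus maxPwdAge calculation discussed in this thread, as an added Python example (not code from any poster or from the program mentioned above). The function names and the sample values are constructed for illustration; it also covers the HighPart/LowPart pitfall that makes script results come out close but not exact.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Integer8 times count from here
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl flag
INT64_MIN = -(2 ** 63)          # maxPwdAge value meaning "no maximum age"

# Constructed sample values: password set 2006-09-01 00:00 UTC, 42-day policy.
SAMPLE_PWD_LAST_SET = 128015424000000000
SAMPLE_MAX_PWD_AGE = -36288000000000


def integer8(value=None, high=None, low=None):
    """Signed 64-bit int from an LDAP string/int or from ADSI HighPart/LowPart."""
    if value is not None:
        return int(value)  # raw LDAP returns the attribute as a decimal string
    # Scripts receive LowPart as a *signed* 32-bit number. Adding it unmasked
    # is wrong by 2**32 ticks (about 7 min 9 s) whenever its top bit is set.
    return (high << 32) | (low & 0xFFFFFFFF)


def filetime_to_utc(ticks):
    """Convert 100-nanosecond ticks since 1601-01-01 UTC to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def password_expiry(pwd_last_set, max_pwd_age, uac=0):
    """Return (status, expiry_utc or None) for one user."""
    if uac & DONT_EXPIRE_PASSWORD:
        return "never", None
    if pwd_last_set == 0:           # "must change password at next logon"
        return "must_change", None
    if max_pwd_age in (0, INT64_MIN):
        return "never", None
    # maxPwdAge is stored as a negative interval, so subtracting adds the age.
    return "expires", filetime_to_utc(pwd_last_set - max_pwd_age)


def is_expired(pwd_last_set, max_pwd_age, uac=0, now=None):
    """Evaluate expiry at `now` (aware datetime); defaults to the current UTC time."""
    status, expiry = password_expiry(pwd_last_set, max_pwd_age, uac)
    if status != "expires":
        return status == "must_change"
    return (now or datetime.now(timezone.utc)) >= expiry


if __name__ == "__main__":
    print(password_expiry(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE))
```

Passing `now` explicitly lets the calculation be checked against chosen dates without changing the system clock.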