Re: AD and Expired Password Checking and how to test?
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Sat, 02 Sep 2006 15:11:34 -0400
Cool.
There are several things that can prevent an ID from authenticating with a valid password. The main "daily" things are
o Password expired
o Account locked
o Account disabled
o Account expiration
If you use my getuserinfo tool you can look at accounts quickly and it should tell you if any of those is the case. Note that that tool is designed to work for NT4 but still works for most of the stuff fine for AD, you just have to be careful about group memberships because it will show you the legacy NT4 view, not the view that allows for the same group type nesting, etc.
As for getting more info why creds are bad from LDAP, nothing available for that that I am aware of.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
ohaya wrote:
Hi,.
** MYSTERY SOLVED!!! **
I happened to have another user in AD that I had last done a password reset on 8/14/06, and I found that I could still bind today (9/1/06), so I was puzzled about why one user's password would expire after ~14 days, whereas the other didn't.
I checked in ADUC, and I found that the one user that was able to bind had "Account Expires" of "never", whereas the one where I was getting the "Invalid Credentials" had it set to 9/14/06!!
So, it was the *ACCOUNT* expiring that was causing this, not the *PASSWORD* expiring :)!!
Jim
ohaya wrote:Hi,
FYI, I did more testing, to narrow down when the "Invalid Credentials" starts occurring, and it's somewhere between 9/14/06 @ 23:59 and 9/15/06 @ 00:01... By my calculation, that's approximately 14 days after the pwdLastSet.
Why is this?
Jim
ohaya wrote:Joe,
The command line you suggested didn't work:
C:\tempdir>adfind -sc u:test2 pwdlastset -tdcs
AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006
Using server: ctstepdown.whatever.com:3268
Directory: Windows 2000
dn:CN=test2,CN=Users,DC=whatever,DC=com
1 Objects returned
So I tried:
C:\tempdir>adfind -b "cn=users,dc=whatever,dc=com" -f "(cn=test2)" pwdLastSet -tdcs
AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006
Using server: ctstepdown.whatever.com:389
Directory: Windows 2000
dn:CN=test2,CN=Users,DC=whatever,DC=com
>pwdLastSet: 2006/08/31-05:08:20 Eastern Daylight Time
Here's what I got for 'maxpwdage':
C:\tempdir>adfind -b "dc=whatever,dc=com" -f "(maxpwdage=*)" maxpwdage
AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006
Using server: ctstepdown.whatever.com:389
Directory: Windows 2000
dn:DC=whatever,DC=com
>maxPwdAge: -37108517437440
dn:CN=Builtin,DC=whatever,DC=com
>maxPwdAge: -37108517437440
2 Objects returned
If I calculate correctly, the maxpwdage is 42 days, 22 hours, 47 minutes, and 32 seconds.
So, the expiration date/time should be 10/13/06 @ 03:55:52.
Is that right?
So then, now I'm still puzzled why, when I set the system clock to (for example) 10/11/06, I get "Invalid credential" when I try to do a bind, using either a simple bind or SSPI bind.
I have not gone back further yet, e.g., 10/9/06, 10/8/06, etc. to try to see when exactly that "Invalid credential" starts occurring, but what else, other than fat-fingering the password, could be causing the bind to fail "ahead of" the expiration date?
Thanks,
Jim
Joe Richards [MVP] wrote:Download my AdFind (http://www.joeware.net/win/free/tools/adfind.htm)
Then run the following command
adfind -sc u:username pwdlastset -tdcs
That will give you the exact time the password was set. Add the number of days for your expiration policy onto it and that is your exact expiration time. Note that it isn't just a day, it could be any time during the day.
AdFind isn't a script and deals with the 64 bit numbers natively and uses the Microsoft internal conversion routines so it will give you the exact time in the pwdLastSet (as well as any other int8 time attributes).
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
ohaya wrote:Joe,
Actually, no, I'm not positive about the "real" expiration date/time. As I mentioned earlier, a number of VBs show 10/13/06, and at least one shows 10/11/06. But then again, I've tested after setting the system time to 10/10/06, and got the Invalid Credentials then too.
I guess that's really the point/question... how to find the "real" expiration date/time, since AD doesn't have it stored anywhere :(...
Jim
Joe Richards [MVP] wrote:Are you positive on the date/time the account is supposed to be expiring. VBSCRIPT has issues dealing with 64 bit values and most of the scripts I have seen are *close* for the time but never actually correct.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
ohaya wrote:ohaya wrote:
Hi,
I have a sample VBScript program to check if a user's password has expired linked here:
http://www.rlmueller.net/User%20Password%20Info.htm
The program uses the value of the pwdLastSet attribute of the user and the maxPwdAge attribute of the domain. I have more info on handling Integer8 values like pwdLastSet and maxPwdAge linked here:
http://www.rlmueller.net/Integer8Attributes.htm
Richard,
I guess the thing that is really giving me a hard time is getting my code to detect that a password has expired when Windows thinks that it has expired.
I'll try to explain:
- I reset the password for a user, and the password expires on 10/13/06 @ ~03:55, according to various VBscripts that I tried (one said 10/11/06).
- I change the system date to 10/10/06, and try a bind, which fails. My program says that the password has not yet expired.
I guess that I've been assuming that bind failure is because Windows/AD thinks that the password has expired, but maybe there might be another reason why the binds would fail as I get "nearer" to the password expiration? FYI, when I ran an ldifde with a simple bind, the error I was getting was "INVALID CREDENTIALS".
I'm doing the bind using LDAP (i.e., using LDAP JDK). Is it possible that AD expires passwords for LDAP binds EARLIER than it expires something like an SSPI or Windows bind?
Jim
Hi,
I need to clarify what I said above: Actually, I am getting the "invalid credentials" prior to the password expirate date/time, even if I do an SSPI bind. Is there any way to find out why this might be happening?
Thanks,
Jim
- References:
- Re: AD and Expired Password Checking and how to test?
- From: ohaya
- Re: AD and Expired Password Checking and how to test?
- From: ohaya
- Re: AD and Expired Password Checking and how to test?
- From: Joe Richards [MVP]
- Re: AD and Expired Password Checking and how to test?
- From: ohaya
- Re: AD and Expired Password Checking and how to test?
- From: Joe Richards [MVP]
- Re: AD and Expired Password Checking and how to test?
- From: ohaya
- Re: AD and Expired Password Checking and how to test?
- From: ohaya
- Re: AD and Expired Password Checking and how to test?
- From: ohaya
- Re: AD and Expired Password Checking and how to test?
- Prev by Date: Re: AD and Expired Password Checking and how to test?
- Next by Date: Re: Forest and Exchange
- Previous by thread: Re: AD and Expired Password Checking and how to test?
- Next by thread: Re: AD and Expired Password Checking and how to test?
- Index(es):
Relevant Pages
|
