Re: Help With Password Last Changed
- From: "Justin" <None@xxxxxxxx>
- Date: Tue, 29 Apr 2008 10:59:40 -0700
"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote in
message news:u6T$9UZqIHA.420@xxxxxxxxxxxxxxxxxxxxxxx
Justin wrote:
I recently implemented a password policy. Windows 2003. I first set the
password to expire in 1 day and everyone but my test user was set to
"PASSWORD NEVER EXPIRES". So naturally only my test user was affected and
I was prompted to change the password. I then left everything in place
and sure enough I was asked to change my password again after this last
weekend.
Ok, so my password policy is in place and works. I bumped up the policy
to have the passwords expire after 90 days. I picked a few users and
turned off "PASSWORD NEVER EXPIRES". I went to their machine and ran
gpupdate /force then verified they have the proper local policy (I did
the same on my DC). OK, all is well, I reboot and......nada.....I wasn't
asked to change the password. My googling brought me to:
dtmValue = objUserLDAP.PasswordLastChanged
Wscript.echo "The password was last changed on " & _
DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
"The difference between when the password was last set" & VbCrLf & _
"and today is " & int(now - dtmValue) & " days"
intTimeInterval = int(now - dtmValue)
.....and so forth....
What I discovered is that ALL of my users have a last changed date of
"some random date" in April....what the heck?
Prior to today every single one of my users had BOTH "PASSWORD NEVER
EXPIRES" and "USER CAN NOT CHANGE PASSWORD" selected. So wouldn't that
be an impossibility? I certainly did not change their passwords or reset
them. All of my users are at least a few years old and older with the
exception of two recent new hires which actually were created in April.
Upon questioning my users I discovered that they, in fact, have never
changed their password nor were they ever prompted to.
So my question is, how is this possible? What would have caused this?
What could be resetting this field?
On a side note, something that bothers me, when I run the mentioned
script above for some of my users I get an OBJECT NOT FOUND error. When
in fact that user does exist as typed in the OU as typed.
Any help or any direction would be greatly appreciated!
My experience is that users that have never changed their password have a
Password Last Changed date that corresponds to the "zero" date, January 1,
1601. The PasswordLastChanged property method raises an error on this
value.
We need to see more of your program. I suspect you use "On Error Resume
Next", which masks this problem. Perhaps one user last changed their
password in April, all subsequent users raise an error, and the same date
is being reported.
I have a VBScript program that documents for all users in the domain when
they last changed their password. The date 1/1/1601 means never.
http://www.rlmueller.net/PwdLastChanged.htm
This program uses ADO to retrieve the pwdLastSet attribute for all users,
which is much faster than binding to each user object in order to invoke
the PasswordLastChanged property method (which raises the error anyway).
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
This is the script I was using. It's hardcoded per user, per OU, per
domain:
(http://www.activexperts.com/activmonitor/windowsmanagement/scripts/activedirectory/user/passwords/)
Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

' Bind to one hardcoded user object.
Set objUserLDAP = GetObject _
    ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
intCurrentValue = objUserLDAP.Get("userAccountControl")

If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then
    Wscript.Echo "The password does not expire."
Else
    ' PasswordLastChanged is the property method discussed above.
    dtmValue = objUserLDAP.PasswordLastChanged
    Wscript.Echo "The password was last changed on " & _
        DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
        "The difference between when the password was last set" & VbCrLf & _
        "and today is " & int(now - dtmValue) & " days"
    intTimeInterval = int(now - dtmValue)

    ' The WinNT provider returns MaxPasswordAge in seconds.
    Set objDomainNT = GetObject("WinNT://fabrikam")
    intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
    If intMaxPwdAge < 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."
    Else
        intMaxPwdAge = (intMaxPwdAge/SEC_IN_DAY)
        Wscript.Echo "The maximum password age is " & intMaxPwdAge & " days"
        If intTimeInterval >= intMaxPwdAge Then
            Wscript.Echo "The password has expired."
        Else
            Wscript.Echo "The password will expire on " & _
                DateValue(dtmValue + intMaxPwdAge) & " (" & _
                int((dtmValue + intMaxPwdAge) - now) & " days from today" & _
                ")."
        End If
    End If
End If
This script and your script give me completely different results? Your
results are what I would expect the accounts to look like. Also, your
script returns results for those users that the above script was giving me
an error with.
As of this morning those users that I turned off "password never expires"
were asked to change their password. Why it took some odd 24 hours for the
change to take place is beyond me. So with the above script giving me bogus
info and the change not taking place right away like it did with my test
user, there's the confusion.
I turned that option off for more users and had one of them reboot and they
were not asked to change their password. For some reason that setting is
taking a while to propagate through my system (only one DC, 78 users). I
suspect they will be asked to change their password by tomorrow.
Thanks for the help guys and thanks for the SCRIPT!
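
Added example, not part of the original posts and not Richard Mueller's program: it interprets the raw pwdLastSet value (100-nanosecond ticks since January 1, 1601) and treats 0 as "never" explicitly, so the zero date cannot surface as an error or as another user's date. It assumes the domain limit is read as the LDAP maxPwdAge attribute (a negative tick count) rather than the WinNT MaxPasswordAge used in the script above; the function names, account names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # the "zero" date
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000  # same userAccountControl flag as the script above
TICKS_PER_SECOND = 10_000_000        # pwdLastSet and maxPwdAge count 100-ns ticks


def filetime_to_datetime(ticks):
    """Convert an Integer8 value (ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed samples."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND


def password_status(pwd_last_set, uac, max_pwd_age, now):
    """Return (status, date) for one account from its raw attribute values.

    max_pwd_age is the domain's maxPwdAge: a negative tick count, where 0 or
    the minimum 64-bit value means passwords never expire.
    """
    if pwd_last_set == 0:
        # Handle the zero value explicitly instead of letting it raise an
        # error that a masked error handler could turn into a stale date.
        return ("never-set", None)
    changed = filetime_to_datetime(pwd_last_set)
    if uac & ADS_UF_DONT_EXPIRE_PASSWD:
        return ("flag-never-expires", changed)
    if max_pwd_age in (0, -(2 ** 63)):
        return ("domain-never-expires", changed)
    expires = changed + timedelta(microseconds=-max_pwd_age // 10)
    return ("expired" if now >= expires else "valid", expires)


# Constructed sample values; 0x200 marks a normal user account.
UTC = timezone.utc
NOW = datetime(2008, 4, 29, tzinfo=UTC)
MAX_AGE_90_DAYS = -90 * 86400 * TICKS_PER_SECOND
ACCOUNTS = [
    ("testuser", datetime_to_filetime(datetime(2008, 4, 27, tzinfo=UTC)), 0x200),
    ("olduser", datetime_to_filetime(datetime(2005, 1, 10, tzinfo=UTC)), 0x200),
    ("neverchanged", 0, 0x200),
    ("svcaccount", datetime_to_filetime(datetime(2006, 6, 1, tzinfo=UTC)), 0x10200),
]

if __name__ == "__main__":
    for name, pls, uac in ACCOUNTS:
        print(name, *password_status(pls, uac, MAX_AGE_90_DAYS, NOW))
```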