Can User Account Password be set to expire on a date?

Post by Richard Muelle » Wed, 09 Oct 2002 02:28:32




>Is it possible to set a Win2k AD user account password to
>expire on a specific date?

Hi,

In principle I think it could be done, but it would be a
challenge.

The domain has one Maximum Password Age policy that
applies to all users (except those whose password does not
expire, or those that cannot change their password). Each
user object has a PwdLastSet attribute, representing the
date and time the password was last set. In principle,
PwdLastSet + MaxPwdAge equals the date the password
expires.

Challenge 1 is that PwdLastSet is not a replicated
attribute, so you have to query every domain controller in
the domain for the max value. Challenge 2 is that while
MaxPwdAge is in days, PwdLastSet is Integer8 (64-bit). I
think VB (or C) would be required to set a value.

If the expiration date you desire is sooner than the
current expiration date for the user, you only have to set
a value for PwdLastSet on one domain controller. The value
would be DesiredExpirationDate - MaxPwdAge. It appears
that Domain Administrators can set the value, but I have
not found VBScript code that can set Integer8 values.

Richard
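
The PwdLastSet + MaxPwdAge arithmetic from the post above, as an added example that is not code from the thread. It assumes the LDAP attribute forms: Integer8 timestamps counting 100-nanosecond intervals since 1601-01-01 UTC, and maxPwdAge stored as a negative interval count. All function names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 86400 * 10_000_000     # Integer8 times count 100-ns intervals
UF_DONT_EXPIRE_PASSWD = 0x10000        # "password never expires" flag bit
NO_MAX_AGE = (0, -(2 ** 63))           # maxPwdAge values treated here as "no limit"

def from_high_low(high_part, low_part):
    """Rebuild the signed 64-bit value from an ADSI HighPart/LowPart pair."""
    return (high_part << 32) + (low_part & 0xFFFFFFFF)

def filetime_to_datetime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(when):
    delta = when - EPOCH_1601          # 'when' must be timezone-aware
    return (delta.days * TICKS_PER_DAY + delta.seconds * 10_000_000
            + delta.microseconds * 10)

def password_expiry(pwd_last_set, max_pwd_age, user_flags=0):
    """Return (state, when): 'never', 'must-change', or 'expires' plus a datetime."""
    if user_flags & UF_DONT_EXPIRE_PASSWD:
        return ("never", None)
    if pwd_last_set == 0:              # flagged to change at next logon
        return ("must-change", None)
    if max_pwd_age in NO_MAX_AGE:
        return ("never", None)
    # maxPwdAge is stored negative, so subtracting it adds the age.
    return ("expires", filetime_to_datetime(pwd_last_set - max_pwd_age))

def pwd_last_set_for_expiry(desired_expiry, max_pwd_age):
    """DesiredExpirationDate - MaxPwdAge from the post, as an Integer8 value."""
    return datetime_to_filetime(desired_expiry) + max_pwd_age

if __name__ == "__main__":
    # Constructed sample values: 42-day policy, password set 2002-09-01 UTC.
    max_age = -42 * TICKS_PER_DAY
    last_set = datetime_to_filetime(datetime(2002, 9, 1, tzinfo=timezone.utc))
    print(password_expiry(last_set, max_age))
    print(password_expiry(last_set, max_age, user_flags=0x10200))
    print(password_expiry(0, max_age))
    target = datetime(2002, 10, 31, tzinfo=timezone.utc)
    print(filetime_to_datetime(pwd_last_set_for_expiry(target, max_age)))
```

The result of pwd_last_set_for_expiry is only the value the post's formula would call for; whether a domain controller accepts it is what the rest of the thread discusses.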

 
 
 


Post by Joe Richards [MVP » Wed, 09 Oct 2002 05:43:06


Nope, but you can set account expiration for a specific date.

--
Joe Richards
www.joeware.net
---


Quote:> Is it possible to set a Win2k AD user account password to
> expire on a specific date?


 
 
 


Post by Richard Muelle » Thu, 10 Oct 2002 01:45:10


After further study, I've decided this cannot be done.

I tried to take advantage of the fact that the Account
Expires attribute (a 64-bit Integer8) can be read as an
Integer8 object, and also as a date. It can also be
assigned a date. If oUser is the user object, using the
LDAP provider:

Set oDate = oUser.AccountExpires

creates the oDate object, with HighPart and LowPart
methods that return the 64-bit value as two 32-bit numbers.

However, the account expiration date can be set to a
normal date value with the AccountExpirationDate method:

oUser.AccountExpirationDate = #10/01/2002#

This gives me a way to convert a normal date to an Integer8
object. The problem is that I cannot assign this object to
another attribute, like PwdLastSet. I get a constraint
violation. I tried:

oUser.PwdLastSet = oDate
and
Set oUser.PwdLastSet = oDate
and
oUser.Put "PwdLastSet", oDate

So, the oUser.AccountExpires attribute (and the
oUser.PwdLastSet attribute) are probably methods that
convert the Integer8 value to an object.

Bottom line, I cannot assign any Integer8 attributes to
any values, other than 0 and -1, in VBScript. This
includes the LDAP attributes AccountExpires, PwdLastSet,
LastLogon, LastLogoff, LockoutTime, and BadPasswordTime.

Richard


 
 
 


Post by Joe Richards [MVP » Thu, 10 Oct 2002 08:33:12


Yep, actually you can't assign any value other than 0 or -1 in any language.
Only the OS itself can change it to some other value.

--
Joe Richards
www.joeware.net
---


> After further study, I've decided this cannot be done.

> I tried to take advantage of the fact that the Account
> Expires attribute (a 64-bit Integer8) can be read as an
> Integer8 object, and also as a date. It can also be
> assigned a date. If oUser is the user object, using the
> LDAP provider:

> Set oDate = oUser.AccountExpires

> creates the oDate object, with HighPart and LowPart
> methods that return the 64-bit value as two 32-bit numbers.

> However, the account expiration date can be set to a
> normal date value with the AccountExpirationDate method:

> oUser.AccountExpirationDate = #10/01/2002#

> This gives me a way to convert a normal date to an Integer8
> object. The problem is that I cannot assign this object to
> another attribute, like PwdLastSet. I get a constraint
> violation. I tried:

> oUser.PwdLastSet = oDate
> and
> Set oUser.PwdLastSet = oDate
> and
> oUser.Put "PwdLastSet", oDate

> So, the oUser.AccountExpires attribute (and the
> oUser.PwdLastSet attribute) are probably methods that
> convert the Integer8 value to an object.

> Bottom line, I cannot assign any Integer8 attributes to
> any values, other than 0 and -1, in VBScript. This
> includes the LDAP attributes AccountExpires, PwdLastSet,
> LastLogon, LastLogoff, LockoutTime, and BadPasswordTime.

> Richard

 
 
 

1. Can't SET 'user can't change password' AND 'password never expires'

I've sort of figured this problem out now, but something strange is
happening and I am interested to know why this certain piece of code doesn't
work.  The comments in the code explain.

set objUser = GetObject("WinNT://DOMAINNAME/" & sUserName & ",user")
nUserFlags = objUser.Get("UserFlags")
'########################
'###### this code doesn't work
' set user can't change password
'objUser.Put "UserFlags", nUserFlags OR &H00040
' set password never expires
'objUser.Put "UserFlags", nUserFlags OR &H10000
'objUser.SetInfo
'########################

'########################
'###### this code does work
' set user can't change password and set password never expires
'objUser.Put "UserFlags", nUserFlags OR &H00040 OR &H10000
'objUser.SetInfo
'########################

I used the code here to help:
http://www.15seconds.com/issue/011127.htm
So it should be possible not to do it all on one line.  BTW, there is a bug in
that code - he forgot to put in a .SetInfo, so it looks like it was never
tested?  I have tried putting in XORs like the author suggests (but doesn't
actually do!) and it makes no difference.

Thanks,

Paul
