RE: [ActiveDir] Updating pwdLastSet
IIRC, that is not a writeable attribute. We went through a similar exercise and found that we could not change that attribute.

Diane

-----Original Message-----
From: Rex Wheeler [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 16, 2003 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Updating pwdLastSet

We are doing some integration work allowing other platforms (unix) to authenticate against Active Directory. We have succeeded in making this happen but are running into testing challenges. We would like to be able to write test scripts to verify that account and password expiration logic is working correctly. For example, we want to test that if you have a policy that says you must change your password every 30 days and you last changed your password 25 days ago, you should get a warning message saying that you have 5 days to change your password. The problem is that we can't seem to update the pwdLastSet attribute. How can the value of this attribute be set? If it cannot, does anyone have any ideas how to test such expiration logic without spending days of wall clock time?

Thanks,
Rex

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Updating pwdLastSet
It is indeed read-only in Windows 2000. You could always script changes in date and time.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rex Wheeler
Sent: 16 June 2003 18:05
To: [EMAIL PROTECTED]

We are doing some integration work allowing other platforms (unix) to authenticate against Active Directory. We have succeeded in making this happen but are running into testing challenges. We would like to be able to write test scripts to verify that account and password expiration logic is working correctly. For example, we want to test that if you have a policy that says you must change your password every 30 days and you last changed your password 25 days ago, you should get a warning message saying that you have 5 days to change your password. The problem is that we can't seem to update the pwdLastSet attribute. How can the value of this attribute be set? If it cannot, does anyone have any ideas how to test such expiration logic without spending days of wall clock time?

Thanks,
Rex
RE: [ActiveDir] Updating pwdLastSet
Thanks for the pointers. My problem is not determining who needs to change their password; rather, it is setting up a test case where the user will be warned that their password is about to expire. What I am testing is external authentication software that reads pwdLastSet and other attributes out of the directory and either logs the user into an external system, or prompts them to change their password if it is about to expire, or forces them to change their password if it has expired.

Setting pwdLastSet to 0 will allow me to test the expired case, but I need to set it to a value that will create a "password is about to expire" test case. Responses I have gotten other places seem to indicate that this is a read-only field. Your response indicates that it is read-only-mostly, with the exception of a few special values. Any idea what controls what these special values are? Or is there a way I can assume some specific (system) security context and be allowed to update this attribute?

Rex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robbie Allen
Sent: Monday, June 16, 2003 12:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Updating pwdLastSet

Actually you can set the pwdLastSet attribute to 0 (to force a password change at next logon) or -1 to disable password change at next logon. You cannot set a password expiration date though. Attached is a Perl script that will find users who have not changed their password in x number of days. The script could be easily modified to look at the max password age for the domain and notify users that have a password that is going to expire in x number of days. Let me know if you have any questions.

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: Adam Wood [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 16, 2003 2:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating pwdLastSet

It is indeed read-only in Windows 2000. You could always script changes in date and time.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rex Wheeler
Sent: 16 June 2003 18:05
To: [EMAIL PROTECTED]

We are doing some integration work allowing other platforms (unix) to authenticate against Active Directory. We have succeeded in making this happen but are running into testing challenges. We would like to be able to write test scripts to verify that account and password expiration logic is working correctly. For example, we want to test that if you have a policy that says you must change your password every 30 days and you last changed your password 25 days ago, you should get a warning message saying that you have 5 days to change your password. The problem is that we can't seem to update the pwdLastSet attribute. How can the value of this attribute be set? If it cannot, does anyone have any ideas how to test such expiration logic without spending days of wall clock time?

Thanks,
Rex
RE: [ActiveDir] Updating pwdLastSet
> Thanks for the pointers. My problem is not determining who needs to change their password; rather, it is setting up a test case where the user will be warned that their password is about to expire. What I am testing is external authentication software that reads pwdLastSet and other attributes out of the directory and either logs the user into an external system, or prompts them to change their password if it is about to expire, or forces them to change their password if it has expired.

How close to the actual expiration is "about to expire" for you? If your max password age is 180 days, for testing purposes you could make the about-to-expire timeframe in your authentication software something like 170 days before expiration. Then you would need to test with a user that set their password 10 or more days ago (you can obviously adjust these numbers accordingly).

Robbie Allen
http://www.rallenhome.com/

> Setting pwdLastSet to 0 will allow me to test the expired case, but I need to set it to a value that will create a "password is about to expire" test case. Responses I have gotten other places seem to indicate that this is a read-only field. Your response indicates that it is read-only-mostly, with the exception of a few special values. Any idea what controls what these special values are? Or is there a way I can assume some specific (system) security context and be allowed to update this attribute?
>
> Rex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robbie Allen
Sent: Monday, June 16, 2003 12:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Updating pwdLastSet

Actually you can set the pwdLastSet attribute to 0 (to force a password change at next logon) or -1 to disable password change at next logon. You cannot set a password expiration date though. Attached is a Perl script that will find users who have not changed their password in x number of days. The script could be easily modified to look at the max password age for the domain and notify users that have a password that is going to expire in x number of days. Let me know if you have any questions.

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: Adam Wood [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 16, 2003 2:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Updating pwdLastSet

It is indeed read-only in Windows 2000. You could always script changes in date and time.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rex Wheeler
Sent: 16 June 2003 18:05
To: [EMAIL PROTECTED]

We are doing some integration work allowing other platforms (unix) to authenticate against Active Directory. We have succeeded in making this happen but are running into testing challenges. We would like to be able to write test scripts to verify that account and password expiration logic is working correctly. For example, we want to test that if you have a policy that says you must change your password every 30 days and you last changed your password 25 days ago, you should get a warning message saying that you have 5 days to change your password. The problem is that we can't seem to update the pwdLastSet attribute. How can the value of this attribute be set? If it cannot, does anyone have any ideas how to test such expiration logic without spending days of wall clock time?

Thanks,
Rex
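The expiry check that Rex's authentication front end has to perform, written out as an added example (not code from the thread, and not Robbie's attached Perl script): it takes pwdLastSet and the domain's maxPwdAge as the raw large-integer values the directory returns (100 ns ticks; maxPwdAge stored negative), honours the writable special value 0, and classifies the account as must-change, expired, about-to-expire or ok. The warning window is a parameter so Robbie's 170-of-180-days lab trick can be exercised; NOW, the thresholds and the sample accounts are constructed values, and the "never expires" sentinel and userAccountControl bit are the standard AD ones rather than anything the thread states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = -0x8000000000000000   # maxPwdAge value AD stores for "passwords never expire"
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: this user's password never expires
NOW = datetime(2003, 6, 16, 18, 5, tzinfo=timezone.utc)  # constructed "current time" for the tests

class PwdState(Enum):
    MUST_CHANGE = "must change at next logon"   # pwdLastSet == 0
    NEVER_EXPIRES = "never expires"
    EXPIRED = "expired"
    ABOUT_TO_EXPIRE = "about to expire"
    OK = "ok"

@dataclass
class PwdCheck:
    state: PwdState
    days_left: Optional[int]   # whole days until expiry (rounded up); None if not applicable

def filetime_to_datetime(filetime: int) -> datetime:
    """pwdLastSet is a large integer: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def days_ago_filetime(now: datetime, days: int) -> int:
    """Construct a pwdLastSet value for a password set `days` days before `now` (test helper)."""
    td = now - timedelta(days=days) - FILETIME_EPOCH
    return (td.days * 86_400 + td.seconds) * 10_000_000 + td.microseconds * 10  # exact integer maths

def days_to_max_pwd_age(days: int) -> int:
    """maxPwdAge on the domain object is stored as a NEGATIVE 100 ns interval."""
    return -days * 24 * 60 * 60 * 10_000_000

def check_password(pwd_last_set: int, max_pwd_age: int, now: datetime,
                   warn_days: int, user_account_control: int = 0) -> PwdCheck:
    """Classify an account the way the external authentication software in the thread must."""
    if pwd_last_set == 0:   # the writable special value: change required at next logon
        return PwdCheck(PwdState.MUST_CHANGE, None)
    if max_pwd_age == NEVER_EXPIRES or user_account_control & ADS_UF_DONT_EXPIRE_PASSWD:
        return PwdCheck(PwdState.NEVER_EXPIRES, None)
    expires = filetime_to_datetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)
    remaining = expires - now
    if remaining <= timedelta(0):
        return PwdCheck(PwdState.EXPIRED, 0)
    days_left = -((-remaining) // timedelta(days=1))   # integer ceiling of remaining days
    state = PwdState.ABOUT_TO_EXPIRE if days_left <= warn_days else PwdState.OK
    return PwdCheck(state, days_left)
```

With a 30-day policy and a password set 25 days ago this returns the "5 days left" warning from Rex's scenario; with a 180-day policy and a 170-day window, a user whose password is 10 days old trips the warning while a 5-day-old password does not, which is the lab shortcut Robbie suggests.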
RE: [ActiveDir] Updating pwdLastSet
Without hacking into LSASS this isn't possible, except for being able to write a 0 or -1, which will set or clear the "password must be changed on next logon" flag. What you may consider doing is setting your test lab password policy to about 1 or 2 days, and then you don't have to wait an exceedingly long time.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rex Wheeler
Sent: Monday, June 16, 2003 1:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Updating pwdLastSet

We are doing some integration work allowing other platforms (unix) to authenticate against Active Directory. We have succeeded in making this happen but are running into testing challenges. We would like to be able to write test scripts to verify that account and password expiration logic is working correctly. For example, we want to test that if you have a policy that says you must change your password every 30 days and you last changed your password 25 days ago, you should get a warning message saying that you have 5 days to change your password. The problem is that we can't seem to update the pwdLastSet attribute. How can the value of this attribute be set? If it cannot, does anyone have any ideas how to test such expiration logic without spending days of wall clock time?

Thanks,
Rex