Actually you can set the pwdLastSet attribute to 0 (to force a password
change at next logon) or -1 to disable password change at next logon.  You
cannot set a password expiration date though.

Attached is a Perl script that will find users who have not changed their
password in x number of days.  The script could be easily modified to look
at the max password age for the domain and notify users that have a password
that is going to expire in x number of days.  Let me know if you have any
questions.

Robbie Allen
http://www.rallenhome.com/

> -----Original Message-----
> From: Adam Wood [mailto:[EMAIL PROTECTED] 
> Sent: Monday, June 16, 2003 2:53 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Updating pwdLastSet
> 
> 
> 
> It is indeed read-only in Windows 2000.  You could always 
> script changes in date and time.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rex Wheeler
> Sent: 16 June 2003 18:05
> To: [EMAIL PROTECTED]
> 
> We are doing some integration work allowing other platforms (unix) to
> authenticate against Active Directory. We have succeeded in 
> making this
> happen but are running into testing challenges. 
> 
> We would like to be able to write test scripts to verify that 
> account and
> password expiration logic is working correctly. For example 
> we want to test
> that if you have a policy that says you must change your 
> password every 30
> days and you last changed your password 25 days ago, you should get a
> warning message saying that you have 5 days to change your password.
> 
> The problem is that we can't seem to update the pwdLastSet 
> attribute. How
> can the value of this attribute be set? If it can not, does 
> anyone have any
> ideas how to test such expiration logic without spending days 
> of wall clock
> time?
> 
> Thanks,
> 
> Rex
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

# Author: Robbie Allen ([EMAIL PROTECTED])
# This code finds the users who have not changed their password in a number of days
use strict;
use warnings;
use Win32::OLE;
use Math::BigInt;

$Win32::OLE::Warn = 3;   # die on any OLE error

# ------ SCRIPT CONFIGURATION ------
# Domain and container/OU to check for accounts that are about to expire
my $domain   = 'test.com';
my $cont     = ''; # set to empty string to query entire domain
                   # Or set to a relative path in the domain, e.g. cn=Users
# Days since password change
my $days_ago = 60; # e.g. 60
# ------ END CONFIGURATION ---------

# pwdLastSet is a Windows FILETIME: 100-nanosecond intervals since 1601-01-01.
# Convert the Unix time from $days_ago days ago to that scale:
#   seconds * 10,000,000, plus the 1601-to-1970 offset (116444736000000000).
my $past_secs     = time - 60*60*24*$days_ago;
my $past_largeint = Math::BigInt->new($past_secs)
                                ->bmul('10000000')
                                ->badd('116444736000000000')
                                ->bstr;
$past_largeint =~ s/^[+-]//;   # strip any sign so the filter gets bare digits

# Setup the ADO connections
my $connObj                         = Win32::OLE->new('ADODB.Connection');
$connObj->{Provider}                = "ADsDSOObject";
# Set these next two if you need to authenticate
# $connObj->Properties->{'User ID'}   = '<User>';
# $connObj->Properties->{'Password'}  = '<Password>';
$connObj->Open;
my $commObj                         = Win32::OLE->new('ADODB.Command');
$commObj->{ActiveConnection}        = $connObj;
$commObj->Properties->{'Page Size'} = 1000;   # page results so large domains are not truncated

# Grab the default domain naming context
my $rootDSE = Win32::OLE->GetObject("LDAP://$domain/RootDSE");
my $rootNC  = $rootDSE->Get("defaultNamingContext");

# Build the ADO/ADSI query: <base>;filter;attributes;scope
$cont .= "," if $cont and not $cont =~ /,$/;
my $query  = "<LDAP://$domain/$cont$rootNC>;";
$query .=  "(&(objectClass=user)";
$query .=    "(objectCategory=Person)";
# exclude disabled accounts (userAccountControl bit 2, ACCOUNTDISABLE)
$query .=    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))";
$query .=    "(pwdLastSet<=$past_largeint)";
# pwdLastSet=0 means "must change at next logon", not an old password
$query .=    "(!(pwdLastSet=0)));";
$query .=  "cn,distinguishedName;";
$query .= "subtree";
$commObj->{CommandText} = $query;
my $resObj = $commObj->Execute;
die "Could not query $domain: ", Win32::OLE->LastError, "\n" unless ref $resObj;

# Print results
print "\nUsers who have not set their password in $days_ago days or longer:\n";
my $total = 0;
while (!$resObj->EOF) {
   print "\t", $resObj->Fields("distinguishedName")->{Value}, "\n";
   $total++;
   $resObj->MoveNext;
}
print "Total: $total\n";
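The arithmetic the script relies on, and the "warn N days before expiry" extension Robbie mentions, worked through as an added Python example (this is not part of Robbie Allen's message or his script). It reuses the script's 1601-to-1970 offset constant; the facts that AD stores maxPwdAge as a negative count of 100-ns intervals (with the int64 minimum meaning "never expires") and that userAccountControl bit 0x10000 marks a per-user non-expiring password are stated here, not taken from the thread. The current time, policy and account values are constructed to reproduce Rex's 30-day / 25-days-ago case.

```python
# Added example (not from Robbie Allen's post or script): pwdLastSet / maxPwdAge
# arithmetic for the expiry test Rex describes, using constructed values only.
from datetime import datetime, timezone

# 100-ns intervals between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch);
# the same constant the Perl script adds.
FILETIME_UNIX_OFFSET = 116_444_736_000_000_000
HUNDRED_NS_PER_SECOND = 10_000_000
HUNDRED_NS_PER_DAY = HUNDRED_NS_PER_SECOND * 86_400

PWD_MUST_CHANGE = 0              # pwdLastSet = 0: must change password at next logon
INT64_MIN = -2**63               # maxPwdAge value AD stores for "passwords never expire"
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: this user's password never expires


def unix_to_filetime(unix_seconds: int) -> int:
    """Unix seconds -> FILETIME integer as stored in pwdLastSet."""
    return unix_seconds * HUNDRED_NS_PER_SECOND + FILETIME_UNIX_OFFSET


def filetime_to_unix(filetime: int) -> int:
    """FILETIME integer -> Unix seconds (sub-second digits truncated)."""
    return (filetime - FILETIME_UNIX_OFFSET) // HUNDRED_NS_PER_SECOND


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME integer -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(filetime_to_unix(filetime), tz=timezone.utc)


def stale_password_filter(days_ago: int, now_unix: int) -> str:
    """LDAP filter equivalent to the Perl script's: enabled users whose pwdLastSet is
    at least days_ago days old, skipping pwdLastSet=0 (must-change, not stale)."""
    threshold = unix_to_filetime(now_unix - days_ago * 86_400)
    return ("(&(objectClass=user)(objectCategory=person)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            f"(pwdLastSet<={threshold})(!(pwdLastSet=0)))")


def days_until_expiry(pwd_last_set: int, max_pwd_age: int,
                      user_account_control: int, now_unix: int):
    """Whole days until the password expires, negative if already expired.
    Returns None when no expiry applies. max_pwd_age is the domain's maxPwdAge as
    stored in AD: a NEGATIVE number of 100-ns intervals."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age in (0, INT64_MIN):
        return None
    if pwd_last_set == PWD_MUST_CHANGE:
        return 0            # already forced to change; nothing left to count down
    expires_at = pwd_last_set - max_pwd_age   # subtracting the negative age adds it
    return (expires_at - unix_to_filetime(now_unix)) // HUNDRED_NS_PER_DAY


def expiry_warning(days_left, warn_days: int = 14):
    """Message the logon path should show, or None if no warning is due."""
    if days_left is None or days_left > warn_days:
        return None
    if days_left <= 0:
        return "Your password has expired and must be changed now."
    return f"Your password will expire in {days_left} day(s)."


if __name__ == "__main__":
    # Constructed scenario from the thread: 30-day policy, password changed 25 days ago.
    NOW = 1_055_800_000                            # constructed "current" Unix time
    max_pwd_age = -30 * HUNDRED_NS_PER_DAY         # 30 days, negative as AD stores it
    last_set = unix_to_filetime(NOW - 25 * 86_400)
    left = days_until_expiry(last_set, max_pwd_age, 0x200, NOW)  # 0x200 = NORMAL_ACCOUNT
    print(left, expiry_warning(left))              # 5 Your password will expire in 5 day(s).
    print(filetime_to_datetime(last_set).isoformat())
    print(stale_password_filter(60, NOW))
```

Because the conversion is integer arithmetic on the FILETIME scale, a test harness can fabricate any pwdLastSet it likes relative to a fixed "now" and feed both to the expiry logic, which is how to exercise the 5-days-left path without waiting 25 days of wall-clock time.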
