Thanks for the pointers. My problem is not determining who needs to change their password, rather it is setting up a test case where the user will be warned that their password is about to expire. What I am testing is external authentication software that reads pwdLastSet and other attributes out of the directory and either logs the user into an external system; or prompts them to change their password if it is about to expire; or forces them to change their password if it has expired.

Setting the pwdLastSet to 0 will allow me to test the expired case, but I need to set it to a value that will create a "password is about to expire" test case. Responses I have gotten other places seem to indicate that this is a read-only field. Your response indicates that it is read-only-mostly, with the exception of a few special values. Any idea what controls what these special values are? Or is there a way I can assume some specific (system) security context and be allowed to update this attribute?

Rex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Monday, June 16, 2003 12:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Updating pwdLastSet

Actually you can set the pwdLastSet attribute to 0 (to force a password change at next logon) or -1 to disable password change at next logon. You cannot set a password expiration date though.

Attached is a Perl script that will find users who have not changed their password in x number of days. The script could be easily modified to look at the max password age for the domain and notify users that have a password that is going to expire in x number of days.

Let me know if you have any questions.

Robbie Allen
http://www.rallenhome.com/

> -----Original Message-----
> From: Adam Wood [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 16, 2003 2:53 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Updating pwdLastSet
>
> It is indeed read-only in Windows 2000. You could always script changes in date and time.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rex Wheeler
> Sent: 16 June 2003 18:05
> To: [EMAIL PROTECTED]
>
> We are doing some integration work allowing other platforms (unix) to authenticate against Active Directory. We have succeeded in making this happen but are running into testing challenges.
>
> We would like to be able to write test scripts to verify that account and password expiration logic is working correctly. For example we want to test that if you have a policy that says you must change your password every 30 days and you last changed your password 25 days ago, you should get a warning message saying that you have 5 days to change your password.
>
> The problem is that we can't seem to update the pwdLastSet attribute. How can the value of this attribute be set? If it can not, does anyone have any ideas how to test such expiration logic without spending days of wall clock time?
>
> Thanks,
>
> Rex

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
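
The expiry decision this thread is about (pwdLastSet plus the domain's maximum password age, with a warning window), as an added example that is not code from any poster or from the Perl script mentioned. The function names, the 14-day `warn_days` default and the sample date are assumptions; `fixture_pwd_last_set` produces values for a mocked directory response, so the logic can be tested without waiting out the policy.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is an integer count of 100 ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 86_400 * 10_000_000
NEVER_EXPIRES = (0, -(2 ** 63))   # maxPwdAge values meaning "no expiry"


def to_ticks(when):
    """Convert an aware datetime to the integer form used by pwdLastSet."""
    d = when - EPOCH_1601
    return (d.days * 86_400 + d.seconds) * 10_000_000 + d.microseconds * 10


def password_state(pwd_last_set, max_pwd_age, now, warn_days=14):
    """Return (state, whole_days_left) with state expired, warn or ok.

    max_pwd_age is the domain's maxPwdAge, stored as a negative tick count.
    warn_days is an assumed setting of the software under test.
    """
    if pwd_last_set == 0:                 # must change at next logon
        return ("expired", 0)
    if max_pwd_age in NEVER_EXPIRES:
        return ("ok", None)
    remaining = pwd_last_set + abs(max_pwd_age) - to_ticks(now)
    if remaining <= 0:
        return ("expired", 0)
    days_left = remaining // TICKS_PER_DAY
    return ("warn" if days_left <= warn_days else "ok", days_left)


def fixture_pwd_last_set(now, max_age_days, days_left):
    """pwdLastSet value that leaves exactly days_left under the policy."""
    return to_ticks(now - timedelta(days=max_age_days - days_left))


if __name__ == "__main__":
    now = datetime(2003, 6, 16, 18, 0, tzinfo=timezone.utc)  # constructed
    policy = -30 * TICKS_PER_DAY                              # 30-day policy
    for left in (29, 5, 0, -3):
        value = fixture_pwd_last_set(now, 30, left)
        print(left, value, password_state(value, policy, now))
```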
