> Thanks for the pointers.
>
> My problem is not determining who needs to change their
> password, rather it is setting up a test case where the user
> will be warned that their password is about to expire. What I am
> testing is external authentication software that reads
> pwdLastSet and other attributes out of the directory and
> either logs the user into an external system; or prompts them
> to change their password if it is about to expire; or forces
> them to change their password if it has expired.

How close to the actual expiration is "about to expire" for you? If your max password age is 180 days, for testing purposes you could make the "about to expire" timeframe in your authentication software something like 170 days before expiration. Then you would need to test with a user that set their password 10 or more days ago (you can obviously adjust these numbers accordingly).

Robbie Allen
http://www.rallenhome.com/

> Setting the pwdLastSet to 0 will allow me to test the expired
> case, but I need to set it to a value that will create a
> "password is about to expire" test case.
>
> Responses I have gotten other places seem to indicate that
> this is a read-only field. Your response indicates that it is
> read-only-mostly, with the exception of a few special values.
>
> Any idea what controls what these special values are? Or is
> there a way I can assume some specific (system) security
> context and be allowed to update this attribute?
>
> Rex
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Robbie Allen
> Sent: Monday, June 16, 2003 12:34 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Updating pwdLastSet
>
> Actually you can set the pwdLastSet attribute to 0 (to force a password
> change at next logon) or -1 to disable password change at next logon. You
> cannot set a password expiration date though.
>
> Attached is a Perl script that will find users who have not changed their
> password in x number of days. The script could be easily modified to look
> at the max password age for the domain and notify users that have a password
> that is going to expire in x number of days. Let me know if you have any
> questions.
>
> Robbie Allen
> http://www.rallenhome.com/
>
> > -----Original Message-----
> > From: Adam Wood [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 16, 2003 2:53 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Updating pwdLastSet
> >
> > It is indeed read-only in Windows 2000. You could always
> > script changes in date and time.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rex Wheeler
> > Sent: 16 June 2003 18:05
> > To: [EMAIL PROTECTED]
> >
> > We are doing some integration work allowing other platforms (unix) to
> > authenticate against Active Directory. We have succeeded in making this
> > happen but are running into testing challenges.
> >
> > We would like to be able to write test scripts to verify that account and
> > password expiration logic is working correctly. For example we want to test
> > that if you have a policy that says you must change your password every 30
> > days and you last changed your password 25 days ago, you should get a
> > warning message saying that you have 5 days to change your password.
> >
> > The problem is that we can't seem to update the pwdLastSet attribute. How
> > can the value of this attribute be set? If it can not, does anyone have any
> > ideas how to test such expiration logic without spending days of wall clock
> > time?
> >
> > Thanks,
> >
> > Rex
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
