Title: [ActiveDir] maxPwdAge property on AD2003
I have an interesting observation about this one. If by default your MaxPwd policy is set to 42 days, then you will get (using the LDAP) 0 for LowPart and -8640 for HighPart. If you change your MaxPwd policy to something else (e.g. 45 days), then you will get -1956036608 for LowPart and -9053 for HighPart. But if you change your policy back to 42 days, then you will get 178683904 for LowPart and -8449 for HighPart, which is different from the original setting. Anyway, the calculation is always right if you omit the LowPart=0 part of the script and use
 
MaxPwdAge = ABS((objMaxPwd.HighPart * 2^32) + objMaxPwd.LowPart)/(600000000 * 1440)
 
it should give you the right answer.
 
Regards
 
Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
http://ladava.com
 

----- Original Message -----
Sent: Thursday, November 13, 2003 12:05 AM
Subject: [ActiveDir] maxPwdAge property on AD2003

We have a strange problem... there are many examples of vbscripts for checking the password expiration setting on a domain.  It is set on the empty root domain, but not on the child domain.  So all the scripts correctly report that the max password age setting on the domain is 0.  However, when we run this script on the root, it says the same thing.  A guy ran it on his w2k3 domain at home and it worked.  And here, if you use a WinNT call instead of an LDAP one, it shows the setting correctly.  I know you want to see the code, so here it is:

Set objDomain = GetObject("LDAP://abc.int/DC=abc,DC=int")

Set objMaxPwdAge = objDomain.Get("maxPwdAge")

WScript.Echo "password age is set to " & objMaxPwdAge.LowPart

I have also run Robbie Allen's script from the AD Cookbook (thanks for that Robbie, great book btw):

http://www.rallenhome.com/books/adcookbook/src/06.11-view_lockout_password_policy.vbs.txt

I changed the configuration line to:

strDomain = "abc.int"   ' e.g. rallencorp.com

and it shows all the properties correctly EXCEPT maxPwdAge.

However, this script works:

Const MIN_IN_DAY = 1440, SEC_IN_MIN = 60

Set objDomain = GetObject("WinNT://abc")

intMaxPwdAgeSeconds = objDomain.Get("MaxPasswordAge")

intMaxPwdAgeDays = ((intMaxPwdAgeSeconds/SEC_IN_MIN)/MIN_IN_DAY) & " days"

WScript.Echo "password age is set to " & intMaxPwdAgeDays

I can give more details if this is not enough info.  We have checked to make sure that the setting is correct in the default domain policy object for that domain.

Thanks

Rich
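
Added example, not part of either message: the 64-bit arithmetic behind the three HighPart/LowPart pairs quoted in the reply, in Python so the numbers can be checked off a domain controller. The function names are made up here, and the code assumes that a whole value of 0 or 0x8000000000000000 means passwords never expire; it tests the whole value because the default pair has LowPart 0 while the policy is set.

```python
from fractions import Fraction

TICKS_PER_DAY = 600_000_000 * 1440      # 100-ns ticks per minute * minutes per day
NEVER_EXPIRES = -(1 << 63)              # 0x8000000000000000 read as signed 64-bit


def to_int64(high_part, low_part):
    """Rebuild the signed 64-bit value from the two signed 32-bit halves.

    HighPart carries the sign; LowPart is really the unsigned low 32 bits,
    so a negative LowPart has to be masked back to 0..2^32-1.
    """
    return high_part * 2**32 + (low_part & 0xFFFFFFFF)


def max_pwd_age_days(high_part, low_part):
    """Return the policy in days, or None when passwords never expire."""
    value = to_int64(high_part, low_part)
    if value in (0, NEVER_EXPIRES):     # test the whole value, not LowPart alone
        return None
    return Fraction(abs(value), TICKS_PER_DAY)


def signed_lowpart_days(high_part, low_part):
    """The one-line formula from the reply, with LowPart left signed."""
    return Fraction(abs(high_part * 2**32 + low_part), TICKS_PER_DAY)


if __name__ == "__main__":
    # (HighPart, LowPart) pairs quoted in the reply above
    for pair in [(-8640, 0), (-9053, -1956036608), (-8449, 178683904)]:
        print(pair, float(max_pwd_age_days(*pair)), float(signed_lowpart_days(*pair)))
```

The default pair decodes to about 42.95 days rather than exactly 42, and leaving a negative LowPart signed overstates the 45-day policy by 2^32 ticks, roughly seven minutes.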
