Yeah, double-check the value you are getting back from
MaxPasswordAge, if zero, check out maxPwdAge attribute on the NC Head, possibly
your policy isn't being applied properly.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 24, 2006 4:47 PM
To: [email protected]
Subject: Re: [ActiveDir] max password age > where else to look?
What do you get if just before this:
If intMaxPwdAge < 0 Then
WScript.Echo "The Maximum Password Age is set to 0 in the " & _
"domain. Therefore, the password does not expire."
you echo the intMaxPwdAge value? I'm wondering if you're
not pulling back the max password age value correctly, either through a
misspelling or some other error that prevents you from getting the value.
Having used that method before, I can tell you it does work in a Windows 2000
environment and a Windows 2003 environment. Native, DFL, etc.
If that doesn't work, do you get the same results with this
script? http://support.microsoft.com/default.aspx?scid=kb;en-us;323750
On 5/24/06, Douglas W Stelley <[EMAIL PROTECTED]> wrote:
In this domain, in the default domain policy the Max Password Age is set to 90, however when I look for when the password will change using the below sample script
I always get the answer "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire."
The rest of the possibilities below do work, just the password age doesn't.
This is a Win2K Active Directory
I need to expire all passwords on a specific date, but before I do that I need to ensure the system will continue expiring them by age.
What might I be doing wrong?
Thanks
Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Set objUserLDAP = GetObject _
    ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
intCurrentValue = objUserLDAP.Get("userAccountControl")

' Account-level flag is checked before the domain policy
If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
    WScript.Echo "The password does not expire."
Else
    dtmValue = objUserLDAP.PasswordLastChanged
    WScript.Echo "The password was last changed on " & _
        DateValue(dtmValue) & " at " & TimeValue(dtmValue) & vbCrLf & _
        "The difference between when the password was last set " & _
        "and today is " & Int(Now - dtmValue) & " days"
    intTimeInterval = Int(Now - dtmValue)

    ' Domain-wide maximum password age, read through the WinNT provider
    Set objDomainNT = GetObject("WinNT://fabrikam")
    intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
    If intMaxPwdAge < 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."
    Else
        ' Convert seconds to days
        intMaxPwdAge = (intMaxPwdAge / SEC_IN_DAY)
        WScript.Echo "The maximum password age is " & intMaxPwdAge & " days"
        If intTimeInterval >= intMaxPwdAge Then
            WScript.Echo "The password has expired."
        Else
            WScript.Echo "The password will expire on " & _
                DateValue(dtmValue + intMaxPwdAge) & " (" & _
                Int((dtmValue + intMaxPwdAge) - Now) & " days from today" & _
                ")."
        End If
    End If
End If
