That was it, the policy needed to be re-applied. Boy did I cause hate and discontent when suddenly hundreds of users needed to change their passwords because they had expired!
Thanks all
"joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] 05/24/2006 10:41 PM
Yeah, double-check the value you are getting back from MaxPasswordAge; if zero, check out the maxPwdAge attribute on the NC Head. Possibly your policy isn't being applied properly.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, May 24, 2006 4:47 PM
To: [email protected]
Subject: Re: [ActiveDir] max password age > where else to look?
What do you get if just before this:

    If intMaxPwdAge < 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."

you echo the intMaxPwdAge value? I'm wondering if you're not pulling back the max password age value correctly, either through a misspelling or some other error that prevents you from getting the value. Having used that method before, I can tell you it does work in a Windows 2000 environment and a Windows 2003 environment. Native, DFL, etc.

If that doesn't work, do you get the same results with this script? http://support.microsoft.com/default.aspx?scid=kb;en-us;323750
On 5/24/06, Douglas W Stelley <[EMAIL PROTECTED]> wrote:
In this domain, in the default domain policy the Max Password Age is set
to 90, however when I look for when the password will change using the
below sample script
I always get the answer "The Maximum Password Age is set to
0 in the domain. Therefore, the password does not expire."
The rest of the possibilities below do work, just the password age doesn't.
This is a Win2K Active Directory
I need to expire all passwords on a specific date, but before I do that
I need to ensure the system will continue expiring them by age.
What might I be doing wrong?
Thanks
    Const SEC_IN_DAY = 86400
    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

    ' Bind to the user object and read its account-control flags
    Set objUserLDAP = GetObject _
        ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
    intCurrentValue = objUserLDAP.Get("userAccountControl")

    If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
        WScript.Echo "The password does not expire."
    Else
        dtmValue = objUserLDAP.PasswordLastChanged
        WScript.Echo "The password was last changed on " & _
            DateValue(dtmValue) & " at " & TimeValue(dtmValue) & vbCrLf & _
            "The difference between when the password was last set " & _
            "and today is " & Int(Now - dtmValue) & " days"
        intTimeInterval = Int(Now - dtmValue)

        ' The WinNT provider returns MaxPasswordAge in seconds
        Set objDomainNT = GetObject("WinNT://fabrikam")
        intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")

        If intMaxPwdAge < 0 Then
            WScript.Echo "The Maximum Password Age is set to 0 in the " & _
                "domain. Therefore, the password does not expire."
        Else
            ' Convert seconds to days before comparing with the password age
            intMaxPwdAge = (intMaxPwdAge / SEC_IN_DAY)
            WScript.Echo "The maximum password age is " & intMaxPwdAge & " days"
            If intTimeInterval >= intMaxPwdAge Then
                WScript.Echo "The password has expired."
            Else
                WScript.Echo "The password will expire on " & _
                    DateValue(dtmValue + intMaxPwdAge) & " (" & _
                    Int((dtmValue + intMaxPwdAge) - Now) & " days from today" & _
                    ")."
            End If
        End If
    End If
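
joe's suggestion in the thread is to look at the raw maxPwdAge attribute on the NC head when MaxPasswordAge comes back wrong. The following is an added example, not part of the original thread or any poster's code: it decodes that attribute (a negative 64-bit count of 100-nanosecond intervals, returned by ADSI as HighPart/LowPart) and applies it to a user's pwdLastSet and userAccountControl values. The function names, state labels and sample values are assumptions made for illustration, as is treating a raw value of 0 as "no maximum age".

```python
from datetime import datetime, timedelta, timezone

TICKS_PER_DAY = 864_000_000_000        # 100-nanosecond intervals in one day
NEVER_EXPIRES = -(1 << 63)             # maxPwdAge value meaning "no maximum age"
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000    # same flag the script in the thread tests
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def large_integer(high_part, low_part):
    """Join ADSI IADsLargeInteger HighPart/LowPart into a signed 64-bit int."""
    value = ((high_part & 0xFFFFFFFF) << 32) | (low_part & 0xFFFFFFFF)
    return value - (1 << 64) if value >= (1 << 63) else value


def max_pwd_age_days(raw):
    """Maximum password age in days, or None when the domain sets no maximum."""
    # Assumption: a raw 0 is treated like the "never" sentinel, not as 0 days.
    if raw == 0 or raw == NEVER_EXPIRES:
        return None
    return -raw / TICKS_PER_DAY        # the attribute stores a negative interval


def filetime_to_utc(filetime):
    """Convert a pwdLastSet FILETIME (100-ns ticks since 1601) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def password_status(pwd_last_set, max_pwd_age_raw, user_account_control, now):
    """Return (state, expiry) for one account from raw directory values."""
    if user_account_control & ADS_UF_DONT_EXPIRE_PASSWD:
        return ("never-expires-flag", None)
    if pwd_last_set == 0:
        return ("must-change-at-next-logon", None)
    days = max_pwd_age_days(max_pwd_age_raw)
    if days is None:
        return ("no-domain-max-age", None)
    expiry = filetime_to_utc(pwd_last_set) + timedelta(days=days)
    return ("expired" if expiry <= now else "valid", expiry)


if __name__ == "__main__":
    # Constructed sample values: a 90-day policy, password set 2006-01-01 UTC.
    raw_90 = -90 * TICKS_PER_DAY
    set_on = int((datetime(2006, 1, 1, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10_000_000
    now = datetime(2006, 5, 24, tzinfo=timezone.utc)
    print(password_status(set_on, raw_90, 0x200, now))
    print(password_status(set_on, NEVER_EXPIRES, 0x200, now))
```

Running the same check against the raw attribute before and after re-applying the policy shows whether the domain value actually changed, independent of what the WinNT provider reports.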
