From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Thursday, May 25, 2006 11:49 AM
To: [email protected]
Subject: RE: [ActiveDir] max password age > where else to look?
That was it, the policy needed to be re-applied. Boy did I cause hate and discontent when suddenly hundreds of users needed to change there password cause they had expired!
Thanks all
| "joe"
<[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 05/24/2006 10:41 PM
|
|
Yeah doublecheck the value you are getting back from MaxPasswordAge, if zero, check out maxPwdAge attribute on the NC Head, possibly your policy isn't being applied properly.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 24, 2006 4:47 PM
To: [email protected]
Subject: Re: [ActiveDir] max password age > where else to look?
What do you get if just before this:
If intMaxPwdAge < 0 Then
WScript.Echo "The Maximum Password Age is set to 0 in the " & _
"domain. Therefore, the password does not expire."
you echo the intMaxPwdAge value? I'm wondering if you're not
pulling back the max password age value correctly either through a misspelling
or some other error prevents you from getting the value. Having used that
method before, I can tell you it does work in a Windows 2000 environment and a
Windows 2003 environment. Native, DFL, etc.
If that
doesn't work, do you get the same results with this script? http://support.microsoft.com/default.aspx?scid=kb;en-us;323750
On 5/24/06,
Douglas W Stelley <[EMAIL PROTECTED]>
wrote:
In this domain, in the
default domain policy the Max Password Age is set to 90, however when I look for
when the password will change using the below sample script
I always get the answer "The
Maximum Password Age is set to 0 in the domain. Therefore, the password does not
expire."
The
rest of the possibilities below do work, just the password age doesn't.
This is a Win2K
Active Directory
I need to expire all passwords on a specific date, but before I do
that I need to ensure the system will continue expiring them by age.
What might I be
doing wrong?
Thanks
Const SEC_IN_DAY = 86400
Const
ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Set objUserLDAP = GetObject
_
("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
intCurrentValue =
objUserLDAP.Get("userAccountControl")
If intCurrentValue and
ADS_UF_DONT_EXPIRE_PASSWD Then
Wscript.Echo "The password does not
expire."
Else
dtmValue = objUserLDAP.PasswordLastChanged
Wscript.Echo "The password was last changed on " & _
DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf
& _
"The difference between when the
password was last set" & _
"and today is " & int(now - dtmValue) & " days"
intTimeInterval = int(now - dtmValue)
Set objDomainNT =
GetObject("WinNT://fabrikam")
intMaxPwdAge =
objDomainNT.Get("MaxPasswordAge")
If intMaxPwdAge < 0
Then
WScript.Echo "The Maximum Password Age is set
to 0 in the " & _
"domain. Therefore,
the password does not expire."
Else
intMaxPwdAge = (intMaxPwdAge/SEC_IN_DAY)
Wscript.Echo "The maximum password age is " & intMaxPwdAge & "
days"
If intTimeInterval >= intMaxPwdAge
Then
Wscript.Echo "The password has
expired."
Else
Wscript.Echo "The password will expire on " & _
DateValue(dtmValue + intMaxPwdAge) & " (" &
_
int((dtmValue +
intMaxPwdAge) - now) & " days from today" & _
")."
End If
End If
End If
