RE: [ActiveDir] max password age > where else to look?

[Gil Kirkpatrick]

Think “divisble by 7”…   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, June 06, 2006 12:36 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] max password age > where else to look?   I'll second guess joe - 91 stops ppl from using cyclic passwords, which use dates or quarters to generate a password. e.g. passwordq12006, passwordq22006 etc.   Hopefully joe will give an authoritative response :)   neil   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Sent: 05 June 2006 22:59 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] max password age > where else to look? Okay.  I'll ask the question that everyone else is afraid to....  why 91 and not 90?    Cheers   On 5/31/06, joe <[EMAIL PROTECTED]> wrote: :o)   I can imagine....     Something I like to recommend to folks is to monitor password changes. Depending on how big you are you may even want to do it daily. It is a great way to keep an eye open for various issues. For instance if passwords aren't being changed in the normal periods at the normal rates, your policy may not be working. If more than usual are being changed then possibly you have some DC issues. You will even be able to graph out the password changes and possibly find interesting trends. Oh to go along with this, I recommend a password age of 91 days for the obvious reasons... Actually I always recommend that over 90 days.      joe    From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Douglas W Stelley Sent: Thursday, May 25, 2006 11:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] max password age > where else to look?   That was it, the policy needed to be re-applied. Boy did I cause hate and discontent when suddenly hundreds of users needed to change there password cause they had expired! Thanks all "joe" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 05/24/2006 10:41 PM Please respond to ActiveDir@mail.activedir.org To <ActiveDir@mail.activedir.org> cc   Subject RE: [ActiveDir] max password age > where else to look?   Yeah doublecheck the value you are getting back from MaxPasswordAge, if zero, check out maxPwdAge attribute on the NC Head, possibly your policy isn't being applied properly.      joe   -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm     From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick Sent: Wednesday, May 24, 2006 4:47 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] max password age > where else to look? What do you get if just before this: If intMaxPwdAge < 0 Then       WScript.Echo "The Maximum Password Age is set to 0 in the " & _           "domain. Therefore, the password does not expire." you echo the intMaxPwdAge value? I'm wondering if you're not pulling back the max password age value correctly either through a misspelling or some other error prevents you from getting the value.  Having used that method before, I can tell you it does work in a Windows 2000 environment and a  Windows 2003 environment.  Native, DFL, etc.     If that doesn't work, do you get the same results with this script? http://support.microsoft.com/default.aspx?scid=kb;en-us;323750 On 5/24/06, Douglas W Stelley < [EMAIL PROTECTED]> wrote: In this domain, in the default domain policy the Max Password Age is set to 90, however when I look for when the password will change using the below sample script I always get the answer  "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire." The rest of the possibilities below do work, just the password age doesn't. This is a Win2K Active Directory I need to expire all passwords on a specific date, but before I do that I need to ensure the system will continue expiring them by age. What might I be doing wrong? Thanks Const SEC_IN_DAY = 86400 Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000 Set objUserLDAP = GetObject _ ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com") intCurrentValue = objUserLDAP.Get("userAccountControl") If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then   Wscript.Echo "The password does not expire." Else   dtmValue = objUserLDAP.PasswordLastChanged   Wscript.Echo "The password was last changed on " & _       DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _           "The difference between when the password was last set" &  _               "and today is " & int(now - dtmValue) & " days"   intTimeInterval = int(now - dtmValue)   Set objDomainNT = GetObject("WinNT://fabrikam")   intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")   If intMaxPwdAge < 0 Then        WScript.Echo "The Maximum Password Age is set to 0 in the " & _           "domain. Therefore, the password does not expire."   Else       intMaxPwdAge = (intMaxPwdAge/SEC_IN_DAY)        Wscript.Echo "The maximum password age is " & intMaxPwdAge & " days"       If intTimeInterval >= intMaxPwdAge Then         Wscript.Echo "The password has expired."       Else         Wscript.Echo "The password will expire on " & _             DateValue(dtmValue + intMaxPwdAge) & " (" & _                 int((dtmValue + intMaxPwdAge) - now) & " days from today" & _                     ")."       End If   End If End If   PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.