Basically when a user logs on, the DC processing the authentication retrieves the local time in Int8 format and the value of maxPwdAge on the NC Head. It then subtracts the maxPwdAge[1] from the local time Int8 value and checks the pwdLastSet value of the user attempting to log on. If the pwdLastSet value is less than the previously calculated value then the account is considered expired and the account can not be logged into.
That is the long technical way of saying, the latter... ;o)

Something similar occurs with lockouts, only the NC head attribute is lockoutDuration and the user attribute is lockoutTime, and the account is still locked out if the lockoutTime value is greater than the calculated value. If the account is determined to be outside of the lockout duration, the DC at that point clears the lockoutTime value[2].

joe

[1] Actually it adds it, the maxPwdAge value is negative but I didn't want to throw people for a loop by saying adds it if they didn't look at the value or understand you can add a positive value and a negative value.

[2] I state this for those who look at a user with a lockoutTime value but know the account isn't locked and wonder what is going on. This was a bug in ADUC for some time where if there was any value in lockoutTime, the account was considered locked. I think they fixed it but I am not sure, I hope so as I bugged it like 10 times since December 1999.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Christine Allen
Sent: Monday, June 26, 2006 5:09 AM
To: [email protected]
Subject: [ActiveDir] Password Expiration

We have a 120 day password expiration GPO. What happens if a user changes their password in the 120 day time period? Do they still get prompted when the whole domain does or do they get prompted 120 days after they reset their password?

Thanks.

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02216
617-748-6034
617-293-4407

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
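The two comparisons described in the reply above, worked through in Python as an added example that is not part of the original thread. The function names and sample dates are constructed; treating a maxPwdAge of 0 as "no maximum age" is an assumption beyond what the thread states, and per-user flags are ignored.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # Int8 values count 100-nanosecond intervals

def ticks(td):
    """timedelta -> number of 100 ns intervals, using integer arithmetic only."""
    return (td.days * 86400 + td.seconds) * TICKS_PER_SECOND + td.microseconds * 10

def to_int8(dt):
    """Timezone-aware datetime -> Int8 timestamp (ticks since 1601-01-01 UTC)."""
    return ticks(dt - EPOCH_1601)

def from_int8(value):
    """Int8 timestamp -> UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def policy_interval(td):
    """Duration as stored on the NC head (maxPwdAge, lockoutDuration): negative."""
    return -ticks(td)

def password_expired(now, max_pwd_age, pwd_last_set):
    if max_pwd_age == 0:          # assumption: 0 means no maximum age is set
        return False
    cutoff = now + max_pwd_age    # "adds it": the stored value is negative
    return pwd_last_set < cutoff

def password_expires_at(max_pwd_age, pwd_last_set):
    """Expiry follows the user's own pwdLastSet, not a domain-wide date."""
    return pwd_last_set - max_pwd_age

def still_locked_out(now, lockout_duration, lockout_time):
    if lockout_time == 0:         # no lockout recorded
        return False
    return lockout_time > now + lockout_duration

def demo():
    utc = timezone.utc
    max_age = policy_interval(timedelta(days=120))           # constructed policy
    changed = to_int8(datetime(2006, 6, 26, 9, 0, tzinfo=utc))  # constructed date
    return from_int8(password_expires_at(max_age, changed))

if __name__ == "__main__":
    print("password expires:", demo().isoformat())
```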
