It seems I had that backward - checking "require change at next logon" sets pwdLastSet to 0 and afterward unchecking it sets it to -1. I've done some research and understand that the "0" value is standard. I don't understand the -1, however. My testing shows when this is set to -1, the password does not seem to be expired and the user can login without changing their password. Effectively, the user has a valid password that will never expire. Imagine this scenario.
Thanks, Thomas On Wed, Jan 30, 2013 at 9:00 AM, Thomas Simmons <[email protected]> wrote: > Hello, > > I am in the process of updating a bunch of scripts and tools that I had > created for use with our Samba 3 domain. I am currently working on a script > that emails a password expiration warning. I have the script setup to query > the pwdLastSet attribute for each user. It then performs some simple math > to figure out when the password will expire and when the notification > emails should start. Everything is working for the most part, however I > found that if the "User must change password at next logon" box is checked > when an Admin resets a password, pwdLastSet gets set to -1. If I then go > into the account properties AFTER the reset, and uncheck this option under > the account tab, pwdLastSet gets changed from -1 to 0. Both of these screw > up my calculations. Is this normal Active Directory behavior? I can alter > the script to specifically look for those values and take some action if > this is normal behavior - I simply want to make sure. Are there any other > cases where pwdLastSet would not be a "proper" AD timestamp? > > Thanks, > Thomas > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
