Reputation: 9815
ASP.NET C# Active Directory - See how long before a user's password expires
I have an interesting problem, I am writing a password management webpage/service and I am trying to find a way to determine when a user's password is going to expire so I can manually reset their other passwords with it and send out an email, etc.
The problem I'm having is that when trying to loop through my users I'm getting the bulk of them not having a pwdlastset attribute so I can't determine when it's going to expire.
So I guess I am looking for ideas on a good way to check for when a user's password is going to expire aside from using the pwdlastset property and calculating the time left.
Thanks a bunch.
Upvotes: 4
Views: 6328
Answers (3)
Reputation: 754368
It's actually quite a bit more complicated than you might think at first...
- in order to know how long a password can be valid, you need to read a "domain policy" and find out that way
Then:
- if the user has the "UF_DONT_EXPIRE_PASSWD" flag set in his "userAccountControl", his password will never expire
- if the "pwdLastSet" value (a "ADSLargeInteger" or Int64 value, which is rather tricky to read in the first place) is 0, the user will have to change his password the next time he logs on
- if the "pwdLastSet" value is -1, the password has never been set
- only if none of the above are true, then the "pwdLastSet" value contains the date when the password was last set, to which you can add the "MaxPasswordAge" from the domain policy, and this will give you the date when the user's password is going to expire
Phew! Did you think it would be this tricky? :-)
Marc
PS: If you're serious about .NET based AD programming, you ought to have this book:
The .NET Developer's Guide to Directory Services Programming
The book contains all the goodies like determining user's password expiration dates, determining user account lockout state and much much more - highly recommended! Joe and Ryan did an outstanding job getting all this information together and explaining it so that even an average Joe programmer like myself can understand it :-)
Upvotes: 8
Reputation: 2313
Here's another approach:
public static DateTime GetPasswordExpirationDate(UserPrincipal user)
{
DirectoryEntry deUser = (DirectoryEntry)user.GetUnderlyingObject();
ActiveDs.IADsUser nativeDeUser = (ActiveDs.IADsUser)deUser.NativeObject;
return nativeDeUser.PasswordExpirationDate;
}
You'll need to add a reference to the ActiveDS COM library typically found at C:\Windows\System32\activeds.tlb.
Upvotes: 0
Reputation: 7484
As far as I know, if pwdlastset is zero or missing, the user is either required to change their password at the next logon or their account is setup with a non-expiring password. Could this be the cause of what you are seeing?
Upvotes: 0
Related Questions
- How to get user's password expiration date from Active Directory?
- Active Directory - check if password never expires?
- PrincipalContext & UserPrincipal how to know when password expires?
- Determine when a the current user account's password is about to expire
- C# AD users password expiry
- Active Directory Password Expiration Date
- How can I find out an ADUser's password expiry date or days left until password expiry?
- How to detect if a user's password has expired
- .NET Active Directory Password Expiration on Windows 2008
- Validate Expired Password in active directory