How to learn whether a user password is expired or not in Active Directory?

Question

In my ASP.NET MVC (C#) project I must learn whether a user password is expired or not? I found some answers about that on the internet but they didn't be useful for me.

The first way to do using maxpwdage +pwdlastset= password expired date, and the second solution is that using useraccountcontrol attribute to learn whether it is expired or not. If this attribute's value is 8389120, user password is expired.

Altough user password is expired in AD, useraccountcontrolvalue is still 512. I tried to do with maxpwdage+pwdlastset but I couldn't see an attribute like maxpwdage (I got users as an administrator)

Active Directory user password expiration date .NET/OU Group Policy (first way) https://support.microsoft.com/en-us/kb/305144 (second way)

Both of them aren't working because of reasons that I mentioned above.

Are there any other ways to do this or how can i see value of the maxpwdage attribute?

EDIT: I am getting the user who i want from here

            DirectoryEntry dEntry = new DirectoryEntry
                        ( "LDAP://a.b.c:123/OU=d, DC=e, DC=f", this.GetAdUserName(),
                        this.GetAdUserPassword() );
            DirectorySearcher directorySearcher = new DirectorySearcher( dEntry );
            directorySearcher.Asynchronous = true;
            directorySearcher.CacheResults = true;
            directorySearcher.Filter = "(&(sAMaccountName=" + identificationNumber + "))";
            SearchResult user = directorySearcher.FindOne();
            return user;

I am checking user's properties but I couldn't find maxpwdage property.

Answer 1

You can use TimeSpan which represent time interval. And then all you need is check today's date and expired date.

DateTime expireDate = passwordLastChanged.AddDays(iMaxPwdAge);
TimeSpan ts = expireDate - DateTime.Now;
int iDaysTilExpired = ts.Days;
WriteLogMessage("Days til password expires:" + iDaysTilExpired);

And also there is a good example, I changed someparts for my project and it works for me.

Edit :

You can use attribute msDS-UserPasswordExpiryTimeComputed for getting user password expiration date.

and also

The 'maxPwdAge' attribute is held on the domainDNS class (the root of the directory) as it is part of policy. It is not held on the user object. If you are using .NET 2.0, you can get this easily:

using (DirectoryEntry domain = Domain.GetCurrentDomain())
{
    DirectorySearcher ds = new DirectorySearcher(
        domain,
        "(objectClass=*)",
        null,
        SearchScope.Base
        );

        SearchResult sr = ds.FindOne();

        TimeSpan maxPwdAge = TimeSpan.MinValue;

        if (sr.Properties.Contains("maxPwdAge"))
            maxPwdAge = TimeSpan.FromTicks((long)sr.Properties["maxPwdAge"][0]);
}

Edit 2 :

Here is full example you can use:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.DirectoryServices;

namespace LDAP
{
    class Program
    {
        static void Main(string[] args)
        {
            string domainAndUsername = string.Empty;
            string domain = string.Empty;
            string userName = string.Empty;
            string passWord = string.Empty;
            AuthenticationTypes at = AuthenticationTypes.Anonymous;
            StringBuilder sb = new StringBuilder();

            domain = @"LDAP://w.x.y.z";
            domainAndUsername = @"LDAP://w.x.y.z/cn=Lawrence E."+
                        " Smithmier\, Jr.,cn=Users,dc=corp,"+
                        "dc=productiveedge,dc=com";
            userName = "Administrator";
            passWord = "xxxpasswordxxx";
            at = AuthenticationTypes.Secure;

            DirectoryEntry entry = new DirectoryEntry(
                        domain, userName, passWord, at);

            DirectorySearcher mySearcher = new DirectorySearcher(entry);

            SearchResultCollection results;
            string filter = "maxPwdAge=*";
            mySearcher.Filter = filter;

            results = mySearcher.FindAll();
            long maxDays = 0;
            if(results.Count>=1)
            {
                Int64 maxPwdAge=(Int64)results[0].Properties["maxPwdAge"][0];
                maxDays = maxPwdAge/-864000000000;
            }

            DirectoryEntry entryUser = new DirectoryEntry(
                        domainAndUsername, userName, passWord, at);
            mySearcher = new DirectorySearcher(entryUser);

            results = mySearcher.FindAll();
            long daysLeft=0;
            if (results.Count >= 1)
            {
                var lastChanged = results[0].Properties["pwdLastSet"][0];
                daysLeft = maxDays - DateTime.Today.Subtract(
                        DateTime.FromFileTime((long)lastChanged)).Days;
            }
            Console.WriteLine(
                        String.Format("You must change your password within"+
                                      " {0} days"
                                     , daysLeft));
            Console.ReadLine();
        }
    }
}