Reputation: 3777
I'm writing a VBScript that will simply check each user in AD if their password has been changed within a given number of days. When I was trying to get it working for a single user, I came up with the following working code:
    Option Explicit
    Dim objUser, strLDAPConnection, intPwdExpLimit
    strLDAPConnection = "CN=Test User,OU=Test,OU=Employees,DC=domain,DC=com"
    intPwdExpLimit = 90
    Set objUser = GetObject("LDAP://" + strLDAPConnection)
    WScript.Echo DaysSincePwdChange(objUser)

    Function DaysSincePwdChange(objUserAccount)
        DaysSincePwdChange = dateDiff("d", objUserAccount.PasswordLastChanged, Now)
    End Function
So then I tried to get it to work by looping through all users in a Test OU with the following code:
    Option Explicit
    Const strOffice = "Test"
    Dim objEmployeesOU, objUser, intPwdExpLimit
    intPwdExpLimit = 90
    Set objEmployeesOU = GetObject("LDAP://OU=" & strOffice & _
        ",OU=Employees,DC=domain,DC=com")
    For Each objUser In objEmployeesOU
        If objUser.class = "user" Then
            If ((DaysSincePwdChange(objUser)) >= intPwdExpLimit) Then
                MsgBox(objUser & ": Password Expired.")
            Else
                MsgBox(objUser & ": Password Current.")
            End If
        End If
    Next

    Function DaysSincePwdChange(objUserAccount)
        DaysSincePwdChange = dateDiff("d", objUserAccount.PasswordLastChanged, Now)
    End Function
The above code produces a 0x8000500D error, and googling the error says that it can't find the property in the cache (referring to the PasswordLastSet property, see error description link here).
Any ideas why the first block of code works fine but the second has a problem accessing that property?
Upvotes: 1
Views: 2725
Reputation: 360
You can also use the Property Cache as demonstrated in the code below. The idea is:
1. objUser.PurgePropertyList
2. objUser.GetInfoEx Array("pwdLastSet"), 0 : this should populate the property cache with the value of the attribute if it has been set.
3. If objUser.PropertyCount < 1 Then : if it is less than one, then the value of the attribute is not set; otherwise, retrieve the value of the attribute.

See also:
- IADsPropertyList::PurgePropertyList method (iads.h)
- How to trap error for empty directory property variable error 8000500D, a somewhat similar question.
    Const strOffice = "Test"
    Dim objEmployeesOU, objUser, intPwdExpLimit
    intPwdExpLimit = 90
    Set objEmployeesOU = GetObject("LDAP://OU=" & strOffice & _
        ",OU=Employees,DC=domain,DC=com")
    For Each objUser In objEmployeesOU
        If objUser.Class = "user" Then
            objUser.PurgePropertyList
            objUser.GetInfoEx Array("pwdLastSet"), 0
            If objUser.PropertyCount < 1 Then
                WSH.Echo objUser.DisplayName & ": Password has never been changed."
            Else
                If ((DaysSincePwdChange(objUser)) >= intPwdExpLimit) Then
                    WSH.Echo objUser.DisplayName & ": Password Expired."
                Else
                    WSH.Echo objUser.DisplayName & ": Password Current."
                End If
            End If
        End If
    Next

    Function DaysSincePwdChange(objUserAccount)
        DaysSincePwdChange = DateDiff("d", objUserAccount.PasswordLastChanged, Now)
    End Function
Upvotes: 0
Reputation: 200273
Error code 0x8000500d means E_ADS_PROPERTY_NOT_FOUND. The password of the user has never been changed, so the property is not set. You could handle the condition like this:
    Function DaysSincePwdChange(objUserAccount)
        On Error Resume Next
        DaysSincePwdChange = dateDiff("d", objUserAccount.PasswordLastChanged, Now)
        If Err Then
            If Err.Number = &h8000500d Then
                DaysSincePwdChange = -1
            Else
                WScript.Echo "Unexpected Error (0x" & Hex(Err.Number) & "): " & _
                    Err.Description
                WScript.Quit 1
            End If
        End If
    End Function
and modify the check like this:
    ' With Option Explicit, passwordAge must also be added to the Dim statement
    passwordAge = DaysSincePwdChange(objUser)
    If passwordAge >= intPwdExpLimit Then
        MsgBox(objUser & ": Password Expired.")
    ElseIf passwordAge = -1 Then
        MsgBox(objUser & ": Password never changed.")
    Else
        MsgBox(objUser & ": Password Current.")
    End If
Upvotes: 3
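The pwdLastSet attribute mentioned in the answers can also be read directly, as in this added example, which is not code from the question or either answer. It separates the missing attribute (error 0x8000500D) and the value 0 from a real timestamp and rethrows any other error. The helper name PwdAgeDays and the -1 sentinel are assumptions; pwdLastSet is stored as 100-nanosecond intervals since 1601-01-01 UTC, and the time zone offset against Now is ignored here.

```vbscript
Option Explicit

Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D
Const intPwdExpLimit = 90
Dim objEmployeesOU, objUser, intAge

' OU path taken from the question
Set objEmployeesOU = GetObject("LDAP://OU=Test,OU=Employees,DC=domain,DC=com")
For Each objUser In objEmployeesOU
    If objUser.Class = "user" Then
        intAge = PwdAgeDays(objUser)
        If intAge < 0 Then
            WScript.Echo objUser.Name & ": Password never set, or change required at next logon."
        ElseIf intAge >= intPwdExpLimit Then
            WScript.Echo objUser.Name & ": Password Expired (" & intAge & " days)."
        Else
            WScript.Echo objUser.Name & ": Password Current (" & intAge & " days)."
        End If
    End If
Next

' Hypothetical helper (not from the page): whole days since pwdLastSet,
' or -1 when the attribute is absent or holds 0.
' Any error other than "property not found" is raised again, not swallowed.
Function PwdAgeDays(objUserAccount)
    Dim objLargeInt, lngHigh, lngLow, dblDays, lngErr
    PwdAgeDays = -1
    On Error Resume Next
    Set objLargeInt = objUserAccount.Get("pwdLastSet")
    lngErr = Err.Number
    On Error GoTo 0
    If lngErr = E_ADS_PROPERTY_NOT_FOUND Then Exit Function
    If lngErr <> 0 Then Err.Raise lngErr
    lngHigh = objLargeInt.HighPart
    lngLow = objLargeInt.LowPart
    If lngHigh = 0 And lngLow = 0 Then Exit Function
    ' LowPart is exposed as a signed Long; negative means bit 31 is set
    If lngLow < 0 Then lngHigh = lngHigh + 1
    dblDays = (lngHigh * 2 ^ 32 + lngLow) / 864000000000
    PwdAgeDays = DateDiff("d", #1/1/1601# + dblDays, Now)
End Function
```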