Nah, I think joe's just lazy and doesn't want to type it again. And again. And again. And ag.....
 
http://groups.google.com/group/microsoft.public.win2000.active_directory/browse_thread/thread/639b5262e419fac8/0bbc9401b9d8a473?lnk=st&q=joe+91+days+policy&rnum=1&hl=en#0bbc9401b9d8a473
 
 


 
On 6/5/06, Steve <[EMAIL PROTECTED]> wrote:
Okay.  I'll ask the question that everyone else is afraid to....  why 91 and not 90? 
 
Cheers

 
On 5/31/06, joe <[EMAIL PROTECTED]> wrote:
:o)
 
I can imagine....
 
 
Something I like to recommend to folks is to monitor password changes. Depending on how big you are you may even want to do it daily. It is a great way to keep an eye open for various issues. For instance if passwords aren't being changed in the normal periods at the normal rates, your policy may not be working. If more than usual are being changed then possibly you have some DC issues. You will even be able to graph out the password changes and possibly find interesting trends. Oh to go along with this, I recommend a password age of 91 days for the obvious reasons... Actually I always recommend that over 90 days.
 
   joe 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Douglas W Stelley
Sent: Thursday, May 25, 2006 11:49 AM
Subject: RE: [ActiveDir] max password age > where else to look?

 

That was it, the policy needed to be re-applied. Boy did I cause hate and discontent when suddenly hundreds of users needed to change their password cause they had expired!
Thanks all


"joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
05/24/2006 10:41 PM
To: <ActiveDir@mail.activedir.org>
cc:
Subject: RE: [ActiveDir] max password age > where else to look?





Yeah double-check the value you are getting back from MaxPasswordAge, if zero, check out maxPwdAge attribute on the NC Head, possibly your policy isn't being applied properly.
 
   joe
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
 
 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, May 24, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] max password age > where else to look?


What do you get if just before this:
If intMaxPwdAge < 0 Then
      WScript.Echo "The Maximum Password Age is set to 0 in the " & _
          "domain. Therefore, the password does not expire."

you echo the intMaxPwdAge value? I'm wondering if you're not pulling back the max password age value correctly, either through a misspelling or some other error that prevents you from getting the value. Having used that method before, I can tell you it does work in a Windows 2000 environment and a Windows 2003 environment. Native, DFL, etc.
 
 
If that doesn't work, do you get the same results with this script? http://support.microsoft.com/default.aspx?scid=kb;en-us;323750



On 5/24/06, Douglas W Stelley < [EMAIL PROTECTED]> wrote:

In this domain, in the default domain policy the Max Password Age is set to 90, however when I look for when the password will change using the below sample script


I always get the answer  "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire."


The rest of the possibilities below do work, just the password age doesn't.


This is a Win2K Active Directory


I need to expire all passwords on a specific date, but before I do that I need to ensure the system will continue expiring them by age.


What might I be doing wrong?


Thanks






Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

' Bind to the user object and read its account-control flags
Set objUserLDAP = GetObject _
    ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
intCurrentValue = objUserLDAP.Get("userAccountControl")

If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
  Wscript.Echo "The password does not expire."
Else
  dtmValue = objUserLDAP.PasswordLastChanged
  Wscript.Echo "The password was last changed on " & _
      DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
      "The difference between when the password was last set " & _
      "and today is " & Int(Now - dtmValue) & " days"
  intTimeInterval = Int(Now - dtmValue)

  ' Read the domain maximum password age (in seconds) through the WinNT provider
  Set objDomainNT = GetObject("WinNT://fabrikam")
  intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
  If intMaxPwdAge < 0 Then
    WScript.Echo "The Maximum Password Age is set to 0 in the " & _
        "domain. Therefore, the password does not expire."
  Else
    ' Convert seconds to days before comparing with the password's age
    intMaxPwdAge = (intMaxPwdAge / SEC_IN_DAY)
    Wscript.Echo "The maximum password age is " & intMaxPwdAge & " days"
    If intTimeInterval >= intMaxPwdAge Then
      Wscript.Echo "The password has expired."
    Else
      Wscript.Echo "The password will expire on " & _
          DateValue(dtmValue + intMaxPwdAge) & " (" & _
          Int((dtmValue + intMaxPwdAge) - Now) & " days from today" & _
          ")."
    End If
  End If
End If
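
An added example, not part of the original thread or anyone's posted script: the same expiry check done from the raw directory values joe points to (maxPwdAge on the NC head, plus each user's pwdLastSet and userAccountControl), together with the per-day password-change count he suggests monitoring. It assumes the attributes have already been fetched as integers by an LDAP query; the user records, the 91-day value and the function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000      # same flag the script above tests
NEVER = (0, -0x8000000000000000)         # maxPwdAge values meaning "no expiry"

def filetime_to_dt(ft):
    """pwdLastSet is a count of 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def max_age(max_pwd_age):
    """maxPwdAge is a NEGATIVE 100-ns interval; None means no expiry."""
    if max_pwd_age in NEVER:
        return None
    return timedelta(microseconds=-max_pwd_age // 10)

def expiry(user, max_pwd_age):
    """Return ('never' | 'must_change' | 'expires', datetime or None)."""
    age = max_age(max_pwd_age)
    if user["userAccountControl"] & ADS_UF_DONT_EXPIRE_PASSWD or age is None:
        return ("never", None)
    if user["pwdLastSet"] == 0:          # flagged to change at next logon
        return ("must_change", None)
    return ("expires", filetime_to_dt(user["pwdLastSet"]) + age)

def changes_per_day(users):
    """Histogram of password changes by UTC date, for trend monitoring."""
    return Counter(filetime_to_dt(u["pwdLastSet"]).date()
                   for u in users if u["pwdLastSet"])

def to_filetime(dt):                     # helper for building sample data
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

# Constructed sample data (not from the thread): 91-day policy, three users.
MAX_PWD_AGE_91 = -91 * 86400 * 10_000_000
T0 = datetime(2006, 5, 24, 12, 0, tzinfo=timezone.utc)
USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "pwdLastSet": to_filetime(T0)},
    {"sAMAccountName": "svc", "userAccountControl": 0x10200, "pwdLastSet": to_filetime(T0)},
    {"sAMAccountName": "bob", "userAccountControl": 0x200, "pwdLastSet": 0},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["sAMAccountName"], *expiry(u, MAX_PWD_AGE_91))
    print(dict(changes_per_day(USERS)))
```

Running `changes_per_day` on a daily export and comparing the counts against the usual rate gives the trend data described in joe's message; a `max_age` of `None` for the whole domain is the case to investigate before forcing an expiry date.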



