How to set password expiration date of Active Directory user (VBScript)


  • Monday, August 15, 2011 9:32 AM

    I am writing an application that communicates with Active Directory and I need to test how it behaves when the password of a user account in Active Directory has only a few days until its expiration date.

    Therefore my question is: how can I set the password expiration date of a particular Active Directory user account to a date like "today + 2 days" (without changing the password expiration policy, of course!). I am looking for a way to do that using VBScript.

    I have already tried this approach:

    • Using IADsUser::PasswordExpirationDate (see code example below). Problem: setting PasswordExpirationDate fails with error code 0x800A01BD; it only succeeds with the value 0 ("expire now").

    Code example:

    'VBScript
    ' Bind to the test account and try to push its expiration date out by two days.
    strUserName = "test97"
    Set objUser = GetObject("LDAP://CN=" & strUserName & ",CN=Users,DC=mydomain,DC=com")
    dtmDate = Now + 2
    ' This assignment fails with 0x800A01BD; only the value 0 ("expire now") is accepted.
    objUser.PasswordExpirationDate = dtmDate
    objUser.SetInfo
    MsgBox "Successfully changed password expiration date"


All Replies

  • Monday, August 15, 2011 10:11 AM
    Moderator
     Answered

    It cannot be done.

    There is no user attribute for the date their password expires. Instead, the relevant attribute of the Active Directory user is the pwdLastSet attribute. This attribute is Integer8, a large 64-bit number that represents a date as the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. The only value that AD allows you to assign to pwdLastSet is 0, which means the password was set in 1601, so long ago that it must be expired. When the user logs on and changes their password, AD then assigns the Integer8 value corresponding to the current date/time to pwdLastSet. Only the system (AD) can assign any value other than 0 to this attribute. The date the password expires is calculated as the date corresponding to the value of pwdLastSet, plus the maxPwdAge policy (also an Integer8 attribute).

    PasswordExpirationDate is a property method exposed by the IADsUser interface. It calculates the date a password expires from the pwdLastSet attribute of the user and the maxPwdAge attribute of the domain.

    Richard Mueller - MVP Directory Services
  • Friday, June 08, 2012 1:51 PM
     Proposed Answer

    Actually that's not quite completely accurate. There are two values that can be assigned to pwdLastSet: 0 and -1.

    Setting it to 0 does, as you mentioned, set it to 1601, but more importantly, regardless of password expiration policies on the domain, it sets the flag for "password must be changed on next logon".

    Setting it to -1 resets the pwdLastSet by changing it to the current time, effectively telling AD the password has just been changed (without actually changing it).

    Hope this helps.

  • Friday, June 08, 2012 2:01 PM
    Moderator

    A further clarification. Yes, you can assign the value -1 to pwdLastSet. Because of the way 64-bit integers are saved in AD, this actually corresponds to the largest possible value that can be saved in a 64-bit integer, 2^63-1. This corresponds to a date way in the future (in the year 30828). When the user next logs on, this prompts Active Directory to then assign the value corresponding to the current date and time to the pwdLastSet attribute. This means that the password will expire maxPwdAge after the next logon (not maxPwdAge after the value -1 was assigned to pwdLastSet).


    Richard Mueller - MVP Directory Services
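
As an added example (not code from the thread or from any of its posters), the calculation described in the answers above in Python: converting Integer8 values to and from dates, then deriving the expiration date from pwdLastSet plus maxPwdAge, with the special values 0 and -1 (stored as 2^63-1) handled the way the thread describes. It assumes, as AD does, that maxPwdAge is stored as a negative interval, and it also checks the userAccountControl bit DONT_EXPIRE_PASSWD (0x10000), which the thread does not mention.

```python
from datetime import datetime, timedelta, timezone

# Integer8 values count 100 ns intervals since 12:00 AM January 1, 1601 (UTC).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INT64_MAX = 2**63 - 1            # the stored form of "-1" discussed in the thread
DONT_EXPIRE_PASSWD = 0x10000     # userAccountControl bit (assumption: not in the thread)


def filetime_to_datetime(value: int) -> datetime:
    """Integer8 -> aware UTC datetime (the sub-microsecond part is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware datetime -> Integer8, computed in integers to avoid float drift."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def password_expiration(pwd_last_set: int, max_pwd_age: int, user_account_control: int = 0):
    """Expiry datetime, or a string naming the special case.

    max_pwd_age is the domain's maxPwdAge: AD stores it as a *negative* interval,
    and 0 means passwords never expire.
    """
    if user_account_control & DONT_EXPIRE_PASSWD or max_pwd_age == 0:
        return "never"
    if pwd_last_set == 0:
        # "Set in 1601": the user must change the password at next logon.
        return "expired (must change at next logon)"
    if pwd_last_set == INT64_MAX:
        # What writing -1 is stored as; AD stamps the real time at next logon.
        return "pending next logon"
    return filetime_to_datetime(pwd_last_set) + timedelta(microseconds=abs(max_pwd_age) // 10)


def days_until_expiration(pwd_last_set: int, max_pwd_age: int, now: datetime):
    """Whole days remaining (the condition the OP wanted to test), or None if no date applies."""
    expiry = password_expiration(pwd_last_set, max_pwd_age)
    if not isinstance(expiry, datetime):
        return None
    return (expiry - now.astimezone(timezone.utc)).days


if __name__ == "__main__":
    # Constructed sample: password set 2011-08-13 00:00 UTC under a 42-day maxPwdAge.
    last_set = datetime_to_filetime(datetime(2011, 8, 13, tzinfo=timezone.utc))
    forty_two_days = -42 * 86400 * 10_000_000
    print(password_expiration(last_set, forty_two_days))   # 2011-09-24 00:00:00+00:00
    print(days_until_expiration(last_set, forty_two_days,
                                datetime(2011, 8, 15, 9, 32, tzinfo=timezone.utc)))  # 39
```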