How to set password expiration date of Active Directory user (VBScript)

    Question

  • I am writing an application that communicates with Active Directory and I need to test how it behaves when the password of a user account in Active Directory has only a few days until its expiration date.

    Therefore my question is: how can I set the password expiration date of a particular Active Directory user account to a date like "today + 2 days" (without changing the password expiration policy, of course!). I am looking for a way to do that using VBScript.

    I have already tried this approach:

    • Using IADsUser::PasswordExpirationDate, see code example below: Problem: setting PasswordExpirationDate fails with error code 0x800A01BD. It only succeeds with value 0 ("expire now").

    Code example:

    'VBScript
    strUserName = "test97"
    Set objUser = GetObject("LDAP://CN=" & strUserName & ",CN=Users,DC=mydomain,DC=com")
    dtmDate = Now + 2
    ' The next line is where the script fails with 0x800A01BD
    ' (VBScript runtime error 445, "Object doesn't support this action");
    ' only the value 0 ("expire now") is accepted here.
    objUser.PasswordExpirationDate = dtmDate
    objUser.SetInfo
    MsgBox "Successfully changed password expiration date"

    Monday, August 15, 2011 9:32 AM

Answers

  • It cannot be done.

    There is no user attribute for the date their password expires. Instead, the relevant attribute of the Active Directory user is the pwdLastSet attribute. This attribute is Integer8, a large 64-bit number that represents a date as the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. The only value that AD allows you to assign to pwdLastSet is 0, which means the password was set in 1601, so long ago that it must be expired. When the user logs on and changes their password, AD then assigns the Integer8 value corresponding to the current date/time to pwdLastSet. Only the system (AD) can assign any value other than 0 to this attribute. The date the password expires is calculated as the date corresponding to the value of pwdLastSet, plus the maxPwdAge policy (also an Integer8 attribute).

    PasswordExpirationDate is a property method exposed by the IADsUser interface. It calculates the date a password expires from the pwdLastSet attribute of the user and the maxPwdAge attribute of the domain.

    Richard Mueller - MVP Directory Services
    Monday, August 15, 2011 10:11 AM
    Moderator

All replies

  • It cannot be done.

    There is no user attribute for the date their password expires. Instead, the relevant attribute of the Active Directory user is the pwdLastSet attribute. This attribute is Integer8, a large 64-bit number that represents a date as the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. The only value that AD allows you to assign to pwdLastSet is 0, which means the password was set in 1601, so long ago that it must be expired. When the user logs on and changes their password, AD then assigns the Integer8 value corresponding to the current date/time to pwdLastSet. Only the system (AD) can assign any value other than 0 to this attribute. The date the password expires is calculated as the date corresponding to the value of pwdLastSet, plus the maxPwdAge policy (also an Integer8 attribute).

    PasswordExpirationDate is a property method exposed by the IADsUser interface. It calculates the date a password expires from the pwdLastSet attribute of the user and the maxPwdAge attribute of the domain.

    Richard Mueller - MVP Directory Services

    Actually that's not quite completely accurate. There are two values that can be assigned to pwdLastSet: 0 and -1.

    Setting it to 0 does, as you mentioned, set it to 1601, but more importantly, regardless of password expiration policies on the domain, it sets the flag for "password must be changed on next logon".

    Setting it to -1 resets the pwdLastSet by changing it to the current time, effectively telling AD the password has just been changed (without actually changing it).

    Hope this helps.

    • Proposed as answer by cogumel0 Friday, June 08, 2012 1:51 PM
    Friday, June 08, 2012 1:51 PM
  • A further clarification. Yes, you can assign the value -1 to pwdLastSet. Because of the way 64-bit integers are saved in AD, this actually corresponds to the largest possible value that can be saved in a 64-bit integer, 2^63-1. This corresponds to a date way in the future (in the year 30828). When the user next logs on, this prompts Active Directory to then assign the value corresponding to the current date and time to the pwdLastSet attribute. This means that the password will expire maxPwdAge after the next logon (not maxPwdAge after the value -1 was assigned to pwdLastSet).


    Richard Mueller - MVP Directory Services

    Friday, June 08, 2012 2:01 PM
    Moderator
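    As an added, offline illustration of the arithmetic described in the accepted answer and in the -1 clarification above (example code written for this page, not posted by anyone in the thread), the following Python functions convert Integer8 values to dates, derive the expiry state from pwdLastSet and maxPwdAge, and handle the two special values 0 and -1 (stored as 2^63-1, year 30828, which Python's datetime cannot represent). Two details are assumptions about how AD encodes the policy and are not stated in the thread: maxPwdAge is stored as a negative number of 100-nanosecond intervals, so "pwdLastSet plus maxPwdAge" is computed as a subtraction, and a domain whose maximum password age is 0 ("never") stores the most negative 64-bit value. All sample values are constructed.

    ```python
    from datetime import datetime, timedelta, timezone

    # Active Directory Integer8 timestamps count 100-nanosecond intervals since
    # 12:00 AM, January 1, 1601 (UTC), as the answer describes.
    AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
    INTERVALS_PER_SECOND = 10_000_000

    # Writing -1 to pwdLastSet stores the largest signed 64-bit value (year 30828).
    INT64_MAX = 2**63 - 1
    # Assumption (not stated in the thread): a domain whose "Maximum password age"
    # policy is 0 ("never") carries the most negative Integer8 in maxPwdAge.
    INT64_MIN = -2**63


    def integer8_to_datetime(value):
        """Convert an Integer8 timestamp to an aware UTC datetime.

        Returns None when the date cannot be represented (datetime stops at
        year 9999), which is the case for 2**63 - 1.
        """
        try:
            return AD_EPOCH + timedelta(microseconds=value // 10)
        except OverflowError:
            return None


    def integer8_to_year(value):
        """Approximate Gregorian year of an Integer8 value, usable beyond year 9999."""
        seconds = value / INTERVALS_PER_SECOND
        return 1601 + int(seconds // (365.2425 * 86400))


    def datetime_to_integer8(dt):
        """Inverse of integer8_to_datetime for aware datetimes."""
        delta = dt.astimezone(timezone.utc) - AD_EPOCH
        return (delta.days * 86400 + delta.seconds) * INTERVALS_PER_SECOND + delta.microseconds * 10


    def password_expiry(pwd_last_set, max_pwd_age):
        """Derive the expiry state from pwdLastSet (user) and maxPwdAge (domain).

        Returns (state, expiry_datetime_or_None). maxPwdAge is assumed to be
        stored as a negative interval, so "pwdLastSet plus the policy" becomes
        pwdLastSet - maxPwdAge.
        """
        if pwd_last_set == 0:
            # Set in 1601: already expired, user must change it at next logon.
            return ("must-change", None)
        if pwd_last_set in (-1, INT64_MAX):
            # -1 as written, 2**63-1 as stored: per the clarification above, AD
            # stamps the current time at the user's next logon.
            return ("pending-logon", None)
        if max_pwd_age in (0, INT64_MIN):
            return ("never", None)
        return ("expires", integer8_to_datetime(pwd_last_set - max_pwd_age))


    def days_until_expiry(pwd_last_set, max_pwd_age, now):
        """Whole days from `now` (aware datetime) until expiry, or None if no date applies."""
        state, expiry = password_expiry(pwd_last_set, max_pwd_age)
        if state != "expires":
            return None
        return (expiry - now).days


    if __name__ == "__main__":
        # Constructed sample values: pwdLastSet for 2011-08-15 00:00 UTC and a
        # 42-day maximum password age expressed as -42 days in 100-ns intervals.
        sample_pwd_last_set = 129578400000000000
        sample_max_pwd_age = -42 * 86400 * INTERVALS_PER_SECOND
        today = datetime(2011, 9, 24, tzinfo=timezone.utc)
        print(password_expiry(sample_pwd_last_set, sample_max_pwd_age))
        print("days left:", days_until_expiry(sample_pwd_last_set, sample_max_pwd_age, today))
        print("year for 2**63-1:", integer8_to_year(INT64_MAX))
    ```

    The "today + 2 days" situation from the question cannot be produced by writing to the user, but the same arithmetic lets a test harness pick a pwdLastSet value that would yield it: feed `days_until_expiry` a `now` two days before the computed expiry and check that it returns 2.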
  • Please have a look at this post http://wp.me/pBVRH-6V, which describes how to reset a user's password expiry using the Attribute Editor.
    Friday, August 16, 2013 9:48 PM
  • Please have a look at this post http://wp.me/pBVRH-6V, which describes how to reset a user's password expiry using the Attribute Editor.

    For those of us who distrust short links (I HATE them, this isn't Twitter), this link goes here:

    http://seneej.com/2013/08/15/extending-password-expire-date-of-active-directory-user/

    The content is the same 0 and -1 tricks, with ADUC screenshots this time.

    Not exactly what you'd expect in a scripting forum, but still useful information.


    Don't retire TechNet!

    Friday, August 16, 2013 11:23 PM
  • Is there a way to set a user's password expiry to today or to the current time?


    Regards, Nag www.itsnag.info

    Wednesday, September 04, 2013 7:29 PM
  • Is there a way to set a user's password expiry to today or to the current time?

    1. This question is already marked as answered.

    2. Your question has already been answered in the previous replies.

    Bill

    Wednesday, September 04, 2013 7:51 PM
    Moderator
  • Is there a way to set a user's password expiry to today or to the current time?


    Regards, Nag www.itsnag.info

    Using 0 will immediately expire the password. If you have more questions, you should start up a new question. This one has been marked as answered for years.

    EDIT: Man, another time I should have refreshed first.... Something's wrong with me today.


    Don't retire TechNet! - (Maybe there's still a chance for hope, over 10,750+ strong and growing)

    Wednesday, September 04, 2013 8:04 PM