How to set "msDS-MaximumPasswordAge" to "Password never expires" with PowerShell

    Question

  • I am trying to set the "msDS-MaximumPasswordAge" to "Password never expires" by PowerShell. Actually this is done with a command like this:

    New-ADFineGrainedPasswordPolicy ... -MaxPasswordAge "365.00:00:00"

    In this example the passwords would expire after 365 days, but I want it to never expire.

    If I configure this policy with adsiedit.msc, I can use the term "(never)" successfully. The same is true for LDIF-Import, where the promising value is "-9223372036854775808" (I8-Format).

    I cannot find any helpfile or other source where the wanted value is mentioned. If I analyse a configured PSO (with the desired value already set) with "Get-ADFineGrainedPasswordPolicy" the returned value is "00:00:00", but it's not possible to set this value. At least: I am not able to do it successfully.

    Thanks in Advance, T.

    Monday, 4 October 2010 18:51

Answers

  • I'm not a PowerShell expert. I believe there is no policy for this. If so, you must modify all user objects where you want the password to never expire. If someone knows better, please reply. From the documentation, the following command will enable a specified user:

    Set-ADObject 'SaraDavis' -Replace @{<BitflagAttributeName>='512'}

    I assume "SaraDavis" is the "pre-Windows 2000 logon" name of the user (the value of the sAMAccountName attribute). The problem is that this command does not just reset the "Account Disabled" bit (the bit mask is &H2, or decimal 2). It assigns a completely new value to the userAccountControl attribute, which may undo other settings (like "Password Never Expires"). In this case, you need a command that sets the "Password Never Expires" (without affecting other settings), which is &H10000 (or 65536 in decimal). You also need a script that does this for all of the users desired.

    Richard Mueller
    MVP ADSI

    • Marked as answer by Bruce-Liu, Friday, 15 October 2010 11:31
    Wednesday, 6 October 2010 16:47
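Richard's point about a plain -Replace overwriting every other userAccountControl flag, shown as an added example (this is not his code and does not come from the thread): a function that turns on only the 0x10000 bit with a bitwise OR, and a query listing accounts that already carry it so exemptions from expiry can be reviewed. The account names are constructed for illustration.

```powershell
# Added example (not Richard Mueller's code). Sets the "Password Never Expires"
# flag (ADS_UF_DONT_EXPIRE_PASSWD, 0x10000 = 65536) on userAccountControl with a
# bitwise OR, so existing flags such as ACCOUNTDISABLE (0x2) are left untouched.
# Account names used below are constructed for illustration.
Import-Module ActiveDirectory

$ADS_UF_ACCOUNTDISABLE     = 0x2
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Set-PasswordNeverExpiresPreservingFlags {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$SamAccountName
    )
    process {
        foreach ($name in $SamAccountName) {
            $user = Get-ADUser -Identity $name -Properties userAccountControl
            $old  = [int]$user.userAccountControl
            # -Replace @{userAccountControl='512'} would overwrite every flag;
            # -bor turns on exactly one bit and keeps the rest as they were.
            $new  = $old -bor $ADS_UF_DONT_EXPIRE_PASSWD
            if ($new -eq $old) {
                Write-Verbose ("{0}: flag already set (0x{1:X})" -f $name, $old)
                continue
            }
            $msg = "userAccountControl 0x{0:X} -> 0x{1:X}" -f $old, $new
            if ($PSCmdlet.ShouldProcess($name, $msg)) {
                Set-ADUser -Identity $name -Replace @{ userAccountControl = $new }
            }
        }
    }
}

# Review side: enumerate accounts that already carry the flag, via the LDAP
# bitwise-AND matching rule, and show whether each one is disabled.
function Get-NonExpiringPasswordAccounts {
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$ADS_UF_DONT_EXPIRE_PASSWD)" `
               -Properties userAccountControl |
        Select-Object SamAccountName,
            @{ n = 'Disabled'; e = { [bool]($_.userAccountControl -band $ADS_UF_ACCOUNTDISABLE) } }
}

# Preview first (-WhatIf), then run without it to apply the change.
'SaraDavis', 'jdoe' | Set-PasswordNeverExpiresPreservingFlags -WhatIf
Get-NonExpiringPasswordAccounts | Format-Table -AutoSize
```

The ActiveDirectory module's own Set-ADAccountControl -PasswordNeverExpires $true performs the same single-bit update; the function above makes the bit arithmetic Richard describes explicit.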
  • Whilst the New-ADFineGrainedPasswordPolicy doesn't accept "(never)" or "-9223372036854775808", you can use Set-ADObject straight after to set the attribute value directly, e.g.:

    New-ADFineGrainedPasswordPolicy -Name "New Password Policy" `
        -Precedence 1 `
        -ComplexityEnabled $True `
        -LockoutDuration "00:30:00" `
        -LockoutObservationWindow "00:30:00" `
        -LockoutThreshold 5 `
        -MinPasswordAge "0.00:00:00" `
        -MinPasswordLength 8 `
        -ReversibleEncryptionEnabled $False

    Set-ADObject "CN=New Password Policy,CN=Password Settings Container,CN=System,DC=my,DC=domain,DC=com" -Replace @{"msDS-MaximumPasswordAge"="-9223372036854775808"}

    Once you've applied this policy to a user you can check the user's msDS-UserPasswordExpiryTimeComputed attribute and see that it is set to (never), i.e. the value 9223372036854775807.

    Hope this helps.


    • Edited by Andy Turner, Tuesday, 21 May 2013 11:53
    • Marked as answer by Thorsten _, Tuesday, 21 May 2013 14:01
    Tuesday, 21 May 2013 11:40
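The procedure above (create the PSO, write the raw attribute value the cmdlet rejects, then verify through the user's msDS-UserPasswordExpiryTimeComputed) as an added example that is not Andy's code and not part of the thread; it also decodes the two large-integer sentinels quoted in this reply. The policy name and the user are constructed.

```powershell
# Added example (not Andy Turner's code). Creates the PSO, writes the raw
# "(never)" sentinel that the cmdlet parameter will not accept, and decodes the
# two large-integer values quoted in the thread. Policy name and user are constructed.
Import-Module ActiveDirectory

$PsoNeverExpires      = [long]::MinValue   # -9223372036854775808, the LDIF "(never)" value
$ComputedNeverExpires = [long]::MaxValue   #  9223372036854775807 on msDS-UserPasswordExpiryTimeComputed
$TicksPerDay          = 864000000000        # 100-ns intervals in one day

function ConvertFrom-MaximumPasswordAge {
    # msDS-MaximumPasswordAge is stored as a negative duration in 100-ns units
    param([Parameter(Mandatory)][long]$Value)
    if ($Value -eq $PsoNeverExpires) { return '(never)' }
    return ('{0} days' -f (-$Value / $TicksPerDay))
}

function ConvertFrom-PasswordExpiryComputed {
    # msDS-UserPasswordExpiryTimeComputed is a FILETIME, or Int64.MaxValue for never
    param([Parameter(Mandatory)][long]$Value)
    if ($Value -eq $ComputedNeverExpires) { return '(never)' }
    return [DateTime]::FromFileTime($Value)
}

function New-NeverExpiringPso {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][int]$Precedence)
    $pso = New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -ComplexityEnabled $true -MinPasswordLength 8 -MinPasswordAge '0.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false -PassThru
    # Set-ADObject writes the raw attribute value that -MaxPasswordAge rejects
    Set-ADObject -Identity $pso.DistinguishedName `
        -Replace @{ 'msDS-MaximumPasswordAge' = $PsoNeverExpires }
    Get-ADObject -Identity $pso.DistinguishedName -Properties 'msDS-MaximumPasswordAge'
}

# Offline sanity check of the decoders against the values quoted in the thread
ConvertFrom-MaximumPasswordAge     -Value ([long]::MinValue)   # (never)
ConvertFrom-MaximumPasswordAge     -Value -315360000000000     # 365 days
ConvertFrom-PasswordExpiryComputed -Value ([long]::MaxValue)   # (never)

# Against a domain: create, apply to one user, then read the computed expiry back
$pso = New-NeverExpiringPso -Name 'Never Expires PSO' -Precedence 1
ConvertFrom-MaximumPasswordAge -Value $pso.'msDS-MaximumPasswordAge'
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.DistinguishedName -Subjects 'SaraDavis'
$u = Get-ADUser 'SaraDavis' -Properties 'msDS-UserPasswordExpiryTimeComputed'
ConvertFrom-PasswordExpiryComputed -Value $u.'msDS-UserPasswordExpiryTimeComputed'
```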

All replies

  • Password never expires is a bit of the userAccountControl attribute. See this link:

    http://msdn.microsoft.com/en-us/library/aa746416(VS.85).aspx

    You are correct, msDS-MaximumPasswordAge cannot be set to zero.

    Richard Mueller
    MVP ADSI
    Monday, 4 October 2010 19:50
  • Thanks for the reply, Richard.

    But this does not give me an answer to the question: Is it possible to create a PSO with New-ADFineGrainedPasswordPolicy if I want the passwords not to expire? I am really surprised about the fact that this could be a problem. Keep in mind that it is no problem to set the required value by adsiedit or by ldif-import.

    Thorsten

    Wednesday, 6 October 2010 04:18
  • Great. Thanks. T.
    Tuesday, 21 May 2013 14:01