password expiration date

    Question

  • When I use "net user username", I always get a result saying "the password expires in 60 days since the last set", but our default domain policy defines passwords to expire 45 days after the last set. So can someone advise how I can tell what date a user's password is going to expire, or do I have to do the math from the last password set every single time?

    Thank you very much!

    Thursday, June 2, 2016 8:25 PM

All replies

  • I've posted in your other thread:
    https://social.technet.microsoft.com/Forums/en-US/1b1501b9-b13d-454b-84a3-c82cfe521829/domain-password-vs-local-computer-password?forum=winserverGP

    Can you tell us whether you use an older or a modern Windows version for your AD?

    If you use modern Windows, you can use ADAC to easily find the account/password policy "effective policy".

    If you use older Windows, you may consider the Account Lockout tools extensions for ADUC.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, June 2, 2016 9:47 PM
  • Hi,

    According to my research, Active Directory calculates password expiration by reading the date when a user’s password was last changed (using the pwdLastSet attribute) and then reading the password policy (for the domain or AD container, depending on your AD functional level) for the account to determine the maximum password age. These two values are added to determine the password expiration value.

    password change date + password policy maximum password age = password expiration date

    The PwdLastSet attribute should reflect the date and time that the password for this account was last changed. The information comes from the official article:

    Pwd-Last-Set attribute

    https://msdn.microsoft.com/en-us/library/windows/desktop/ms679430(v=vs.85).aspx

    Another article for your reference:

    How Active Directory Calculates Account Password Expiration Dates
    http://blog.webactivedirectory.com/2011/04/21/how-active-directory-calculates-account-password-expiration-dates/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, June 3, 2016 2:23 AM
    Moderator
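A worked version of the formula above, added here as an example that is not part of the thread: it does the pwdLastSet + maximum-password-age arithmetic in the raw FILETIME units AD stores (maxPwdAge lives on the domain object as a negative 100-ns tick count, which is the attribute the original poster later found carrying the 60-day value) and handles the cases where no date exists. The sample dates and values are constructed; on a 2008-mode domain the DC performs this computation itself in the constructed attribute msDS-UserPasswordExpiryTimeComputed, and a fine-grained PSO on the account overrides the domain value.

```python
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC (pwdLastSet uses it).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# maxPwdAge value the DC stores when the domain policy says "passwords never expire".
MAXPWDAGE_NEVER = -0x8000000000000000
# userAccountControl bit "Password never expires" (per-account override).
UF_DONT_EXPIRE_PASSWD = 0x10000


def datetime_to_filetime(dt: datetime) -> int:
    """Convert a UTC datetime into FILETIME ticks, using exact integer math."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert FILETIME ticks back to a UTC datetime (sub-microsecond part dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def max_pwd_age_ticks(days: int) -> int:
    """Encode a maximum password age in days as the negative tick count AD stores."""
    return -days * 86400 * TICKS_PER_SECOND


def password_expiry(pwd_last_set: int, max_pwd_age: int, user_account_control: int = 0):
    """Apply 'pwdLastSet + maximum password age'; returns a datetime or a reason string."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return "never (account flag)"
    if max_pwd_age == MAXPWDAGE_NEVER:
        return "never (domain policy)"
    if pwd_last_set == 0:
        return "must change at next logon"
    # maxPwdAge is stored as a NEGATIVE tick count, so subtracting it adds the age.
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


if __name__ == "__main__":
    # Constructed sample: password last set 2016-06-01 UTC; compare the 60-day
    # maxPwdAge the poster observed with the 45 days the GPO was expected to give.
    last_set = datetime_to_filetime(datetime(2016, 6, 1, tzinfo=timezone.utc))
    for days in (60, 45):
        print(days, "days ->", password_expiry(last_set, max_pwd_age_ticks(days)))
    print("flagged ->", password_expiry(last_set, max_pwd_age_ticks(60), UF_DONT_EXPIRE_PASSWD))
```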
  • What is the full name for ADAC so that I can find the link to download? Thank you very much, DonPick!!!
    Friday, June 3, 2016 3:09 PM
  • What is considered an older Windows version for AD? Our domain is running on a Windows 2008 R2 server. My desktop is running Windows 10. What is ADUC?

    Thank you very much!

    Friday, June 3, 2016 3:28 PM
  • What is ADUC?

    Active Directory Users & Computers console.

    AD Forests and Domains have various modes they can run in, Windows 2003 mode, Windows 2008 mode etc. I think Windows 2008 by default runs in Windows 2003 mode unless you set it to run in 2008 mode. This affects what features are available in AD.

    Friday, June 3, 2016 3:53 PM
  • I found ADAC, which has already been installed on the server and my computer. Also, I finally figured out where the password expiration of 60 days comes from. It is on the top of the domain's attribute. What confuses me now is that it seems the attribute takes over the password expiration instead of the password policy that is defined in the default domain policy. And the password policy from the default domain policy becomes the password expiration for the local machine, while the attribute for the domain is the real domain user password expiration. Interesting!

    Shall I have to match the attribute settings with the password policy?

    Thank you very much!


    Friday, June 3, 2016 4:20 PM
  • How to verify what mode our domain is running? Please advise!

    Thank you!!!

    Friday, June 3, 2016 5:08 PM
  • Go to the properties of the domain and the information shows as follows:

    domain functional level: Windows Server 2008 R2

    forest functional level: windows server 2008 R2

    Do they mean our domain is on Windows 2008 mode?

    Friday, June 3, 2016 5:11 PM
  • I found ADAC, which has already been installed on the server and my computer. Also, I finally figured out where the password expiration of 60 days comes from. It is on the top of the domain's attribute. What confuses me now is that it seems the attribute takes over the password expiration instead of the password policy that is defined in the default domain policy. And the password policy from the default domain policy becomes the password expiration for the local machine, while the attribute for the domain is the real domain user password expiration. Interesting!

    Shall I have to match the attribute settings with the password policy?

    Thank you very much!


    ADUC is the tool introduced with Windows Server 2000 and is still available in newer versions of Windows.
    ADAC is a newer tool introduced with Windows Server 2012.

    Some useful articles about password policy / account policy, and how the settings *can* be applied, and the *defaults*:

    https://blogs.manageengine.com/active-directory/2014/05/16/domain-password-policies-configuring-and-auditing-correctly.html

    http://kpytko.pl/active-directory-domain-services/setting-default-domain-password-policy/

    http://kpytko.pl/active-directory-domain-services/domain-password-policy/

    https://redmondmag.com/articles/2011/08/01/managing-active-directory-password-policies.aspx


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Friday, June 3, 2016 11:10 PM