Password Policy Control

Hello,
I want to know whether Active Directory supports "Password Policy
Control" or not.
SunONE directory server has password controls.
It has these password controls
OID: 2.16.840.1.113730.3.4.4 (LDAP_CONTROL_PWEXPIRED)
OID: 2.16.840.1.113730.3.4.5 (LDAP_CONTROL_PWEXPIRING)

Can Active Directory server pass back information to client to tell the
status of directory controlled passwords, whether they have expired or
about to expire, and send a message to that effect instead of the
standard logon error message?

Thanks in advance

Regards,
Sanket
 
As per RFC, you query the rootdse for what supported controls are
supported. AD does not support those controls.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Hi
How can I get when a user's password is expired and about to expire? Can it be
done in C/C++?
 
You can't get it on the bind, you will need to query the directory for
the user object and work it out from the pwdLastSet attribute as well as
determine the domain expiration policy. I would also recommend checking
out the lockoutTime attribute as well as whether or not the account is
disabled (useraccountcontrol&2) and if the account is expired
(accountExpires).


If you are using ADAM you can look at the msDS-UserPasswordExpired,
msDS-UserAccountDisabled, ms-DS-UserAccountAutoLocked attributes of the
user object.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
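
The calculation described in the reply above, as an added example that is not part of the original thread: once the user object's attributes and the domain's maxPwdAge have been read over LDAP, the client works out the account and password state itself. The struct, function and flag names and the `warn_days` threshold are hypothetical, the attribute values in `main` are constructed, and the code assumes the domain-wide maxPwdAge applies and also honours the `DONT_EXPIRE_PASSWD` bit (0x10000) of userAccountControl, which the thread does not mention.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define UF_ACCOUNTDISABLE     0x00000002u     /* userAccountControl & 2 */
#define UF_DONT_EXPIRE_PASSWD 0x00010000u
#define TICKS_PER_DAY         864000000000LL  /* 100 ns units per day */
#define NEVER                 INT64_MAX       /* accountExpires: no expiry */

enum { ACCT_DISABLED = 1, ACCT_EXPIRED = 2, ACCT_LOCKOUT_SET = 4,
       PWD_MUST_CHANGE = 8, PWD_EXPIRED = 16, PWD_EXPIRING = 32 };

/* Raw attribute values as LDAP returns them (decimal strings). */
struct ad_attrs {
    const char *userAccountControl, *pwdLastSet, *accountExpires, *lockoutTime;
    const char *maxPwdAge;  /* from the domain object; a negative interval */
};

static int64_t i64(const char *s) { return s ? strtoll(s, NULL, 10) : 0; }

/* now: current time in FILETIME ticks (100 ns since 1601-01-01 UTC).
   Returns status flags; *days_left is -1 unless the password can expire. */
int ad_account_status(const struct ad_attrs *a, int64_t now,
                      int warn_days, int64_t *days_left)
{
    int st = 0;
    uint32_t uac = (uint32_t)i64(a->userAccountControl);
    int64_t set = i64(a->pwdLastSet), acct_exp = i64(a->accountExpires);
    int64_t max_age = i64(a->maxPwdAge);

    *days_left = -1;
    if (uac & UF_ACCOUNTDISABLE) st |= ACCT_DISABLED;
    if (acct_exp != 0 && acct_exp != NEVER && acct_exp <= now) st |= ACCT_EXPIRED;
    /* Non-zero lockoutTime: a lockout was recorded (duration not evaluated). */
    if (i64(a->lockoutTime) != 0) st |= ACCT_LOCKOUT_SET;
    if (set == 0) return st | PWD_MUST_CHANGE;  /* change at next logon */
    if ((uac & UF_DONT_EXPIRE_PASSWD) || max_age == 0 || max_age == INT64_MIN)
        return st;                              /* password never expires */
    int64_t expires_at = set - max_age;         /* max_age is negative */
    if (expires_at <= now) return st | PWD_EXPIRED;
    *days_left = (expires_at - now) / TICKS_PER_DAY;
    if (*days_left < warn_days) st |= PWD_EXPIRING;
    return st;
}

int main(void) {  /* constructed values: set 40 days ago, 42-day policy */
    struct ad_attrs a = { "512", "133465440000000000", "9223372036854775807", "0", "-36288000000000" };
    int64_t left; int st = ad_account_status(&a, 133500000000000000LL, 14, &left);
    printf("flags=0x%x days_left=%lld\n", st, (long long)left); return 0;
}
```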
 