PwdLastSet

Thread starter: Nir B
Hi All,

My users need to change their password every 90 days.

I have users whose pwdLastSet value is older than 90 days and they are
still logging in (I gathered lastLogon from all DCs).

I saw that what these users have in common is that their last logon is from a
specific server.

I checked replication and it looks OK.

Any ideas?

Thanks,

Nir
 
If they had a password and then the policy was changed to 90 days from some
longer timespan (or from never expire), the 90-day policy won't be applied until
they next change their password.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com/

This posting is provided "AS IS" with no warranties, and confers no rights.
 
The 90-day policy would apply immediately: it checks pwdLastSet and, if that is
more than 90 days old, the account is expired, regardless of when they last
changed their password or when the policy was set.

If an account isn't expiring, it is one of a few things:

1. The account is personally configured not to expire.

2. The DC the users are authenticating against is not using the same policy as
the rest of the domain because something is broken.

joe





--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
This is news to me. I have been told passwords aren't impacted until they
are changed.

--
Paul Bergson
 
This is true for complexity and length rules. Lockout policy and expiration
policy apply immediately. So if I have a password of age 200 days and someone
slaps an expiration policy of 90 days into place, my account is immediately
expired and I will know it the next time I log in or the system attempts to
authenticate on my behalf (which happens throughout the day in Windows).


joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
 
I didn't know that. I thought that a forced expiration was required.

--
Paul Bergson
 
AD password expiration is handled in a very simple way and done when a user
attempts to log on (or their account is otherwise trying to auth).

The current time/date is collected and converted to int8 format (64-bit FILETIME).

The expiration policy value is collected from the domain NC head object; it is
the attribute called maxPwdAge. It is also an int8 value, a negative value
actually. This is the delta to "add" to the current time/date value. So if the
value is, say, negative 10 days in 100-nanosecond units (or "clicks", as I
sometimes call them) and your current date/time is March 12th 2PM, then you will
get a result of March 2nd 2PM.

Now the user's pwdLastSet value is pulled, and if the value is less than the
adjusted value above, the account is expired.

So for real life example:

My test domain has maxPwdAge value of
maxPwdAge: -78624000000000


Say the current local time is 03/05/002006-16:23:10, which is 127860673900457020.

I now "add" the delta of the maxpwdage above.

127860673900457020 + (-78624000000000)

which gives a value of 127782049900457020.

Now I simply compare pwdLastSet against that value, and anything less than it is
expired (unless they are marked to not expire, of course). That specific value is:

F:\DEV\cpp\FileTimeToString>filetimetostring 127782049900457020

FileTimeToString V01.01.00cpp Joe Richards ([email protected]) August 2004
In: 127782049900457020
Uli: 127782049900457020
FILE-TIME=127782049900457020
STRING-TIME=12/04/002005-16:23:10


So I grab a user I know is expired on my test domain and dump the pwdLastSet and
msds-user-account-control-computed which gives

F:\DEV\cpp\FileTimeToString>adfind -b CN=acltestuser,CN=Users,DC=joe,DC=com -s
base pwdlastset msds-user-account-control-computed

AdFind V01.31.00cpp Joe Richards ([email protected]) February 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003

dn:CN=acltestuser,CN=Users,DC=joe,DC=com
pwdLastSet: 127475098620324652
msDS-User-Account-Control-Computed: 8388608


1 Objects returned


The value 127475098620324652 is less than 127782049900457020, so the account is
expired. If I decode the values from above you can clearly see it as well:

F:\DEV\cpp\FileTimeToString>adfind -b CN=acltestuser,CN=Users,DC=joe,DC=com -s
base pwdlastset msds-user-account-control-computed -tdc -samdc

AdFind V01.31.00cpp Joe Richards ([email protected]) February 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003

dn:CN=acltestuser,CN=Users,DC=joe,DC=com
pwdLastSet: 12/14/2004-09:57:42 Eastern Standard Time
msDS-User-Account-Control-Computed: 8388608 [EXPIRED(8388608)]


1 Objects returned



Lockout timing is handled in exactly the same way.


joe





--
Joe Richards Microsoft MVP Windows Server Directory Services
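Joe's post above (and his earlier point that a new maxPwdAge bites immediately, since only pwdLastSet and the current time are compared) can be reproduced offline. The script below is an added example, not Joe's code or anything shipped with AdFind: it does the FILETIME arithmetic, the `pwdLastSet < now + maxPwdAge` comparison, and the `msDS-User-Account-Control-Computed` bit decode using the exact values Joe posted from his joe.com test domain. Two things are assumptions of mine, not statements from the thread: that a domain with "passwords never expire" stores maxPwdAge as the Int64 minimum (and that lockoutDuration uses the same sentinel for "until an administrator unlocks"), and that a pwdLastSet of 0 ("must change password at next logon") is treated as expired. The lockout function is the same comparison applied to lockoutTime and lockoutDuration, which is all the thread says about lockout timing. Times are decoded as UTC here; adfind's `-tdc` output above shows them in Eastern time.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME / AD "int8" values are 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND

# userAccountControl bit that exempts one account from the domain maxPwdAge.
UF_DONT_EXPIRE_PASSWD = 0x10000      # 65536
# msDS-User-Account-Control-Computed bits the DC calculates at read time.
UF_LOCKOUT = 0x10                    # 16
UF_PASSWORD_EXPIRED = 0x800000       # 8388608, the value adfind showed above

# Assumption (not from the thread): "never expire" is stored as the Int64 minimum.
MAX_PWD_AGE_NEVER = -(2 ** 63)


def filetime_to_datetime(ft: int) -> datetime:
    """Decode a FILETIME to an aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime (a naive one is taken as UTC) as a FILETIME."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def max_pwd_age_days(max_pwd_age: int) -> float:
    """Length of the (negative) maxPwdAge delta in days, for human reading."""
    return -max_pwd_age / TICKS_PER_DAY


def expiry_threshold(now_ft: int, max_pwd_age: int) -> int:
    """now + maxPwdAge: any pwdLastSet smaller (older) than this is expired."""
    return now_ft + max_pwd_age


def password_expired(pwd_last_set: int, max_pwd_age: int, now_ft: int,
                     user_account_control: int = 0) -> bool:
    """The logon-time check Joe describes, plus the per-account exemption."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return False                       # account marked "password never expires"
    if max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return False                       # domain policy has no maximum age (assumption)
    if pwd_last_set == 0:
        return True                        # "must change password at next logon" (assumption)
    return pwd_last_set < expiry_threshold(now_ft, max_pwd_age)


def account_locked_out(lockout_time: int, lockout_duration: int, now_ft: int) -> bool:
    """Same comparison applied to lockoutTime and the (negative) lockoutDuration.
    lockoutTime 0 means never locked; the Int64-minimum duration is taken to mean
    'locked until an administrator unlocks' (assumption, same sentinel as above)."""
    if lockout_time == 0:
        return False
    if lockout_duration == MAX_PWD_AGE_NEVER:
        return True
    # Still locked while the lockout started after (now + duration).
    return lockout_time > now_ft + lockout_duration


def decode_uac_computed(value: int) -> list[str]:
    """Name the bits of msDS-User-Account-Control-Computed, adfind -samdc style."""
    names = {UF_LOCKOUT: "LOCKOUT", UF_PASSWORD_EXPIRED: "EXPIRED"}
    return [name for bit, name in names.items() if value & bit]


if __name__ == "__main__":
    # Sample values copied from Joe's post above (joe.com test domain).
    max_pwd_age = -78624000000000
    now_ft = 127860673900457020            # 03/05/2006 16:23:10 Eastern
    pwd_last_set = 127475098620324652      # 12/14/2004 09:57:42 Eastern
    threshold = expiry_threshold(now_ft, max_pwd_age)
    print(f"maxPwdAge  = {max_pwd_age_days(max_pwd_age):g} days")
    print(f"threshold  = {threshold} ({filetime_to_datetime(threshold):%Y-%m-%d %H:%M:%S} UTC)")
    print(f"pwdLastSet = {pwd_last_set} ({filetime_to_datetime(pwd_last_set):%Y-%m-%d %H:%M:%S} UTC)")
    print("expired:", password_expired(pwd_last_set, max_pwd_age, now_ft))
    print("computed flags:", decode_uac_computed(8388608))
```

For a situation like Nir's, read maxPwdAge from the domain NC head on the DC the affected users are authenticating against and on a known-good DC, feed each value into `password_expired` with the user's pwdLastSet, and compare: a user who is expired under one DC's value and not under the other's is Joe's second case (that DC is applying a different policy).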
 
Wow... I'm impressed, nice details!!!

--
Paul Bergson


 