What is value for maxPwdAge in AD (weird value in one of ours)?

ohaya

Hi,

We have some code that runs intermittently against our ADs in several
environments (these "environments" are completely separate from each
other), and it uses maxPwdAge to determine when the passwords for
users are going to expire.

In 2 of the environments, they have it set to 90 and 60 days, and
maxPwdAge shows up as large negative numbers.

However, in the 3rd one, maxPwdAge is appearing as "15552000", which
calculates to 180 days in seconds.

Does anyone know why maxPwdAge would be a positive number in that one
environment, vs. large negative number in the other ones?

Thanks,
Jim
 
Jim said:
We have some code that runs intermittently against our ADs in several
environments (these "environments" are completely separate from each
other), and it uses maxPwdAge to determine when the passwords for
users are going to expire.

In 2 of the environments, they have it set to 90 and 60 days, and
maxPwdAge shows up as large negative numbers.

However, in the 3rd one, maxPwdAge is appearing as "15552000", which
calculates to 180 days in seconds.

Does anyone know why maxPwdAge would be a positive number in that one
environment, vs. large negative number in the other ones?

The maxPwdAge attribute of the domain object is datatype Integer8, a 64-bit
value. The value corresponds to the age in 100-nanosecond intervals (not
seconds). I'm used to handling this in VBScript using the IADsLargeInteger
interface, which has a HighPart and LowPart method that breaks the 64-bit
value into two 32-bit values. The value is either 0 or a negative value,
similar to an offset. Due to quirks in the way signed integers are handled,
if the LowPart method returns a negative value, the value returned by the
HighPart method should be increased by 1. I use the following VBScript code
to convert the maxPwdAge attribute to days:
========
' Determine domain maximum password age policy in days.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
Set objDomain = GetObject("LDAP://" & strDNSDomain)
Set objMaxPwdAge = objDomain.MaxPwdAge

' Account for bug in IADsLargeInteger property methods: when LowPart
' reads negative, HighPart must be increased by 1.
lngHighAge = objMaxPwdAge.HighPart
lngLowAge = objMaxPwdAge.LowPart
If (lngLowAge < 0) Then
    lngHighAge = lngHighAge + 1
End If
' Convert 100-nanosecond intervals to days (600000000 * 1440 intervals per day).
intMaxPwdAge = -((lngHighAge * 2^32) _
    + lngLowAge)/(600000000 * 1440)
========
We don't know how your code converts the Integer8 value into seconds. It
probably is flawed.

As an example, in my domain ADSI Edit reveals that maxPwdAge
is -37,108,517,437,440. My script reveals that HighPart returns -8640 and
LowPart returns 0, which works out to the same number of 100-nanosecond
intervals. This converts to 42.94967 days.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab -http://www.rlmueller.net
--



Richard,

Sorry that I didn't clarify, but the thing is, they're seeing that
"15552000" value in MIIS (or ILM now, I guess), i.e., it is the "raw"
value that they're getting for maxPwdAge.

The thing that we can't figure out is why just that one AD is coming
back with that value, whereas the other two environments have the more
normal "large negative number".

The effect of that "15552000" value for the maxPwdAge is that it is
throwing off the calculations that the MIIS rule extensions are doing
when calculating what it thinks are the password expiration dates for
users.

Is it possible that the "format" for maxPwdAge is different between
Windows versions, i.e., Win2K Server, Win2K3 server, and Win2K3 R2,
etc.?

Jim
 

Hi,

I just ran across this thread (hope the link works):

http://www.microsoft.com/communitie...7f-8434-f9f6bab0d5d2&cat=&lang=&cr=&sloc=&p=1

where it says the output of an adfind should include:

maxPwdAge: -155520000000000

I wonder if our guy or MIIS is somehow dropping the minus ("-")?

Also, the thread doesn't state it explicitly, but that seems to be on
Win2K3?

Jim
 
Hi,

I got more info this morning. Apparently, on the system that they said
was showing the "15552000" for maxPwdAge, they had gotten that value by
using ldp, whereas on the other two environments, the large negative
values came from using MIIS/ILM.

So, maybe ldp itself is re-formatting the raw maxPwdAge value for display?

Jim
 
When I use ldp to retrieve the maxPwdAge the value displayed is a negative
number. Could someone have ignored the leading "-"?
 
Richard said:
When I use ldp to retrieve the maxPwdAge the value displayed is a negative
number. Could someone have ignored the leading "-"?


Richard,

I thought that I had this figured out (i.e., that ldp was displaying the
"converted" positive #) until I saw your post above :(...

I tried ldp on two different machines, and ldp shows positive numbers
for maxPwdAge in both cases, e.g., here's one:

Expanding base 'dc=itf,dc=XXX'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
3> objectClass: top; domain; domainDNS;
1> distinguishedName: DC=itf,DC=XXX;
1> instanceType: 0x5 = ( DS_INSTANCETYPE_IS_NC_HEAD | IT_WRITE );
1> whenCreated: 01/29/2007 18:34:00 Eastern Standard Time Eastern
Daylight Time;
1> whenChanged: 01/29/2007 18:55:00 Eastern Standard Time Eastern
Daylight Time;
3> subRefs: DC=ForestDnsZones,DC=itf,DC=XXX;
DC=DomainDnsZones,DC=itf,DC=XXX; CN=Configuration,DC=itf,DC=XXX;
1> uSNCreated: 4098;
1> uSNChanged: 12513;
1> name: itf;
1> objectGUID: 29aff19a-41c2-407c-9abb-2e96ce41b888;
1> creationTime: 01/29/2007 18:54:05 Eastern Standard Time Eastern
Daylight Time;
1> forceLogoff: -9223372036854775808 (none);
1> lockoutDuration: 1800;
1> lockOutObservationWindow: 1800;
1> lockoutThreshold: 0;
1> maxPwdAge: 3710851;
1> minPwdAge: 86400;
1> minPwdLength: 7;
1> modifiedCountAtLastProm: 0;

On the other hand, ldifde shows the raw large negative numbers:

dn: DC=itf,DC=XXX
changetype: add
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=itf,DC=XXX
instanceType: 5
whenCreated: 20070129233400.0Z
whenChanged: 20070129235500.0Z
subRefs: DC=ForestDnsZones,DC=itf,DC=XXX
subRefs: DC=DomainDnsZones,DC=itf,DC=XXX
subRefs: CN=Configuration,DC=itf,DC=XXX
uSNCreated: 4098
uSNChanged: 12513
name: itf
objectGUID:: mvGvKcJBfECauy6WzkG4iA==
creationTime: 128145884454386704
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -37108517437440
minPwdAge: -864000000000
minPwdLength: 7

I guess that now I'm getting really confused :)!!

Jim
 
I was testing on a Windows 2000 Server with the version of ldp that comes
with the Support Tools for that OS. I got the correct negative value. I
repeated on a Windows 2003 Server and got the same result as you, the value
"3710851" when it should be "-37108517437440". I get the correct value if I
use ADSIEdit. I also get the correct value if I use a VBScript program. It
looks like a bug in ldp to me, at least the version that comes with W2k3. I
searched and found no other reports of this, but found a thread where
someone pasted the output from ldp and it had this same value.
 
Richard,

AHH! Ok, I also just ran ldp on a Win2K AD instance, and got the
negative number.

I guess it (displaying the positive #) is a "feature" in the Win2K3
ldp.exe :)??

Thanks for helping clear that up!

Jim
 
The correct value is displayed by ldp if you select "binary" in
Options/General/Value Parsing. The problem is with the custom parser used
for these attributes (maxPwdAge and minPwdAge). For example, a custom parser
converts the pwdLastSet attribute correctly to a date/time in the current
time zone. The parser for these two attributes appears to be handling them as
if they are 32-bit integers rather than 64-bit.
 
The value displayed by ldp on W2k3 servers is not in error, just not clear.
It is the max password age in seconds. ldp on W2k8 displays the value as a
duration in dd:hh:mm:ss format. ldp on W2k shows the value in 100-nanosecond
intervals.
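The arithmetic this thread works through, as an added Python example (not code from any poster): the Integer8 value split into signed HighPart/LowPart with the +1 carry from Richard's VBScript, the conversion to days, and the whole-seconds and dd:hh:mm:ss renderings that explain the W2k3 and W2k8 ldp displays. The "never expires" sentinel (the Int64 minimum, shown as "(none)" for forceLogoff in the ldp dump above) and the exact dd:hh:mm:ss layout are assumptions.

```python
from __future__ import annotations
# Added example, not from the thread. maxPwdAge is an Integer8 (signed 64-bit)
# count of 100-nanosecond intervals stored as a negative offset; the ldp
# seconds display and the Int64-minimum "never expires" sentinel are assumed.
INTERVALS_PER_SECOND = 10_000_000
SECONDS_PER_DAY = 86_400
NEVER_EXPIRES = -2**63  # Int64 minimum: policy "password never expires" (assumed)

def split_integer8(value: int) -> tuple[int, int]:
    """Return (HighPart, LowPart) as IADsLargeInteger does: each half of the
    two's-complement 64-bit pattern reinterpreted as a *signed* 32-bit int."""
    pattern = value & 0xFFFFFFFFFFFFFFFF
    high, low = pattern >> 32, pattern & 0xFFFFFFFF
    def s32(x: int) -> int: return x - 2**32 if x >= 2**31 else x
    return s32(high), s32(low)

def join_integer8(high: int, low: int) -> int:
    """Rebuild the 64-bit value from signed halves. LowPart reads negative when
    its top bit is set; adding 1 to HighPart repays that 2**32 borrow (the
    IADsLargeInteger quirk the VBScript in this thread compensates for)."""
    if low < 0:
        high += 1
    return high * 2**32 + low

def max_pwd_age_days(raw: int) -> float | None:
    """Raw maxPwdAge -> days; None when the policy is 'never expires'."""
    if raw == NEVER_EXPIRES:
        return None
    return -raw / (INTERVALS_PER_SECOND * SECONDS_PER_DAY)

def ldp_w2k3_seconds(raw: int) -> int:
    """What W2k3 ldp prints: the magnitude in whole seconds, truncated,
    e.g. -37108517437440 -> 3710851 and -155520000000000 -> 15552000."""
    return abs(raw) // INTERVALS_PER_SECOND

def ldp_w2k8_duration(raw: int) -> str:
    """dd:hh:mm:ss rendering modelled on the W2k8 ldp display (assumed layout)."""
    secs = ldp_w2k3_seconds(raw)
    days, secs = divmod(secs, SECONDS_PER_DAY)
    hours, secs = divmod(secs, 3600)
    minutes, secs = divmod(secs, 60)
    return f"{days:02d}:{hours:02d}:{minutes:02d}:{secs:02d}"

if __name__ == "__main__":
    raw = -37108517437440  # maxPwdAge from the ldifde dump in this thread
    print(split_integer8(raw), join_integer8(*split_integer8(raw)))
    print(max_pwd_age_days(raw), ldp_w2k3_seconds(raw), ldp_w2k8_duration(raw))
```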
 