Get AD user password expire date?


Bryan Yeo

Trying to get the user password expire date from AD, but there is no such
field.
What I could get is the PasswordLastChanged property.

Is there any way I could calculate the date or something?

Regards,
Bryan
 
The pwdLastSet property is a large integer holding the number of 100ns
intervals since 1601 or something - also known as a FILETIME value.

The DateTime class has a "FromFileTime()" method that will convert that into
a date. Watch out for UTC / local time differences.

In order to see when the password will expire you also need to read the
default domain policy to find out how often a user must change a password.

If you use the WinNT ADSI provider instead of the LDAP ADSI provider you
could get the "PasswordExpirationDate" property which will calculate the
date for you (never tested this though).


Arild
 
I have tried the Microsoft and tried to convert the code to C#, this is
what I have:

IADsLargeInteger fds2 =
(IADsLargeInteger)searchentry2.Properties["maxPwdAge"].Value;
double ONE_HUNDRED_NANOSECOND = 10^-7; //.000000100;
int SECONDS_IN_DAY = 86400;
int fgd = (int)fds2.HighPart;
int fgd2 = (int)fds2.LowPart;
double dblMaxPwdNano = Math.Abs((int)fds2.HighPart * 2^32 +
(int)fds2.LowPart);
double dblMaxPwdSecs = (int)dblMaxPwdNano * .000000100;
double dblMaxPwdDays = (int)dblMaxPwdSecs / SECONDS_IN_DAY;

But there is something either wrong with the code or with the
calculation, I got a zero.
And which policy is the maxPwdAge taken from? Local security policy,
domain security policy or domain controller policy?

Regards
Bryan
 
Try this for domain policy enforced pwd. aging.

using System;
using System.DirectoryServices;
using ActiveDs; // COM reference: Active DS Type Library (LargeInteger)

class PwdExpiry
{
    public static void Main()
    {
        long maxAge;
        // Get maxPwdAge from domain
        using (DirectoryEntry domain = new DirectoryEntry(
            "LDAP://domain/DC=xxxx,DC=xxxx,DC=xxx", "xxx\\administrator", "ppppp"))
        {
            LargeInteger liMaxAge = domain.Properties["MaxPwdAge"].Value as LargeInteger;
            // LowPart is cast to uint so a set top bit is not sign-extended
            maxAge = ((long)liMaxAge.HighPart << 32) + (uint)liMaxAge.LowPart;
            // SHOULD be a negative value !!!
        }
        // Get pwdLastSet for user (here administrator)
        using (DirectoryEntry user = new DirectoryEntry(
            "LDAP://domain/CN=administrator,cn=users,DC=celeb,DC=w2kdom,DC=com",
            "xxx\\administrator", "xxxxx"))
        {
            LargeInteger li = user.Properties["pwdLastSet"].Value as LargeInteger;
            long expDate = (((long)li.HighPart << 32) + (uint)li.LowPart) - maxAge;
            // !!! maxAge is negative number!!!
            LiToDate(expDate);
        }
    }

    static void LiToDate(long date)
    {
        Console.WriteLine(date);
        DateTime dt = DateTime.FromFileTime(date); // FILETIME -> local time
        Console.WriteLine("DATE = {0:D}", dt); // show pwd expiry date
    }
}
....

Willy.
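
The expiry arithmetic discussed in this thread, as a stand-alone C# example added here (not code from any of the posters), including the cases where no expiry date applies. The class and method names and the sample values are constructed for illustration; ADS_UF_DONT_EXPIRE_PASSWD (0x10000) is the userAccountControl flag for "password never expires".

```csharp
using System;

static class PasswordExpiry
{
    const int ADS_UF_DONT_EXPIRE_PASSWD = 0x10000; // userAccountControl flag

    // Join the 32-bit halves ADSI returns for a large integer. LowPart is cast
    // to uint first; a plain (long) cast sign-extends it when its top bit is set.
    public static long Join(int highPart, int lowPart) =>
        ((long)highPart << 32) | (uint)lowPart;

    // UTC expiry time, or null when the password never expires.
    // pwdLastSet is a FILETIME; maxPwdAge is a negative count of 100 ns intervals.
    public static DateTime? ExpiresUtc(long pwdLastSet, long maxPwdAge, int userAccountControl)
    {
        if ((userAccountControl & ADS_UF_DONT_EXPIRE_PASSWD) != 0) return null;
        if (maxPwdAge == 0 || maxPwdAge == long.MinValue) return null; // no aging policy
        // pwdLastSet == 0 means "must change at next logon": report as already expired.
        if (pwdLastSet == 0) return DateTime.FromFileTimeUtc(0);
        return DateTime.FromFileTimeUtc(pwdLastSet - maxPwdAge); // minus a negative = plus
    }

    static void Main()
    {
        // Constructed sample values, not read from a real directory.
        // TimeSpan does the unit conversion (1 tick = 100 ns); note that in C#
        // the ^ operator is XOR, not exponentiation.
        long maxPwdAge = -TimeSpan.FromDays(42).Ticks;
        long pwdLastSet = new DateTime(2024, 1, 15, 8, 30, 0, DateTimeKind.Utc).ToFileTimeUtc();

        // Split into halves the way ADSI exposes them, then rejoin.
        int hi = (int)(pwdLastSet >> 32);
        int lo = unchecked((int)pwdLastSet);
        long rejoined = Join(hi, lo);

        const int normalAccount = 0x200; // NORMAL_ACCOUNT
        Console.WriteLine("policy max age : {0} days", TimeSpan.FromTicks(-maxPwdAge).TotalDays);
        Console.WriteLine("pwdLastSet UTC : {0:u}", DateTime.FromFileTimeUtc(rejoined));
        Console.WriteLine("expires UTC    : {0:u}", ExpiresUtc(rejoined, maxPwdAge, normalAccount));
        Console.WriteLine("never expires  : {0}",
            ExpiresUtc(rejoined, maxPwdAge, normalAccount | ADS_UF_DONT_EXPIRE_PASSWD) == null);
    }
}
```

Working in UTC and converting to local time only for display avoids the UTC / local time differences mentioned earlier in the thread.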
 