Super Contributor.

set Password expiration date in AD

Hi,

I am writing a policy where I have to set the password expiration time with respect to employeeType.

But the problem I am facing is that I am unable to set the password expiration time inside Active Directory.

I did get the attribute name msDS-UserPasswordExpiryTimeComputed, but I am unable to set values.

I did get the point that in eDirectory the value is in iCTIME, and AD has a different time format.

Please help me out, or share any other policy you may have, i.e. one resolving my problem.

5 Replies

Outstanding Contributor.

Hi!

As far as I know, you cannot set the pwdLastSet attribute in AD to anything else but zero (0).

Zero (0) means the user must change their password at next logon. Other than that, I don't think AD allows you to set any other value.

msDS-UserPasswordExpiryTimeComputed seems to just be a virtual attribute that is actually pwdLastSet:

https://ldapwiki.com/wiki/MsDS-UserPasswordExpiryTimeComputed

Best regards

Marcus

Super Contributor.

I did get this article from Microsoft about the Active Directory driver, which says that msDS-UserPasswordExpiryTimeComputed has the user password expiry time:

https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-userpasswordexpirytimecomputed

Outstanding Contributor.

Yes, you can read it, and it contains when the password needs to be updated. But it is a read-only attribute that is calculated based on pwdLastSet (and other things, such as the applied (fine-grained) password policy).

Also found this one:

https://ldapwiki.com/wiki/Pwd-Last-Set%20attribute

So you can set it to -1, and that sets pwdLastSet to the current date/time, according to the link above.

Best regards

Marcus

Honored Contributor.

You cannot set the password expiration date in AD. You can expire it, but the password expiration date is calculated by adding the group policy setting (not stored in AD) of password expiration time to the pwdLastSet attribute, which is a system attribute only AD can modify.

Knowledge Partner

Only the system can modify the pwdLastSet attribute to any value other than 0 or -1.

If you assign 0, the password is immediately expired. Then when the user changes their password the current date/time is assigned by the system to the pwdLastSet attribute.

The value -1 corresponds to the largest integer allowed in a 64-bit attribute, 2^63-1. This value does the reverse of 0. It makes the password not expired. When the user next logs on, the pwdLastSet attribute will be set by the system to the value corresponding to the current date/time.

Reference link: http://social.technet.microsoft.com/Forums/fi/winserverpowershell/thread/6622c897-c460-41ce-a237-a6eabff3ca12
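
An added PowerShell example (not from this thread, Identity Manager, or the AD driver) showing how the constraints discussed above translate into a workable per-employeeType rule: read msDS-UserPasswordExpiryTimeComputed, convert it from FILETIME (handling the 0 and 2^63-1 special values), and, since no expiry date can be written, force expiry with pwdLastSet = 0 once the age allowed for that employeeType has passed. The RSAT ActiveDirectory module and the per-type age table are assumptions.

```powershell
# Added example: enforce a per-employeeType maximum password age using only the
# levers AD exposes (pwdLastSet = 0 forces expiry). Assumes the RSAT
# ActiveDirectory module; the age table below is constructed for illustration.
Import-Module ActiveDirectory

$MaxAgeDaysByType = @{ 'Contractor' = 30; 'Employee' = 90 }   # constructed policy
$NeverExpires = [int64]::MaxValue   # 2^63-1: AD returns this when the password never expires
$Props = 'pwdLastSet', 'employeeType', 'msDS-UserPasswordExpiryTimeComputed'

function Get-PasswordState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties $Props
    # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means
    # "must change password at next logon", so there is no real timestamp.
    $lastSet = if ($u.pwdLastSet -eq 0) { $null } else { [DateTime]::FromFileTimeUtc($u.pwdLastSet) }
    # The computed attribute is read-only: pwdLastSet plus the (fine-grained) policy maximum age.
    $computed = [int64]$u.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = if ($computed -eq 0) { 'expired' } elseif ($computed -eq $NeverExpires) { 'never' } else { [DateTime]::FromFileTimeUtc($computed) }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        EmployeeType    = $u.employeeType
        PasswordLastSet = $lastSet
        PolicyExpiry    = $expiry
    }
}

function Invoke-EmployeeTypeExpiry {
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$WhatIf)
    $s = Get-PasswordState -SamAccountName $SamAccountName
    if (-not $s.PasswordLastSet) { return "$($s.SamAccountName): already expired" }
    if (-not $s.EmployeeType -or -not $MaxAgeDaysByType.ContainsKey($s.EmployeeType)) {
        return "$($s.SamAccountName): no per-type rule; domain policy expiry is $($s.PolicyExpiry)"
    }
    $limit = $MaxAgeDaysByType[$s.EmployeeType]
    $ageDays = ((Get-Date).ToUniversalTime() - $s.PasswordLastSet).TotalDays
    if ($ageDays -lt $limit) {
        return "$($s.SamAccountName): password is $([int]$ageDays) days old, limit $limit"
    }
    # An arbitrary expiry date cannot be written to AD; the only supported
    # action is to expire the password now by setting pwdLastSet to 0.
    Set-ADUser -Identity $SamAccountName -Replace @{ pwdLastSet = 0 } -WhatIf:$WhatIf
    return "$($s.SamAccountName): forced to change password at next logon"
}

# Dry run against a (hypothetical) account: Invoke-EmployeeTypeExpiry -SamAccountName 'jdoe' -WhatIf
```

Run it on a schedule from the system that already evaluates employeeType; the -WhatIf switch lets you audit which accounts would be expired before any write happens.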
