When Did A Password Expire?


  • When Did A Password Expire?

    environment: Windows 2008 Active Directory

    empty root domain: x.tld
    user accounts in domain OFFICE.x.tld
    Windows and Linux servers in domain PROD.x.tld and in domain DEV.x.tld
    Active Directory is used to authenticate to Linux servers using winbind

    The users' workstations are in a separate forest, which does not have a trust relationship with x.tld.
    This is important, because policies for x.tld are not applied to their accounts in

    I was getting repeated calls about passwords expiring.

    As a temporary measure, I set the password expiration policy in Group Policy for OFFICE.x.tld, until this problem can be resolved.

    Group Policy Management
    |-Forest: x.tld
    ....|-Default Domain Policy
    .....|-Computer Configuration
    .......|-Windows Settings
    ........|-Security Settings
    .........|-Account Policies/Password Policy
    ..........|-Maximum Password Age: 0 days
    ..........|-Minimum Password Age: 1 days

    However, I am still getting calls about passwords expiring.

    I suspect that a lot of these are users who simply forgot their passwords, because some of them haven't logged in for weeks.

    I also suspect that this is primarily an issue with those users who SSH into the Linux servers, although I don't have hard data to prove this.


    1. Should I apply the password policy at the Forest level rather than the Domain level, since users are using accounts in one domain to authenticate to resources in another domain?

    2. Is there a way to tell when a user's password actually expired or will expire?

    Obviously, I can use Group Policy to see what the password expiration policy is supposed to be, and I can check when a password was last reset (the pwdLastSet attribute).

    It's trivial to add the password expiration age in Group Policy to pwdLastSet to determine when a password should expire.

    But is there any attribute or record of when a password actually expires/expired, so I can definitively determine whether a user's password is actually expired, or if the user simply forgot their password?


    UPDATE: In Active Directory Users and Computers (ADUC) for OFFICE.x.tld, the maxPwdAge attribute is set to (never)

    Active Directory Users and Computers
    |- office.x.tld
    (right-click --> Properties --> Attribute Editor (tab))
    Last edited by Robert R.; 21st September 2011, 23:38.
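    The pwdLastSet-plus-maximum-age arithmetic described in this post, worked through as an added Python example (not code from this thread). It converts the raw values as the ADUC attribute editor shows them (pwdLastSet as a FILETIME tick count since 1601, maxPwdAge as a negative 100-nanosecond interval) and handles the cases that come up here: a Maximum Password Age of 0 days / maxPwdAge displayed as (never), the per-account "password never expires" flag in userAccountControl, and pwdLastSet of 0 ("must change at next logon"). The sample user, the timestamps and the "now" used for triage are constructed; the 25 April 2011 / 42-day figures are the ones quoted from Ned Pyle's post further down. On 2008-level domain controllers the same value is also exposed as the constructed attribute msDS-UserPasswordExpiryTimeComputed, which this code reproduces offline.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch (1601-01-01 UTC); AD stores pwdLastSet as 100-ns ticks since then
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Real AD semantics: maxPwdAge of 0 or INT64_MIN means "never expires" (ADUC shows "(never)"),
# and the UF_DONT_EXPIRE_PASSWD bit in userAccountControl exempts a single account.
MAXPWDAGE_NEVER = -0x8000000000000000
UF_DONT_EXPIRE_PASSWD = 0x10000


def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME ticks, the raw form pwdLastSet has in the attribute editor."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME ticks -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def days_to_maxpwdage(days: int) -> int:
    """maxPwdAge is a NEGATIVE interval in 100-ns ticks; a GPO value of 0 days maps to 0 ('never')."""
    return -days * 86400 * TICKS_PER_SECOND


def password_expiry(pwd_last_set: int, max_pwd_age: int, user_account_control: int = 0):
    """
    Returns (status, expiry_datetime_or_None):
      'never'       - no expiry applies (domain policy says never, or the account is flagged)
      'must_change' - pwdLastSet is 0: "user must change password at next logon"
      'expires'     - expiry = pwdLastSet + |maxPwdAge|
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return "never", None
    if max_pwd_age in (0, MAXPWDAGE_NEVER):
        return "never", None
    if pwd_last_set == 0:
        return "must_change", None
    age = timedelta(microseconds=(-max_pwd_age) // 10)
    return "expires", filetime_to_datetime(pwd_last_set) + age


def classify_logon_failure(pwd_last_set: int, max_pwd_age: int,
                           user_account_control: int, now: datetime) -> str:
    """Help-desk triage: is the password actually expired, or is a wrong/forgotten password more likely?"""
    status, expires_at = password_expiry(pwd_last_set, max_pwd_age, user_account_control)
    if status == "must_change":
        return "must change at next logon"
    if status == "never" or expires_at > now:
        return "not expired; likely a forgotten/wrong password"
    return f"expired on {expires_at.isoformat()}"


# Constructed sample values: password set 25 April 2011 with a 42-day maximum age,
# and a constructed "now" matching the date this thread was written.
PWD_SET_2011_04_25 = datetime_to_filetime(datetime(2011, 4, 25, 9, 0, tzinfo=timezone.utc))
MAXPWDAGE_42_DAYS = days_to_maxpwdage(42)
NOW = datetime(2011, 9, 21, 23, 38, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Constructed users: (name, pwdLastSet, maxPwdAge in effect, userAccountControl)
    sample_users = [
        ("alice (42-day policy)", PWD_SET_2011_04_25, MAXPWDAGE_42_DAYS, 0),
        ("bob (policy: 0 days / never)", PWD_SET_2011_04_25, days_to_maxpwdage(0), 0),
        ("carol (account flagged never-expire)", PWD_SET_2011_04_25, MAXPWDAGE_42_DAYS, UF_DONT_EXPIRE_PASSWD),
        ("dave (must change at next logon)", 0, MAXPWDAGE_42_DAYS, 0),
    ]
    for name, last_set, max_age, uac in sample_users:
        print(f"{name}: {classify_logon_failure(last_set, max_age, uac, NOW)}")
```

    Feed it the raw integers from the attribute editor (pwdLastSet from the user object, maxPwdAge from the domain naming context) and the userAccountControl value; an expiry in the past confirms an expired password, while anything else points at a forgotten or mistyped one.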

  • #2
    Re: When Did A Password Expire?

    Password policies ONLY apply at Local or Domain level
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: When Did A Password Expire?

      Under server 2003 you used acctinfo2.dll which created a new Additional Account Info tab in the User Properties dialog under ADUC. It tells you when the password is due to expire among other things.

      I'm not sure if it will work for 2008. But, in case your 2008 is 64bit, try this instead:

      But - it is not supported...
      A recent poll suggests that 6 out of 7 dwarfs are not happy


      • #4
        Re: When Did A Password Expire?

        From the link provided by Blood above, I found this:

        You probably don't need ACCTINFO2.DLL


        NedPyle [MSFT]
        12 Apr 2011 10:54 AM

        Hi folks, Ned here again. Customers periodically ask us for a rumored replacement for the Windows 2000 acctinfo.dll that works on 64-bit Windows 7 and Windows Server 2008 R2. That old DLL added an extra tab to the Active Directory Users and Computers snap-in to centralize some user account info:
        Ned brings up a good argument against using acctinfo2.dll:

        You will find a great many copies of acctinfo2.dll floating around, but none hosted on Microsoft websites (we never released it publicly, it was just a side-project for a Support engineer here in Charlotte). Before you install those, consider this: you plan to load a DLL from some random place on the Internet into one of your most powerful AD admin tools, and then run that tool as a Domain Admin. And you have no way to know if that's some leaked MS version of the file or one adulterated by hackers.
        and recommends using Active Directory Administrative Center , "another new component introduced by Windows Server 2008 R2."

        But as one of Ned's readers points out, ADAC does not show when a password is set to expire or has expired. This concern has been considered and dismissed as not important.

        You can see Password Last Set easily if you just turn on the attribute editor; it will display PwdLastSet in human-readable plain text and show date, time, and time zone.
        But Password Expires will require mental gymnastics. "She set her password on the April 25th 2011 and we have a 42 day max password age so it will require change on Sunday June 6."
        My main question would be: why do I care? The user will be warned in advance at every logon once their password is close to expiration and when it expires, they will have a very clear message (for them or their help desk) explaining why they cannot logon and that they are required to change their password.
        Are you mainly looking for feature parity or do you have a business process that makes this useful? If the latter I'd like to hear about it so I can get DSAC improved.
        Some of us care for troubleshooting purposes, when we suspect that the policies are not being applied correctly. And users who use Active Directory credentials to SSH into Linux hosts do not get a warning message that their password is going to expire soon. Oh well.

        Note: I haven't used the Active Directory Administrative Center yet. ADAC requires the Active Directory Web Services service to be running, which for some reason won't start on my Windows 2008 R2 domain controller.
        Windows could not start the Active Directory Web Services service on Local Computer.
        Error 1067: The process terminated unexpectedly.
        ...another problem to solve.


        • #5
          Re: When Did A Password Expire?

          The argument against using it is valid - but it's the usual advice/common sense - you can say this about any file you download from the Internet - and considering the number of legitimate websites that have been found to be hosting malware/compromised files without being aware of it... As ever it is up to the person using it to research this as thoroughly as possible.

          But, if it really did mess up people's AD environments I'm sure there would be a lot more information about this happening especially as it has been used since W2k3. I'm happy to report that I have never noticed any problems using this (on W2k3) and I have been using it for many years.

          But, I have not used it in W2k8 because I still have a W2k3 server on the network. That's why I mentioned that use of it in W2k8 was unsupported, implying that you, or anyone reading this, should test it first.
          A recent poll suggests that 6 out of 7 dwarfs are not happy