When Did A Password Expire?


    Robert R.
    Participant
    #156280

    environment: Windows 2008 Active Directory

    empty root domain: x.tld
    user accounts in domain OFFICE.x.tld
    Windows and Linux servers in domain PROD.x.tld and in domain DEV.x.tld
    Active Directory is used to authenticate to Linux servers using winbind

    The users’ workstations are in a separate forest, y.ad.tld, that does not have a trust relationship with x.tld.
    This is important, because policies for x.tld are not applied to their accounts in y.ad.tld.

    I was getting repeated calls about passwords expiring.

    As a temporary measure, I set the password expiration policy in Group Policy for OFFICE.x.tld, until this problem can be resolved.

    Group Policy Management
    |-Forest: x.tld
      |-Domains
        |-office.x.tld
          |-Default Domain Policy
          |-Password
            |-Computer Configuration
              |-Policies
                |-Windows Settings
                  |-Security Settings
                    |-Account Policies/Password Policy
                      |-Policy
                      |-Maximum Password Age: 0 days
                      |-Minimum Password Age: 1 days

    However, I am still getting calls about passwords expiring.

    I suspect that a lot of these are users who simply forgot their passwords, because some of them haven’t logged in for weeks.

    I also suspect that this is primarily an issue with those users who SSH into the Linux servers, although I don’t have hard data to prove this.

    Questions:

    1. Should I apply the password policy at the Forest level rather than the Domain level, since users are using accounts in one domain to authenticate to resources in another domain?

    2. Is there a way to tell when a user’s password actually expired or will expire?

    Obviously, I can use Group Policy to see what the password expiration policy is supposed to be, and I can check when a password was last reset (the pwdLastSet attribute).

    It’s trivial to add the password expiration age in Group Policy to pwdLastSet to determine when a password should expire.

    But is there any attribute or record of when a password actually expires/expired, so I can definitively determine whether a user’s password is actually expired, or if the user simply forgot their password?

    Thanks.

    UPDATE: In Active Directory Users and Computers (ADUC) for OFFICE.x.tld, the maxPwdAge attribute is set to (never).

    Active Directory Users and Computers
    |- office.x.tld
    (right-click –> Properties –> Attribute Editor (tab))
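As an added example (not part of the original post), the pwdLastSet + maxPwdAge arithmetic from question 2, done on the raw attribute values as LDAP returns them, including the "(never)" sentinel the update mentions and the per-account "Password never expires" flag. The AD constants are assumed-known, the sample values are constructed, and no fine-grained password policy (PSO) is assumed to override the domain maxPwdAge.

```python
from datetime import datetime, timedelta, timezone

# AD large-integer time attributes count 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Domain-level maxPwdAge value that ADUC displays as "(never)": the most
# negative signed 64-bit integer. (Assumed-known AD constant.)
MAXPWDAGE_NEVER = -0x8000000000000000
# userAccountControl flag "Password never expires". (Assumed-known AD constant.)
UF_DONT_EXPIRE_PASSWD = 0x10000


def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to AD/FILETIME ticks (100 ns units)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def from_filetime(ticks: int) -> datetime:
    """Convert AD/FILETIME ticks to an aware UTC datetime (integer math only)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int):
    """Return (state, expires_at) for one account.

    state is "must-change" (pwdLastSet == 0), "never" (domain policy or the
    UAC flag disables expiry) or "expires" (expires_at holds the instant).
    """
    if pwd_last_set == 0:
        return ("must-change", None)
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (MAXPWDAGE_NEVER, 0):
        return ("never", None)
    # maxPwdAge is stored as a negative interval; subtracting it adds the lifetime.
    return ("expires", from_filetime(pwd_last_set - max_pwd_age))


def password_status(pwd_last_set: int, max_pwd_age: int, uac: int, now: datetime) -> str:
    """Classify the account as of `now`: must-change, never, valid or expired."""
    state, expires_at = password_expiry(pwd_last_set, max_pwd_age, uac)
    if state != "expires":
        return state
    return "expired" if now >= expires_at else "valid"


# Constructed sample values, not taken from the poster's domain.
SAMPLE_PWD_LAST_SET = to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))
SAMPLE_MAX_PWD_AGE = -42 * 24 * 3600 * 10_000_000  # 42-day lifetime, stored negative
SAMPLE_BEFORE = datetime(2024, 2, 11, tzinfo=timezone.utc)
SAMPLE_AFTER = datetime(2024, 2, 13, tzinfo=timezone.utc)

if __name__ == "__main__":
    for when in (SAMPLE_BEFORE, SAMPLE_AFTER):
        print(when.date(), password_status(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE, 0x200, when))
```

A domain controller running Windows Server 2008 or later also exposes the same computation as the constructed attribute msDS-UserPasswordExpiryTimeComputed, so the expiry instant can be read per user rather than recomputed.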
