Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

AD user password expiration date - code (script) component

Created: 11 Jan 2013 • Updated: 13 Jan 2013 | 5 comments
This issue has been solved. See solution.

Hello All -

Does anyone have code I can use in the 'code (script) component' to find the time/date of a user account's password?

In other words, given a user account, I'd like the script to run and return the time/date of it's password expiration.

Thanks in advance for any/all help.


Comments 5 CommentsJump to latest comment

reecardo's picture

Should be doable. You'd basically run an LDAP query against your AD and pull it from there or something similar.

These pages could give you a good start:

NOTE: One thing to mention about the Code/Script component is because there's no place to drop in "using clauses" in the editor, it's a good practice to preface external types with their namespace name. For example...

DirectoryEntry entry = new DirectoryEntry(blah);

would become

System.DirectoryServices.DirectoryEntry entry = new System.DirectoryServices.DirectoryEntry(blah);

TomS's picture

Thanks reecardo -

It looks like the links you sent are C# scripts.  With the recommendation you provided is it as easy as copying and pasting what they've provided into the component?

I'll give it a try and just re-post if I encounter errors.

I appreciate your help/feedback.  Thanks, Tom

reecardo's picture

Nah, you can't just copy and paste the script. You have to do a bit of "designing" here.

First off, ignore my previous comment re: using clauses not being allowed... I was thinking of the Script generator. The Code/Script component should allow the specification of using clauses. Instructions below should apply to both Code/Script comp and Script generator aparat from differences I point out.

1. First, to make the component "interesting", I'd make the component take in at least one text parameter - the name of the (wo)man whose PW exp. date you're interested in. You could add additional parameters to specify the other vars used to build the LDAP query, but I'd start with one parameter and eventually build up to more parameters - it's just easier that way.

2. The output would be a non-array datetime.

3. This comp lets you choose which language you want to script in... C#, VB.NET or JScript. The examples I cited were C#. Script generator doesn't let you pick this - it's always C# in the script gen.

4. For the using clauses, I'd add them one by one, making sure to get the casing correct. C# is a case sensitive language. You can't do this in the script generator... have to get around it in the code with trick I mentioned above.

5. Finally, I'd drop in the script (the contents of the Main() function in the first link I posted earlier). You have to adjust the LDAP building portion of the code to incorporate the name input you specified earlier. You also need to account for YOUR AD here, and not the one specified in the linked code. We basically just want to return a date, so you'll have to fix the code a bit to do a

return blah;

vs. a


It helps to have a bit of C# experience to use this component (Script generator as well). If you have Visual Studio or some other IDE available, it REALLY REALLY helps to build out a small project that emulates what you want to do locally, THEN copy and paste into the Code/Script comp or Script gen. Otherwise, re-running this editor, and re-debugging your flow becomes your IDE - and that will get maddening very quickly to try and get this to work.

Hope this helps.

rscovel's picture


You might look into using JoeWare's OLDCMP utility.

 It has a flag to change from examining a computer object to a user object.

It has an age query componenet. Maybe that will do it.


Russ Scovel
Inside Systems Engineer

Altiris SOS – Endpoint Management and Mobility
Symantec Corporation

TomS's picture

Hi reecardo & rscovel --

Following is the code I actually pasted into the code (script) component to get this to work.

Thanks both for your help on this!  Tom



            System.DirectoryServices.DirectorySearcher searcher;
            using (searcher = new System.DirectoryServices.DirectorySearcher())
                searcher.SearchRoot =
                    new System.DirectoryServices.DirectoryEntry(
                        "LDAP://" + (string)new System.DirectoryServices.DirectoryEntry("LDAP://rootDSE")
                searcher.SearchScope = System.DirectoryServices.SearchScope.Subtree;
                searcher.Filter = string.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))",
                System.DirectoryServices.SearchResultCollection results = searcher.FindAll();

                foreach (System.DirectoryServices.SearchResult result in results)
                    long lastChangedTicks;
                    System.DirectoryServices.ResultPropertyValueCollection pwdLastSetProp;
                    pwdLastSetProp = result.Properties["pwdLastSet"];

                    if ((pwdLastSetProp != null) &&
                        (pwdLastSetProp.Count > 0) &&
                        long.TryParse(pwdLastSetProp[0].ToString(), out lastChangedTicks))
                        return System.DateTime.FromFileTime(lastChangedTicks).ToString("MM/dd/yyyy");
                return string.Empty;