How to get password expiration date in workflow for an AD user

Created: 10 Jun 2013 | 2 comments

Hi everyone,

I am trying to get the AD user password expiration days in workflow. Is there a way to do this? I tried the script, but the script I am using needs to import a reference library and I am not able to do that.

Is there any other way to retrieve it?

Script I used:

It uses ActiveDs to get LargeInteger.

// Needs references to System.DirectoryServices and the ActiveDs COM library (for LargeInteger).
DirectoryEntry entry = new DirectoryEntry("LDAP://whqs45/DC=***,DC=***");
// userID goes into the filter unescaped; escape \ * ( ) and NUL (RFC 4515) if it can come from user input.
string filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + userID + "))";
DirectorySearcher search = new DirectorySearcher(entry, filter);
search.SearchScope = SearchScope.Subtree;
SearchResult result = search.FindOne();
// FindOne() returns null when no user matches the filter.
if (result == null) throw new InvalidOperationException("User not found: " + userID);
entry = result.GetDirectoryEntry();

// Pulling the information on when the password was last changed and converting it to a LargeInteger.
LargeInteger liAcctPwdChange = entry.Properties["pwdLastSet"].Value as LargeInteger;

// Convert the highorder/loworder parts of the property pulled to a long.
// LowPart is a signed int, so cast it to uint to avoid sign extension when the halves are combined.
long dateAcctPwdChange = ((long)liAcctPwdChange.HighPart << 32) | (uint)liAcctPwdChange.LowPart;

// Convert FileTime to DateTime and get what today's date is.
DateTime dtNow = DateTime.Now;
// I added 90 days because I know what my password expiration is set to, if not you need to pull that information and add the number of days it is set for.
DateTime dtAcctPwdChange = DateTime.FromFileTime(dateAcctPwdChange).AddDays(90);
string strAcctPwdChange = DateTime.FromFileTime(dateAcctPwdChange).ToShortDateString();
string strAcctPwdExpires = dtAcctPwdChange.ToShortDateString();

// Calculate the difference between the date the password expires and what day it is now, and display the # of days.
TimeSpan time = dtAcctPwdChange - dtNow;
string changedp = strAcctPwdChange;
string expirep = strAcctPwdExpires;
string daysp = time.Days.ToString() + " day(s)";

2 Comments

reecardo's picture

There are a few examples out on the internet that don't depend on importing windows DLLs... there's a sample here:

http://stackoverflow.com/questions/3764327/active-...

As far as objects that reside in .NET DLLs, you can't explicitly specify using clauses with the Script Generator, though you can in the Code/Script component. But you can still technically get around this in the C# by prefacing the appropriate objects with the namespace (just like all c# basically).

So in the example above, this -

using System.DirectoryServices;

DirectoryEntry entry = new DirectoryEntry(...);

would become this:

System.DirectoryServices.DirectoryEntry entry = new System.DirectoryServices.DirectoryEntry(...);
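
An added example, not part of the original thread or the linked answer: it combines the fully qualified type names suggested above with the fact that DirectorySearcher results return pwdLastSet as an Int64, so no ActiveDs reference is needed, and it escapes the user ID before it goes into the LDAP filter. The class and method names, the ldapPath parameter and the caller-supplied maxAgeDays (90 in the question) are assumptions for illustration.

```csharp
public static class PasswordExpiry   // hypothetical helper class, not from the thread
{
    // Escape a value for use inside an LDAP search filter (RFC 4515 special characters).
    public static string EscapeLdapFilterValue(string value)
    {
        System.Text.StringBuilder sb = new System.Text.StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Returns the whole days left until the password expires (negative if already expired),
    // or null when the user is not found or no expiry date applies to the account.
    public static int? DaysUntilExpiry(string ldapPath, string userID, int maxAgeDays)
    {
        const int DontExpirePassword = 0x10000;   // userAccountControl flag
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeLdapFilterValue(userID) + "))";
        using (System.DirectoryServices.DirectoryEntry root = new System.DirectoryServices.DirectoryEntry(ldapPath))
        using (System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(
                   root, filter, new string[] { "pwdLastSet", "userAccountControl" }))
        {
            System.DirectoryServices.SearchResult result = search.FindOne();
            if (result == null || !result.Properties.Contains("pwdLastSet")
                || !result.Properties.Contains("userAccountControl")) return null;

            // Accounts flagged "password never expires" have no expiry date.
            int uac = (int)result.Properties["userAccountControl"][0];
            if ((uac & DontExpirePassword) != 0) return null;

            // SearchResult hands large-integer attributes back as Int64 (a FILETIME value).
            long fileTime = (long)result.Properties["pwdLastSet"][0];
            if (fileTime == 0) return null;   // 0 means "must change password at next logon"

            System.DateTime expiresUtc = System.DateTime.FromFileTimeUtc(fileTime).AddDays(maxAgeDays);
            return (expiresUtc - System.DateTime.UtcNow).Days;
        }
    }
}
```

Fine-grained password policies can give an account a different maximum age than the domain default, so pass the value that actually applies to the user.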

Rob Moore's picture

Another way to do this is to link AD to a SQL server. You can then query AD for the pwdLastSet. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC) (which is not very helpful - but it's easy to convert).

So I query AD and then run the pwdLastSet through a scalar function to resolve the large integer into a date (code below). If you have a policy which requires your users to change their passwords every 90 days, you can run a stored procedure against the user account to get the number of days left to password reset.

This has worked in our environment for the last 5 years, and it's proved to be extremely accurate.

The SP below will get all users whose password will expire in X days (you tell it how long). This can easily be modified to look at a specific user instead of all users.

rob

----------------------- StoredProcedure to get all users with expire password in X days -----------------

USE [Your_Database_Name]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO

CREATE PROCEDURE [dbo].[sp_GetPasswordExpireXDays]
@days int
AS

SELECT
samAccountName
,datediff(dd,getdate()-90,dbo.utc2date(pwdLastSet)) AS 'PWD Expires in:'
,dbo.utc2date(pwdLastSet) as 'Passwd Set:'
,sn
,givenName
,mail
,DistinguishedName
,UserAccountControl

FROM
OpenQuery(ADSI_GAL,'
SELECT
sAMAccountName
,pwdLastSet
,sn
,givenName
,mail
,DistinguishedName
,UserAccountControl

FROM ''LDAP://<DomainControllerFQDN>/DC=<Your>,DC=<AD Domain>,DC=<HERE>''
where objectCategory = ''Person'' AND objectClass = ''User'' ')

where UserAccountControl in (512, 534, 1049088, 590336)
and mail is not null
AND datediff(dd,getdate()-90,dbo.utc2date(pwdLastSet)) = @days
GO

---------------------  UTC2date Scalar Function  -------------------------

SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE FUNCTION [dbo].[UTC2date] (@numSeconds BIGINT)
RETURNS DATETIME
AS BEGIN
DECLARE @date AS DATETIME
SET @numSeconds = @numSeconds / 10000000 - 11644473600

IF @numSeconds < 0
OR @numSeconds > 2147483647
BEGIN
SET @numSeconds = 0
END

RETURN DATEADD(ss, @numSeconds, '01-01-1970 00:00:00')
END