Workflow Solution

  • 1.  how to get Password expiration date in workflow for an AD user.

    Posted Jun 10, 2013 04:34 PM

    hi everyone,

     

    I am trying to get the AD user password expiration days in Workflow. Is there a way to do this? I tried the script, but the script I am using needs to import a reference library and I am not able to do that.

    Is there any other way to retrieve it?

     

    Script I used:

    It uses ActiveDs for LargeInteger.

    // Requires references to System.DirectoryServices and the ActiveDs COM library (for LargeInteger).
    DirectoryEntry entry = new DirectoryEntry("LDAP://whqs45/DC=***,DC=***");
    // userID is placed in the filter as-is, so it must not contain LDAP filter characters such as * ( ) \.
    string filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + userID + "))";
    DirectorySearcher search = new DirectorySearcher(entry, filter);
    search.SearchScope = SearchScope.Subtree;
    SearchResult result = search.FindOne();
    if (result == null)
        throw new InvalidOperationException("User not found: " + userID);
    entry = result.GetDirectoryEntry();

    // Pulling the information on when the password was last changed and converting it to a LargeInteger.
    LargeInteger liAcctPwdChange = entry.Properties["pwdLastSet"].Value as LargeInteger;

    // Convert the high-order/low-order parts of the property pulled to a long.
    // LowPart is a signed int, so it is cast to uint; otherwise the sum is wrong when its top bit is set.
    long dateAcctPwdChange = ((long)liAcctPwdChange.HighPart << 32) + (uint)liAcctPwdChange.LowPart;

    // Convert FileTime to DateTime and get what today's date is.
    DateTime dtNow = DateTime.Now;
    // I added 90 days because I know what my password expiration is set to; if not, you need to pull that information and add the number of days it is set for.
    DateTime dtAcctPwdChange = DateTime.FromFileTime(dateAcctPwdChange).AddDays(90);
    string strAcctPwdChange = DateTime.FromFileTime(dateAcctPwdChange).ToShortDateString();
    string strAcctPwdExpires = DateTime.FromFileTime(dateAcctPwdChange).AddDays(90).ToShortDateString();

    // Calculate the difference between the date the password expires (last change + 90 days) and today, and display the # of days.
    TimeSpan time = dtAcctPwdChange - dtNow;
    string changedp = strAcctPwdChange;
    string expirep = strAcctPwdExpires;
    string daysp = time.Days.ToString() + " day(s)";



  • 2.  RE: how to get Password expiration date in workflow for an AD user.

    Posted Jun 11, 2013 07:22 AM

    There are a few examples out on the internet that don't depend on importing Windows DLLs... there's a sample here:

    http://stackoverflow.com/questions/3764327/active-directory-user-password-expiration-date-net-ou-group-policy

    As far as objects that reside in .NET DLLs, you can't explicitly specify using clauses with the Script Generator, though you can in the Code/Script component. But you can still technically get around this in the C# by prefacing the appropriate objects with the namespace (just like all C# basically).

    So in the example above, this -

    using System.DirectoryServices;

    DirectoryEntry entry = new DirectoryEntry(...);

    would become this:

    System.DirectoryServices.DirectoryEntry entry = new System.DirectoryServices.DirectoryEntry(...);
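
Added example, not part of the thread: the same lookup without the ActiveDs reference, using fully qualified names as the reply above suggests and reading `pwdLastSet` from the `SearchResult`, which returns it as an `Int64`. The class name `PwdExpiry`, its method names and the `maxAgeDays` parameter are assumptions made for illustration, and the values in `Main` are constructed.

```csharp
// Added example: fully qualified type names, so no using clauses and no ActiveDs reference.
public static class PwdExpiry   // hypothetical name
{
    const int DontExpirePassword = 0x10000;   // userAccountControl bit ADS_UF_DONT_EXPIRE_PASSWD
    // Escape the RFC 4515 special characters so a user ID cannot change the filter's structure.
    public static string EscapeLdapFilter(string value)
    {
        var sb = new System.Text.StringBuilder();
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }
    // Returns null when no date applies: password never expires, or pwdLastSet is 0
    // (the user must change the password at next logon).
    public static System.DateTime? ExpiresUtc(long pwdLastSet, int userAccountControl, int maxAgeDays)
    {
        if (pwdLastSet <= 0 || (userAccountControl & DontExpirePassword) != 0) return null;
        return System.DateTime.FromFileTimeUtc(pwdLastSet).AddDays(maxAgeDays);
    }
    // ldapPath is whatever path the script already binds to; maxAgeDays is the domain policy (assumed known).
    public static System.DateTime? Lookup(string ldapPath, string userId, int maxAgeDays)
    {
        using (var root = new System.DirectoryServices.DirectoryEntry(ldapPath))
        using (var search = new System.DirectoryServices.DirectorySearcher(root))
        {
            search.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + EscapeLdapFilter(userId) + "))";
            search.PropertiesToLoad.Add("pwdLastSet");
            search.PropertiesToLoad.Add("userAccountControl");
            System.DirectoryServices.SearchResult r = search.FindOne();
            if (r == null || r.Properties["pwdLastSet"].Count == 0
                          || r.Properties["userAccountControl"].Count == 0) return null;
            // SearchResult hands back large integers as Int64, so no IADsLargeInteger conversion is needed.
            return ExpiresUtc((long)r.Properties["pwdLastSet"][0],
                              (int)r.Properties["userAccountControl"][0], maxAgeDays);
        }
    }
    static void Main()
    {
        // Constructed sample: password set 2013-06-10 00:00 UTC, normal account (512), 90-day policy.
        long sample = new System.DateTime(2013, 6, 10, 0, 0, 0, System.DateTimeKind.Utc).ToFileTimeUtc();
        System.Console.WriteLine(ExpiresUtc(sample, 512, 90));
        System.Console.WriteLine(EscapeLdapFilter("a*b(c)"));
    }
}
```

The returned date is UTC; call `ToLocalTime()` on it before showing it to a user.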



  • 3.  RE: how to get Password expiration date in workflow for an AD user.

    Posted Jun 11, 2013 09:59 AM

    Another way to do this is to link AD to a SQL server. You can then query AD for the pwdLastSet. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC) (which is not very helpful - but it's easy to convert).

    So I query AD and then run the pwdLastSet through a scalar function to resolve the large integer into a date (code below). If you have a policy which requires your users to change their passwords every 90 days, you can run a stored procedure against the user account to get the number of days left to password reset.

    This has worked in our environment for the last 5 years, and it's proved to be extremely accurate.

    The SP below will get all users whose password will expire in X days (you tell it how long). This can easily be modified to look at a specific user instead of all users.

     

    rob

    ----------------------- StoredProcedure to get all users with expire password in X days -----------------

    USE [Your_Database_Name]
    GO
    SET ANSI_NULLS ON
    GO
    SET QUOTED_IDENTIFIER ON
    GO

    CREATE PROCEDURE [dbo].[sp_GetPasswordExpireXDays]
    @days int
    AS

    SELECT
    samAccountName
    ,datediff(dd,getdate()-90,dbo.utc2date(pwdLastSet)) AS 'PWD Expires in:'
    ,dbo.utc2date(pwdLastSet) as 'Passwd Set:'
    ,sn
    ,givenName
    ,mail
    ,DistinguishedName
    ,UserAccountControl

    FROM
    OpenQuery(ADSI_GAL,'
    SELECT
    sAMAccountName
    ,pwdLastSet
    ,sn
    ,givenName
    ,mail
    ,DistinguishedName
    ,UserAccountControl

    FROM ''LDAP://<DomainControllerFQDN>/DC=<Your>,DC=<AD Domain>,DC=<HERE>''
    where objectCategory = ''Person'' AND objectClass = ''User'' ')

    where UserAccountControl in (512, 534, 1049088, 590336)
    and mail is not null
    AND datediff(dd,getdate()-90,dbo.utc2date(pwdLastSet)) = @days

     

     

    ---------------------  UTC2date Scalar Function  -------------------------

    SET ANSI_NULLS ON
    GO
    SET QUOTED_IDENTIFIER ON
    GO
    CREATE FUNCTION [dbo].[UTC2date] (@numSeconds BIGINT)
    RETURNS DATETIME
    AS BEGIN
    DECLARE @date AS DATETIME
    SET @numSeconds = @numSeconds / 10000000 - 11644473600

    IF @numSeconds < 0
    OR @numSeconds > 2147483647
    BEGIN
    SET @numSeconds = 0
    END

    RETURN DATEADD(ss, @numSeconds, '01-01-1970 00:00:00')
    END