
How to get the password expiration date in Workflow for an AD user.

Created: 10 Jun 2013 | 2 comments

Hi everyone,

I am trying to get the AD user password expiration days in Workflow. Is there a way to do this? I tried the script below, but the script I am using needs to import a reference library and I am not able to do that.

Is there any other way to retrieve it?

Script I used

It uses ActiveDs for LargeInteger.

using System;
using System.DirectoryServices;
using ActiveDs;   // COM interop reference that supplies LargeInteger (IADsLargeInteger)

DirectoryEntry entry = new DirectoryEntry("LDAP://whqs45/DC=***,DC=***");
string filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + userID + "))";
DirectorySearcher search = new DirectorySearcher(entry, filter);
search.SearchScope = SearchScope.Subtree;
SearchResult result = search.FindOne();
if (result == null)
    throw new Exception("No user found with sAMAccountName " + userID);
entry = result.GetDirectoryEntry();

// Pull the information on when the password was last changed; the property comes back as a COM LargeInteger.
LargeInteger liAcctPwdChange = entry.Properties["pwdLastSet"].Value as LargeInteger;

// Combine the high-order/low-order parts into a long. LowPart is a signed int, so mask it to
// 32 bits first; otherwise a LowPart with its top bit set is sign-extended and the result is wrong.
long dateAcctPwdChange = ((long)liAcctPwdChange.HighPart << 32) | (uint)liAcctPwdChange.LowPart;

// Convert the FileTime to a DateTime and get what today's date is.
DateTime dtNow = DateTime.Now;
// I added 90 days because I know what my password expiration is set to; if not, you need to pull that information and add the number of days it is set for.
DateTime dtAcctPwdChange = DateTime.FromFileTime(dateAcctPwdChange).AddDays(90);
string strAcctPwdChange = DateTime.FromFileTime(dateAcctPwdChange).ToShortDateString();
string strAcctPwdExpires = dtAcctPwdChange.ToShortDateString();

// Calculate the difference between the expiry date (password change date plus 90 days) and today, and display the number of days.
TimeSpan time = dtAcctPwdChange - dtNow;
string changedp = strAcctPwdChange;
string expirep = strAcctPwdExpires;
string daysp = time.Days.ToString() + " day(s)";

Comment by reecardo:

There are a few examples out on the internet that don't depend on importing Windows DLLs... there's a sample here:

http://stackoverflow.com/questions/3764327/active-...

As far as objects that reside in .NET DLLs go, you can't explicitly specify using clauses with the Script Generator, though you can in the Code/Script component. But you can still technically get around this in the C# by prefacing the appropriate objects with the namespace (just like all C#, basically).

So in the example above, this:

using System.DirectoryServices;

DirectoryEntry entry = new DirectoryEntry(...);

would become this:

System.DirectoryServices.DirectoryEntry entry = new System.DirectoryServices.DirectoryEntry(...);

Comment by Rob Moore:

Another way to do this is to link AD to a SQL Server. You can then query AD for pwdLastSet. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC) (which is not very helpful, but it's easy to convert).

So I query AD and then run pwdLastSet through a scalar function to resolve the large integer into a date (code below). If you have a policy which requires your users to change their passwords every 90 days, you can run a stored procedure against the user account to get the number of days left to password reset.

This has worked in our environment for the last 5 years, and it's proved to be extremely accurate.

The SP below will get all users whose password will expire in X days (you tell it how long). This can easily be modified to look at a specific user instead of all users.

rob

----------------------- Stored procedure to get all users whose password expires in X days -----------------

USE [Your_Database_Name]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO

-- Lists every user whose password expires in exactly @days days under a 90-day policy.
-- ADSI_GAL is the linked server that points at Active Directory.
CREATE PROCEDURE [dbo].[sp_GetPasswordExpireXDays]
    @days int
AS

SELECT
     samAccountName
    -- days from today until pwdLastSet + 90 days
    ,datediff(dd, getdate() - 90, dbo.utc2date(pwdLastSet)) AS 'PWD Expires in:'
    ,dbo.utc2date(pwdLastSet) AS 'Passwd Set:'
    ,sn
    ,givenName
    ,mail
    ,DistinguishedName
    ,UserAccountControl

FROM
OpenQuery(ADSI_GAL, '
    SELECT
         sAMAccountName
        ,pwdLastSet
        ,sn
        ,givenName
        ,mail
        ,DistinguishedName
        ,UserAccountControl
    FROM ''LDAP://<DomainControllerFQDN>/DC=<Your>,DC=<AD Domain>,DC=<HERE>''
    WHERE objectCategory = ''Person'' AND objectClass = ''User'' ')

-- userAccountControl values to include (512 = NORMAL_ACCOUNT). Note that 590336 has the
-- 65536 (DONT_EXPIRE_PASSWD) bit set, so confirm those accounts are wanted in this report.
WHERE UserAccountControl IN (512, 534, 1049088, 590336)
  AND mail IS NOT NULL
  AND datediff(dd, getdate() - 90, dbo.utc2date(pwdLastSet)) = @days
GO

---------------------  UTC2date Scalar Function  -------------------------

SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
-- Converts an AD large-integer timestamp (100-nanosecond intervals since 1601-01-01 UTC)
-- to a DATETIME. Out-of-range inputs (0 = "must change password at next logon", or dates
-- past 2038 that DATEADD's int argument cannot hold) fall back to the 1970 epoch.
CREATE FUNCTION [dbo].[UTC2date] (@numSeconds BIGINT)
RETURNS DATETIME
AS BEGIN
    -- 100ns intervals -> seconds, then shift from the 1601 epoch to the 1970 epoch
    SET @numSeconds = @numSeconds / 10000000 - 11644473600

    IF @numSeconds < 0
    OR @numSeconds > 2147483647
    BEGIN
        SET @numSeconds = 0
    END

    -- unambiguous date literal, so the result does not depend on the session DATEFORMAT
    RETURN DATEADD(ss, @numSeconds, '19700101 00:00:00')
END
GO
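As an added example (not code from the original post or from reecardo's or Rob's comments), here is the same pwdLastSet conversion in C# with no ActiveDs reference: it follows reecardo's fully-qualified-name approach, reads pwdLastSet as the Int64 that DirectorySearcher already returns (the same 1601-epoch value Rob's UTC2date function converts), and handles the two cases the posted scripts skip, pwdLastSet = 0 and the DONT_EXPIRE_PASSWD bit in userAccountControl. It also escapes the user name before it is placed in the LDAP filter, so a name containing filter metacharacters cannot change the query. The LDAP path, the 90-day policy and the helper names (PasswordExpiry, EscapeFilter, DaysUntilExpiry, Lookup) are assumptions.

```csharp
// Added example (not from the post or comments). Assumed: LDAP path, 90-day policy, helper names.
public static class PasswordExpiry
{
    const int DontExpirePasswd = 0x10000;   // userAccountControl bit 65536
    // RFC 4515 escaping, so a user-supplied name cannot alter the shape of the LDAP filter.
    public static string EscapeFilter(string s)
    {
        return s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }

    // pwdLastSet is a FILETIME (100ns intervals since 1601-01-01 UTC). Returns null if the
    // password never expires, 0 if it must be changed at next logon, otherwise whole days
    // until pwdLastSet + maxPwdAgeDays (negative once expired).
    public static int? DaysUntilExpiry(long pwdLastSet, int userAccountControl,
                                       int maxPwdAgeDays, System.DateTime nowUtc)
    {
        if ((userAccountControl & DontExpirePasswd) != 0) return null;
        if (pwdLastSet == 0) return 0;
        System.DateTime expires = System.DateTime.FromFileTimeUtc(pwdLastSet).AddDays(maxPwdAgeDays);
        return (int)System.Math.Floor((expires - nowUtc).TotalDays);
    }

    // DirectorySearcher returns pwdLastSet as Int64 and userAccountControl as Int32, so no
    // ActiveDs reference is needed. Names are fully qualified because the Workflow Script
    // Generator allows no using clauses.
    public static int? Lookup(string ldapPath, string samAccountName, int maxPwdAgeDays)
    {
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilter(samAccountName) + "))";
        using (var root = new System.DirectoryServices.DirectoryEntry(ldapPath))
        using (var searcher = new System.DirectoryServices.DirectorySearcher(root, filter))
        {
            searcher.PropertiesToLoad.Add("pwdLastSet");
            searcher.PropertiesToLoad.Add("userAccountControl");
            System.DirectoryServices.SearchResult r = searcher.FindOne();
            if (r == null) throw new System.ArgumentException("user not found: " + samAccountName);
            long pwdLastSet = (long)r.Properties["pwdLastSet"][0];
            int uac = (int)r.Properties["userAccountControl"][0];
            return DaysUntilExpiry(pwdLastSet, uac, maxPwdAgeDays, System.DateTime.UtcNow);
        }
    }
    // Offline check on a constructed value: password set 2013-05-01, queried on 2013-06-10.
    public static void Main()
    {
        long set = new System.DateTime(2013, 5, 1, 0, 0, 0, System.DateTimeKind.Utc).ToFileTimeUtc();
        System.DateTime now = new System.DateTime(2013, 6, 10, 0, 0, 0, System.DateTimeKind.Utc);
        System.Console.WriteLine("days left: " + DaysUntilExpiry(set, 512, 90, now));
        System.Console.WriteLine("never expires: " + (DaysUntilExpiry(set, 512 | 0x10000, 90, now) == null));
    }
}
```

In a real domain, replace the fixed 90 with the domain's maxPwdAge (stored on the domain root as a negative 100ns interval) or a fine-grained password policy value, since hardcoding the policy is the limitation the original script's own comment points out.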