useraccountcontrol not set when passwd expires

Discussion in 'Active Directory' started by kj, Aug 22, 2005.

  1. kj

    kj Guest

    Hi,
    We have an external application that uses LDAP to query
    "useraccountcontrol" values to determine the state of a user's password.

    The problem we are seeing is that when a user's password expires the
    "useraccountcontrol" variable does not get updated in AD to reflect this
    change.

    So for a normal account the value is 512 (decimal) and if passwd is expired it
    should be 8388608 but it stays at 512.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

    Checked MS web site but could not find anything there.

    Any help would be appreciated.

    Thanks in advance.

    --kp
     
    kj, Aug 22, 2005
    #1

  2. AD uses the pwdLastSet to determine the password expiration, not that flag
    in userAccountControl. The technique the external application is using will
    not work.

    Password expiration is determined by comparing the date the password was
    last set (pwdLastSet) with the domain password max age policy (maxPwdAge)
    and the current time.

    Joe K.
     
    Joe Kaplan (MVP - ADSI), Aug 22, 2005
    #2

  3. That is correct. The LDAP provider (or LDAP API) does not show the UAC updated
    for that or lockouts. You need to go to the proper attributes, either pwdLastSet
    or lockoutTime.
     
    Joe Richards [MVP], Aug 22, 2005
    #3
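
The check described in the replies above, as an added example that is not code from any poster in this thread: it derives the password state from pwdLastSet and maxPwdAge instead of reading the expired bit in userAccountControl. It assumes the raw integer values have already been read over LDAP, that the domain-wide maxPwdAge applies to the user, and the function names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000          # userAccountControl bit: password never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = -0x8000000000000000              # maxPwdAge stored when the policy is "never expire"


def filetime_to_datetime(ticks):
    """Convert 100-ns ticks since 1601-01-01 UTC (pwdLastSet) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_state(uac, pwd_last_set, max_pwd_age, now):
    """Return (state, expires_at) from raw LDAP integer values.

    uac          -- userAccountControl of the user
    pwd_last_set -- pwdLastSet of the user (FILETIME ticks)
    max_pwd_age  -- maxPwdAge of the domain (negative 100-ns interval)
    now          -- timezone-aware datetime to evaluate against
    """
    if uac & UF_DONT_EXPIRE_PASSWD:
        return ("never_expires", None)
    if pwd_last_set == 0:
        # 0 means the user must change the password at next logon
        return ("must_change", None)
    if max_pwd_age in (0, NEVER):
        return ("never_expires", None)
    lifetime = timedelta(microseconds=abs(max_pwd_age) // 10)
    expires_at = filetime_to_datetime(pwd_last_set) + lifetime
    return ("expired" if now >= expires_at else "valid", expires_at)


# Constructed sample values (not taken from the thread's directory)
SAMPLE_UAC = 512                               # normal account, as in the question
SAMPLE_PWD_LAST_SET = 127620576000000000       # 2005-06-01 00:00 UTC
SAMPLE_MAX_PWD_AGE = -42 * 86400 * 10**7       # 42 days
SAMPLE_NOW = datetime(2005, 8, 22, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(password_state(SAMPLE_UAC, SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE, SAMPLE_NOW))
```

With the sample values the account still reports userAccountControl 512 while the computed state is expired, which is the situation described in the question. The constructed attribute msDS-User-Account-Control-Computed, where the directory provides it, carries the expired and lockout bits that the stored userAccountControl value does not.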