This particular attribute is in LargeInteger format. The easiest way to deal with it is to use DirectorySearcher marshalling behavior. Do not use GetDirectoryEntry if you are only reading data - the SearchResult contains everything you need, and in this case, is a much better choice.
long ticks = (long)result.Properties["maxPwdAge"][0];
Console.WriteLine(DateTime.FromFileTime(ticks));
The 'maxPwdAge' attribute is held on the domainDNS class (the root of the directory) as it is part of policy. It is not held on the user object. If you are using .NET 2.0, you can get this easily:
    using (DirectoryEntry domain = Domain.GetCurrentDomain())
    {
        DirectorySearcher ds = new DirectorySearcher(
            domain,
            "(objectClass=*)",
            null,
            SearchScope.Base
            );
        SearchResult sr = ds.FindOne();
        TimeSpan maxPwdAge = TimeSpan.MinValue;
        if (sr.Properties.Contains("maxPwdAge"))
            maxPwdAge = TimeSpan.FromTicks((long)sr.Properties["maxPwdAge"][0]);
    }
I should also mention that the TimeSpan values that you get as part of domain policy are all negative. You must account for that if you use them later in calculations.
nizdon
Member
117 Points
24 Posts
how to get password expiration date for a user in Active directory
Mar 19, 2006 08:12 AM|LINK
Hi,
I want to display the password expiration date for a user in Active Directory.
I am not able to get the maxPwdAge property for any user.
code:
    DirectoryEntry de1 = new DirectoryEntry("LDAP://RootDSE");
    string domain = de1.Properties["defaultNamingContext"][0].ToString();
    DirectoryEntry entryDomain = new DirectoryEntry("LDAP://" + domain);
    entryDomain.AuthenticationType = AuthenticationTypes.Delegation;
    entryDomain.Username = "Administrator";
    entryDomain.Password = "adminpassword";
    DirectorySearcher mysearch = new DirectorySearcher(entryDomain);
    mysearch.Filter = "(&(ObjectClass=person)(sAMAccountName=myuser))";
    SearchResult search = mysearch.FindOne();
    DirectoryEntry de4 = search.GetDirectoryEntry();
    Console.WriteLine(de4.Properties["maxpwdage"].ToString());
Thanks
Nizdon
dunnry
Star
9098 Points
1806 Posts
Re: how to get password expiration date for a user in Active directory
Mar 20, 2006 06:14 PM|LINK
long ticks = (long)result.Properties["maxPwdAge"][0];
Console.WriteLine(DateTime.FromFileTime(ticks));
Weblog
The Book
LDAP Programming Help
avsln
Member
87 Points
28 Posts
Re: how to get password expiration date for a user in Active directory
Apr 07, 2006 08:29 PM|LINK
When I use the above I am getting an error. The error is as below:
Test method Tester.UnitTest1.Expire threw exception: System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
The code I am using is given below, with the highlighted line throwing the error in question:
    DirectoryEntry userEntry = Domain.GetCurrentDomainDirectoryEntry();
    DirectorySearcher userSearcher = new DirectorySearcher();
    userSearcher.SearchRoot = userEntry;
    userSearcher.Filter = "(&(objectClass=user) (cn=" + UserName + "))";
    SearchResult result = userSearcher.FindOne();
    long passwordExpiryDate;
    if (string.IsNullOrEmpty(result.Properties["maxPwdAge"][0].ToString())) // <---- This is the line throwing the error
    {
        passwordExpiryDate = 0;
    }
    else
    {
        passwordExpiryDate = (long)result.Properties["maxPwdAge"][0];
    }
dunnry
Star
9098 Points
1806 Posts
Re: how to get password expiration date for a user in Active directory
Apr 07, 2006 10:10 PM|LINK
    using (DirectoryEntry domain = Domain.GetCurrentDomain())
    {
        DirectorySearcher ds = new DirectorySearcher(
            domain,
            "(objectClass=*)",
            null,
            SearchScope.Base
            );
        SearchResult sr = ds.FindOne();
        TimeSpan maxPwdAge = TimeSpan.MinValue;
        if (sr.Properties.Contains("maxPwdAge"))
            maxPwdAge = TimeSpan.FromTicks((long)sr.Properties["maxPwdAge"][0]);
    }
dunnry
Star
9098 Points
1806 Posts
Re: how to get password expiration date for a user in Active directory
Apr 09, 2006 06:24 PM|LINK
myourshaw
Member
75 Points
15 Posts
Re: how to get password expiration date for a user in Active directory
Jun 02, 2006 08:03 PM|LINK
This is very helpful. Thanks.
I did have one issue, but the fix (below) is no biggie. I also added the Duration method to get rid of the minus sign. Great book, BTW.
    public static TimeSpan GetMaxPasswordAge()
    {
        using (Domain d = Domain.GetCurrentDomain())
        using (DirectoryEntry domain = d.GetDirectoryEntry())
        {
            DirectorySearcher ds = new DirectorySearcher(
                domain,
                "(objectClass=*)",
                null,
                SearchScope.Base
                );
            SearchResult sr = ds.FindOne();
            TimeSpan maxPwdAge = TimeSpan.MinValue;
            if (sr.Properties.Contains("maxPwdAge"))
                maxPwdAge = TimeSpan.FromTicks((long)sr.Properties["maxPwdAge"][0]);
            return maxPwdAge.Duration();
        }
    }
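To get from the domain's maxPwdAge to the per-user expiration date the thread title asks about, the value has to be combined with the user's pwdLastSet. The following is an added example, not code from any poster in this thread; the use of pwdLastSet and userAccountControl, the class and method names, and the sample values are assumptions that do not appear in the posts.

```csharp
using System;

static class PasswordExpiry
{
    // userAccountControl flag ADS_UF_DONT_EXPIRE_PASSWD.
    const int DontExpirePassword = 0x10000;

    // pwdLastSet: user attribute, FILETIME ticks; 0 means "must change at next logon".
    // maxPwdAge: domain-root attribute, a negative 100-ns interval;
    //            0 or long.MinValue means passwords never expire.
    // Returns null when no expiration date applies.
    public static DateTime? GetExpirationUtc(long pwdLastSet, long maxPwdAge, int uac)
    {
        if ((uac & DontExpirePassword) != 0) return null;
        if (maxPwdAge == 0 || maxPwdAge == long.MinValue) return null;
        if (pwdLastSet == 0) return null;

        // Duration() throws OverflowException for TimeSpan.MinValue,
        // so the long.MinValue case has to be excluded first (done above).
        TimeSpan age = TimeSpan.FromTicks(maxPwdAge).Duration();
        return DateTime.FromFileTimeUtc(pwdLastSet).Add(age);
    }

    static string Show(DateTime? d)
    {
        return d.HasValue ? d.Value.ToString("u") : "no expiration date";
    }

    static void Main()
    {
        // Constructed sample values, not read from a real directory.
        long lastSet = new DateTime(2006, 3, 1, 0, 0, 0, DateTimeKind.Utc).ToFileTimeUtc();
        long policy = -TimeSpan.FromDays(42).Ticks; // stored negative, as noted in the thread
        const int NormalAccount = 0x200;            // ADS_UF_NORMAL_ACCOUNT

        Console.WriteLine(Show(GetExpirationUtc(lastSet, policy, NormalAccount)));
        Console.WriteLine(Show(GetExpirationUtc(lastSet, policy, NormalAccount | DontExpirePassword)));
        Console.WriteLine(Show(GetExpirationUtc(lastSet, long.MinValue, NormalAccount)));
        Console.WriteLine(Show(GetExpirationUtc(0, policy, NormalAccount)));
    }
}
```

Against a live directory, pwdLastSet and userAccountControl would be read from the user's SearchResult and maxPwdAge from the domain root, as in the posts above.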
dunnry
Star
9098 Points
1806 Posts
Re: how to get password expiration date for a user in Active directory
Jun 02, 2006 11:45 PM|LINK
TaffyLewis
Member
195 Points
90 Posts
Re: how to get password expiration date for a user in Active directory
Aug 11, 2008 06:50 PM|LINK
What are you supposed to do with the maxPwdAge.Duration()?
JAaronAnders...
Member
4 Points
2 Posts
Re: how to get password expiration date for a user in Active directory
Jan 25, 2010 03:45 PM|LINK
If I wanted to append the expiration to 6 months out, would I add or subtract 15552000000000000 nanoseconds?
I guess I'd simply overwrite the value with -15552000000000000 nanoseconds, correct?
Thanks for the clarification.
JAaronAnders...
Member
4 Points
2 Posts
Re: how to get password expiration date for a user in Active directory
Jan 25, 2010 03:46 PM|LINK
Can you modify the maxPwdAge attribute for an independent cn? Or is this attribute coupled to the DNSClass somehow and is restricted to group/organization unit policies? ...