It’s common to want to retrieve password expiration dates for users by querying Active Directory directly, or to obtain a list of all users whose passwords will expire soon. Active Directory Users & Computers does not display a password expiration value, and tools like ADSI Edit can only display data that is actually stored in AD. Since a user’s password expiration date is calculated rather than stored as an attribute, you have to take a different approach to make this work.
Active Directory calculates password expiration from the date the user’s password was last changed (the pwdLastSet attribute) and the maximum password age in the password policy that applies to the account: the domain’s own policy (maxPwdAge on the domain object) or, at the Windows Server 2008 domain functional level and above, a fine-grained password policy object applied to the user or one of the user’s groups. Adding these two values gives the password expiration date.
password change date + password policy maximum password age = password expiration date
Sounds easy enough, eh? The calculation is easy. What’s not easy is getting the values for the password change date (pwdLastSet) and the policy maximum password age (maxPwdAge). Both are stored in AD as LargeInteger, an 8-byte integer: pwdLastSet is a FILETIME (the number of 100-nanosecond intervals since 1 January 1601 UTC), and maxPwdAge is a duration in the same 100-nanosecond units, stored as a negative number. Your code has to convert these raw values into human-readable dates before it can compare them, and it has to handle the cases where the formula does not apply: a pwdLastSet of 0 means the user must change their password at next logon, the DONT_EXPIRE_PASSWORD flag (0x10000) in userAccountControl exempts the account from expiration, and a policy whose maximum age is set to “never” leaves nothing to add. Fortunately, there are easy conversion methods for these data types (DateTime.FromFileTime in .NET, for example), and the code samples at the end of this article show you how to use them. On Windows Server 2008 and later domain controllers you can also read the constructed attribute msDS-UserPasswordExpiryTimeComputed, which has the DC perform this calculation for you, fine-grained policies included.
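As an added example (not code from the original article or from PeopleMinder), the PowerShell script below performs the calculation above against a live domain using the LDAP ADSI provider (System.DirectoryServices): it reads maxPwdAge from the domain object, reads pwdLastSet and userAccountControl for each enabled user, handles the never-expires and must-change cases, and lists accounts whose passwords expire within a chosen number of days, which is the “expiring soon” search this article is leading up to. The function name Get-PasswordExpiry and the -DaysAhead parameter are assumptions of this example. It assumes it is run as a domain user on a domain-joined Windows host and that only the domain’s default policy applies; the DC’s msDS-UserPasswordExpiryTimeComputed attribute is read alongside as a cross-check for users covered by a fine-grained policy.

```powershell
# Added example (not from the original article or from PeopleMinder).
# Computes each user's password expiration from pwdLastSet + maxPwdAge using the
# LDAP ADSI provider (System.DirectoryServices) and lists accounts expiring within
# -DaysAhead days. Assumes a domain-joined Windows host, a domain user context,
# and the DEFAULT domain policy (see the PSO cross-check below).
param([int]$DaysAhead = 14)

$UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl flag: password never expires

# Pure calculation, kept separate so it can be exercised without a directory.
# $PwdLastSet and $MaxPwdAge are the raw LargeInteger values as Int64:
#   pwdLastSet = FILETIME (100-ns intervals since 1601-01-01 UTC); 0 = must change at next logon
#   maxPwdAge  = NEGATIVE 100-ns duration; 0 or [int64]::MinValue = policy says "never"
function Get-PasswordExpiry {
    param(
        [Parameter(Mandatory)][int64]$PwdLastSet,
        [Parameter(Mandatory)][int64]$MaxPwdAge,
        [Parameter(Mandatory)][int]$UserAccountControl
    )
    if ($UserAccountControl -band $UF_DONT_EXPIRE_PASSWD) {
        return [pscustomobject]@{ Expires = $null; State = 'NeverExpires (account flag)' }
    }
    if ($MaxPwdAge -eq 0 -or $MaxPwdAge -eq [int64]::MinValue) {
        return [pscustomobject]@{ Expires = $null; State = 'NeverExpires (domain policy)' }
    }
    if ($PwdLastSet -eq 0) {
        return [pscustomobject]@{ Expires = $null; State = 'MustChangeAtNextLogon' }
    }
    $lastSet = [DateTime]::FromFileTimeUtc($PwdLastSet)
    # maxPwdAge is negative, so subtracting it adds the policy's age; DateTime ticks are also 100 ns.
    $expires = $lastSet.AddTicks(-$MaxPwdAge)
    $state   = if ($expires -lt [DateTime]::UtcNow) { 'Expired' } else { 'Active' }
    return [pscustomobject]@{ Expires = $expires; State = $state }
}

# --- Directory lookups -------------------------------------------------------
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.Properties['defaultNamingContext'].Value

# DirectorySearcher hands LargeInteger attributes back as Int64, so no HighPart/LowPart math.
$policySearch = New-Object System.DirectoryServices.DirectorySearcher
$policySearch.SearchRoot  = [ADSI]"LDAP://$domainDn"
$policySearch.Filter      = '(objectClass=domainDNS)'
$policySearch.SearchScope = 'Base'
[void]$policySearch.PropertiesToLoad.Add('maxPwdAge')
$maxPwdAge = [int64]$policySearch.FindOne().Properties['maxpwdage'][0]

# Enabled user accounts only (bit 2 of userAccountControl = ACCOUNTDISABLE).
$userSearch = New-Object System.DirectoryServices.DirectorySearcher
$userSearch.SearchRoot = [ADSI]"LDAP://$domainDn"
$userSearch.Filter     = '(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))'
$userSearch.PageSize   = 1000   # paged results so large domains are not truncated at 1000
[void]$userSearch.PropertiesToLoad.AddRange([string[]]@(
    'sAMAccountName', 'pwdLastSet', 'userAccountControl', 'msDS-UserPasswordExpiryTimeComputed'))

$cutoff = [DateTime]::UtcNow.AddDays($DaysAhead)
foreach ($r in $userSearch.FindAll()) {
    $p = $r.Properties   # ResultPropertyCollection keys are lower-case
    $calc = Get-PasswordExpiry -PwdLastSet ([int64]$p['pwdlastset'][0]) `
                               -MaxPwdAge $maxPwdAge `
                               -UserAccountControl ([int]$p['useraccountcontrol'][0])

    # Cross-check: Server 2008+ DCs compute this constructed attribute themselves and
    # it already honours fine-grained password policies (PSOs). Int64.MaxValue = never.
    $dcView = $null
    if ($p.Contains('msds-userpasswordexpirytimecomputed')) {
        $raw = [int64]$p['msds-userpasswordexpirytimecomputed'][0]
        if ($raw -gt 0 -and $raw -lt [int64]::MaxValue) { $dcView = [DateTime]::FromFileTimeUtc($raw) }
    }

    # Report: expired, must-change, or expiring inside the window.
    if ($calc.State -notlike 'NeverExpires*' -and ($null -eq $calc.Expires -or $calc.Expires -le $cutoff)) {
        [pscustomobject]@{
            User          = $p['samaccountname'][0]
            State         = $calc.State
            ExpiresUtc    = $calc.Expires
            DcComputedUtc = $dcView   # differs from ExpiresUtc when a PSO applies to the user
        }
    }
}
```

Run it as `.\Get-ExpiringPasswords.ps1 -DaysAhead 7` (file name assumed) and pipe to Export-Csv or a mail step for a daily reminder job. Where ExpiresUtc and DcComputedUtc disagree, the user is governed by a fine-grained policy and the DC’s value is the one to trust; to handle that case without the cross-check you would read the user’s msDS-ResultantPSO and that PSO’s msDS-MaximumPasswordAge in place of the domain’s maxPwdAge.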
Web Active Directory provides PeopleMinder, a simple-to-deploy solution that sends notifications to users with expiring passwords, and this solution uses the password expiration calculation at its core to search for those users. Check out PeopleMinder if you want a robust way to send password expiration reminders on a daily basis.
Check out the code samples linked below for more information about calculating the AD password expiration date. You can then use these calculations to search for users whose passwords will expire soon. If you are a .NET developer, the Directory Programming .NET site at http://directoryprogramming.net/ is a fantastic resource for writing this type of password expiration code, and for all types of AD management code.
- How to obtain password expiration date by using LDAP ADSI provider: http://support.microsoft.com/kb/323750
- How Long Until My Password Expires?: http://msdn.microsoft.com/en-us/library/ms974598.aspx
- List When a Password Expires: http://www.cruto.com/resources/vbscript/vbscript-examples/ad/users/pwds/List-When-a-Password-Expires.asp
- PowerShell Script – Active Directory Password Expiration Report: http://www.lucidsolutionsgroup.com/activedirectory/57-password-expiration-report.html
- Find out when your Password Expires: http://blogs.msdn.com/b/adpowershell/archive/2010/02/26/find-out-when-your-password-expires.aspx
- Chapter 10 of The .NET Developers Guide to Directory Services Programming (view pages 360-370): http://ptgmedia.pearsoncmg.com/images/0321350170/samplechapter/Kaplan_ch10.pdf