tags:

views:

274

answers:

2
+1  Q: 

.NET Active Directory Password Expiration on Windows 2008

Searched SO and Everywhere else, including the .net developers guide to directory services programming book - no luck.

I am trying to create a simple password reset web page that allows the user to change their password. The change password portion of the code is working fine. For the users I would also like to display when their current password will expire next.

Using the sample code from the book mentioned above I was able to get all of the code setup however, the attribute that is returned is always equal to Long.MinValue and hence cannot be inverted to a positive number, plus this means it did not find the proper domain setting.

Does anyone have sample code or references for getting the password expiration in a Windows 2008 or R2 domain environment where password policies can be different for each user?

Updated to include code

Constructor that gets the policy object:

public PasswordExpires()
    {
        //Get Password Expiration
        Domain domain = Domain.GetCurrentDomain();
        DirectoryEntry root = domain.GetDirectoryEntry();

        using (domain)
        using (root)
        {
            this.policy = new DomainPolicy(root);
        }
    }

Domain Policy Constructor:

public DomainPolicy(DirectoryEntry domainRoot)
    {
        string[] policyAttributes = new string[] {
  "maxPwdAge", "minPwdAge", "minPwdLength", 
  "lockoutDuration", "lockOutObservationWindow", 
  "lockoutThreshold", "pwdProperties", 
  "pwdHistoryLength", "objectClass", 
  "distinguishedName"
  };

        //we take advantage of the marshaling with
        //DirectorySearcher for LargeInteger values...
        DirectorySearcher ds = new DirectorySearcher(
          domainRoot,
          "(objectClass=domainDNS)",
          policyAttributes,
          SearchScope.Base
          );

        SearchResult result = ds.FindOne();

        //do some quick validation...         
        if (result == null)
        {
            throw new ArgumentException(
              "domainRoot is not a domainDNS object."
              );
        }

        this.attribs = result.Properties;
    }

Call this method to get the password expiration:

public TimeSpan MaxPasswordAge
    {
        get
        {
            string val = "maxPwdAge";
            if (this.attribs.Contains(val))
            {
                long ticks = GetAbsValue(
                  this.attribs[val][0]
                  );

                if (ticks > 0)
                    return TimeSpan.FromTicks(ticks);
            }

            return TimeSpan.MaxValue;
        }
    }

Code fails here because it cannot convert Long.MinValue, which it should not be in the first place

private long GetAbsValue(object longInt)
    {
        return Math.Abs((long)longInt);
    }

Here is the debugger output and values. According to the MSDN Site the overflow exception is caused from the minvalue. My numbers match the examples for minvalue.

Screenshot

A: 

Password expiration times are stored such that if lastPwdSet - maxPwdAge < DateTime.UtcNow is true, then your password is expired. So if you set your password a week ago, but the password will expire in 10 days, the left side will be (DateTime.UtcNow - 7) - (-10), or DateTime.UtcNow - 7 + 10, or DateTime.UtcNow + 3, which is not less than DateTime.UtcNow, so your password won't be expired.

This means that setting maxPwdAge to long.MinValue will effectively give you thousands of years before your password expires. So if you are getting long.MinValue, your policy says that passwords won't expire. You should just look for that value and treat it properly, possibly like this:

private long GetAbsValue(object longInt)  // poorly named
{
    long val = (long)longInt;
    if (val == long.MinValue)
        return long.MaxValue;
    return Math.Abs((long)longInt);  
}

Also, I should point out that the values are stored in 100-nanosecond increments, so you should expect values in the billions.

Gabe  2010-03-12 03:57:28
A: 

Thanks to gabe I realized that the domain GPO policy for passwords was not set to expire. Needed to increase the time as well as modify the code to catch both the Long.MinValue and Long.MaxValue as they both mean different things in AD.

Brent Pabst  2010-03-12 03:57:43

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?