Save password expiration date to text attribute

February 22, 2021

Starting from Windows Server 2008, you can use the value of the msDS-UserPasswordExpiryTimeComputed constructed attribute to check when a user or computer password expires. The attribute stores the date as a Large Integer in FILETIME format (100-nanosecond intervals since January 1, 1601, UTC). Two values are special: the maximum Int64 value (9223372036854775807) means the password never expires, and 0 means no expiration date can be computed (typically because pwdLastSet is 0, i.e. the password must be changed at next logon). You can use the script below in business rules, custom commands and scheduled tasks to convert the value of the attribute to a human-readable form and save it to a text attribute, so that the password expiration date can be displayed to users. For example, you can create a scheduled task that updates user or computer accounts with their current password expiration dates on a regular basis.

Note: To view when a user's password expires, you can also use the Password Expiration Date field when viewing user properties in the Web Interface, and the Account tab of the user properties dialog in the Administration Console. To calculate the expiration date displayed there, Adaxes needs read access to the Password Policies applied in your AD domains. Use the script as a workaround if you cannot grant that access.

Parameter:

  • $passwordExpiryTimeAttributeName - Specifies the LDAP display name of the attribute that will be used for storing password expiry dates in human-readable form.

PowerShell
$passwordExpiryTimeAttributeName = "adm-CustomAttributeText1" # TODO: modify me

# Get the computed expiry time (FILETIME stored as a Large Integer, returned as a string)
$value = $Context.TargetObject.Get("msDS-UserPasswordExpiryTimeComputed")

switch ($value)
{
    "9223372036854775807"
    {
        # Int64.MaxValue: the password never expires
        $value = "never"
    }
    "0"
    {
        # No expiry could be computed, e.g. the password must be changed at next logon
        $value = "unspecified"
    }
    default
    {
        # FromFileTime returns local time; use FromFileTimeUtc if you prefer UTC.
        # Format explicitly so the text attribute gets a stable, culture-independent value.
        $value = [DateTime]::FromFileTime([Int64]::Parse($value)).ToString("yyyy-MM-dd HH:mm:ss")
    }
}

# Save the human-readable value to the text attribute
$Context.TargetObject.Put($passwordExpiryTimeAttributeName, $value)
$Context.TargetObject.SetInfo()
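The following is an added example, not part of the original Adaxes script, that shows the same conversion outside of Adaxes so you can test it locally. It wraps the sentinel handling in a reusable function, uses the UTC variant of the FILETIME conversion, and also returns the number of days left, which is what you need to limit reminders to users whose password expires in, say, 10 or 3 days (the question raised in the comments below). The function name, the sample values and the commented-out [adsisearcher] query are assumptions for illustration; the sample values are constructed and not real directory data.

```powershell
# Added example (not part of the original Adaxes script).
# Converts a raw msDS-UserPasswordExpiryTimeComputed value into a readable
# expiry date plus days left, handling the two sentinel values.
# Runs stand-alone in Windows PowerShell or pwsh; the AD query at the end is
# optional and only works on a domain-joined machine.

function ConvertFrom-PasswordExpiryTime {
    [CmdletBinding()]
    param(
        # Raw attribute value as returned by ADSI/LDAP (string or Int64)
        [Parameter(Mandatory)] $RawValue,
        # Reference "now"; overridable so results are reproducible
        [DateTime] $Now = (Get-Date)
    )
    $ticks = [Int64]::Parse([String]$RawValue)
    switch ($ticks) {
        ([Int64]::MaxValue) {
            # 9223372036854775807: the password never expires
            return [PSCustomObject]@{ Expires = 'never'; DaysLeft = $null; Expired = $false }
        }
        0 {
            # No expiry computable, e.g. pwdLastSet = 0 (must change at next logon)
            return [PSCustomObject]@{ Expires = 'unspecified'; DaysLeft = $null; Expired = $false }
        }
        default {
            $nowUtc   = $Now.ToUniversalTime()
            $expiry   = [DateTime]::FromFileTimeUtc($ticks)   # FILETIME is UTC-based
            $daysLeft = [Math]::Floor(($expiry - $nowUtc).TotalDays)
            return [PSCustomObject]@{
                Expires  = $expiry.ToString('yyyy-MM-dd HH:mm:ss') + ' UTC'
                DaysLeft = [Int]$daysLeft
                Expired  = ($expiry -le $nowUtc)
            }
        }
    }
}

# Constructed sample values (hypothetical, not real directory data)
$reference = [DateTime]::new(2021, 2, 22, 9, 0, 0, [DateTimeKind]::Utc)
$samples = @(
    '9223372036854775807',                            # never expires
    '0',                                              # must change at next logon
    [String]$reference.AddDays(10).ToFileTimeUtc(),   # expires in 10 days
    [String]$reference.AddDays(-2).ToFileTimeUtc()    # already expired
)
foreach ($raw in $samples) {
    ConvertFrom-PasswordExpiryTime -RawValue $raw -Now $reference
}

# Reminder filter for a nightly job: only users expiring in exactly 10 or 3 days
$reminderDays = 10, 3
$samples |
    ForEach-Object { ConvertFrom-PasswordExpiryTime -RawValue $_ -Now $reference } |
    Where-Object { $null -ne $_.DaysLeft -and $reminderDays -contains $_.DaysLeft }

# Optional live query (assumes a domain-joined machine; uncomment to use).
# Constructed attributes must be requested explicitly via PropertiesToLoad.
# $searcher = [adsisearcher]'(&(objectCategory=person)(sAMAccountName=jdoe))'
# $searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed') | Out-Null
# $raw = $searcher.FindOne().Properties['msds-userpasswordexpirytimecomputed'][0]
# ConvertFrom-PasswordExpiryTime -RawValue $raw
```

Two points to note: the expiry attribute is constructed, so a DirectorySearcher only returns it when it is listed in PropertiesToLoad, and the comparison for reminders is done on whole days in UTC, so run the job at a fixed time each night to avoid sending the same reminder twice or skipping it.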

Comments (10)
Sandra Mitchell
Mar 11, 2021
I'm interested in a script that will return the number of days before the password expires in a readable format. I'm working on a task that will send reminders ONLY to staff members whose password is expiring in 10 days or 3 days. I know there's a built-in function that exists, but it looks as though it would flood the logs with all user data, which I'm trying to avoid.
Support
Mar 12, 2021
Hello Sandra,

It can be done using a scheduled task. In the task, use the If account/password <expiration status> condition. For example:

To include the number of days left before the user password expiration into the email notification, use the %adm-PasswordExpiresDaysLeft% value reference. Finally, the scheduled task will look as follows:
Sandra Mitchell
Mar 12, 2021
Thanks for the reply. I'm concerned with a log being generated for each user (4K) every night if we implement it this way, which is why I'd prefer to do it in a PowerShell script that runs nightly. Can you assist with that?
Support
Mar 15, 2021
Hello Sandra,

Log records will not be created for all the users that are present in the Activity Scope of the scheduled task. It will only be done for users that meet the conditions and for which the email notification is sent. Using a script will create only a single log record for the script execution. If you still prefer using a script, we will provide you with it.
Sandra Mitchell
Mar 15, 2021
I would prefer a script so that there is just a single log record for the script execution. I will use LogMessage within the script if I want to capture details. I look forward to whatever you can provide.

Thanks!
Support
Mar 16, 2021
Hello Sandra,

Thank you for specifying. There are two options for the script.
  1. It will be executed in a scheduled task configured for the Domain-DNS object type, search for users whose passwords are about to expire in all the managed domains and send email notifications to the users.
  2. It will be executed in a scheduled task configured for the Organizational Unit object type, search for users whose passwords are about to expire in each OU present in the Activity Scope of the task and send email notifications to the users.
Please, specify which approach meets your needs and we will get back to you with the script. Also, please, specify what should be done if a recipient has no email address specified.
Sandra Mitchell
Mar 17, 2021
I want it to be a scheduled task configured for the Domain-DNS. If the recipient has no email address specified, log a message and skip.

Thanks...
Support
Mar 18, 2021
Hello Sandra,

Thank you for the confirmation. Have a look at the following script from our repository: https://www.adaxes.com/script-repository/notify-users-whose-passwords-are-to-expire-after-a-specific-number-of-days-s606.htm.
Sandra Mitchell
Mar 18, 2021
That link takes me to a script labelled "Save password expiration date to text attribute". That's not what I need. Please double-check the link you provided.

Thanks...
Support
Mar 18, 2021
Hello Sandra,

As per our check the URL is correct and leads to the script named Notify users whose passwords are to expire after a specific number of days. The script named Save password expiration date to text attribute is the one here. Here is the link to the script you need again: https://www.adaxes.com/script-repository/notify-users-whose-passwords-are-to-expire-after-a-specific-number-of-days-s606.htm.