windude New Member
Joined: 09 May 2007 Posts: 33
Posted: Mon Sep 17, 2007 6:14 pm Post subject: How to view last password change date for a user in AD?

Is there any way to view the last password change date or days left before the password expires for a specified user?

AdamV SF Mod
Joined: 06 Oct 2004 Posts: 4602 Location: Leeds, UK

cconk01 Forum Addict
Joined: 10 Nov 2005 Posts: 456 Location: Maryland
Posted: Mon Sep 17, 2007 9:17 pm Post subject:

I too am definitely interested.

windude New Member
Joined: 09 May 2007 Posts: 33
Posted: Mon Sep 17, 2007 9:47 pm Post subject:

I await your blog entry.

AdamV SF Mod
Joined: 06 Oct 2004 Posts: 4602 Location: Leeds, UK
Posted: Mon Sep 17, 2007 9:53 pm Post subject:

Finished!
Read about how to install and use AcctInfo.dll to access additional AD properties here
A short extract from VeroBlog, where I wrote:
AcctInfo is a DLL file which is part of the free tools for the Windows 2003 resource kit, but can be used on 2003 or 2000 machines. It enables extended properties for the Active Directory Users and Computers (ADUC) MMC snap-in.
This is one of those tools which is really useful, if only you knew it was available. Then of course you have to get round to installing it on all the machines where you might need to use it. However, once you have started using it you will be very pleased that you bothered.
_________________ "Due to global warming, eskimos now have 20 words for water" John O'Farrell
Meteor IT - Technical Consulting Services and Software Training Courses, Leeds, UK

windude New Member
Joined: 09 May 2007 Posts: 33
Posted: Mon Sep 17, 2007 10:08 pm Post subject:

Thanks AdamV! Will this work on Windows XP with the resource kit installed? I ran regsvr32.exe acctinfo.dll and didn't see an Additional Account Info tab under my user properties. What type of privileges do I need for this to work?

cconk01 Forum Addict
Joined: 10 Nov 2005 Posts: 456 Location: Maryland
Posted: Mon Sep 17, 2007 10:42 pm Post subject:

I had problems on my XP machine leaving the DLL in the default location. I moved it to the root and used regsvr32 C:\Acctinfo.dll. Worked like a charm. As for privileges to install it locally, you will need local admin rights, I'm assuming, to register the service.

windude New Member
Joined: 09 May 2007 Posts: 33
Posted: Tue Sep 18, 2007 6:17 pm Post subject:

The Additional Account Info tab seems to be only visible when I manually browse for a user in ADUC. When I use the Find function, the tab doesn't appear under the user's properties window. Is this the same case for everyone else? Is there a way to get it to work using the Find?

AdamV SF Mod
Joined: 06 Oct 2004 Posts: 4602 Location: Leeds, UK
Posted: Wed Sep 19, 2007 1:40 pm Post subject:

You are right, that seems to be the behaviour anywhere except in ADUC directly.
It does not work in the SBS management console, nor from a "find" result. Same behaviour whether you leave the DLL in resource kit\tools or copy it to windows\system32 (and re-register it).
I've updated the blog post and given credit to Windude for pointing this out. I have not updated the info about where to install and register it, since it does not seem to make any difference.
baileyk9 Just Arrived
Joined: 22 Aug 2007 Posts: 7 Location: Raleigh, NC
Posted: Wed Sep 19, 2007 7:30 pm Post subject:

You could also use CSVDE to look at the Pwd-Last-Set Attribute (pwdLastSet) value. This is a rather simple approach.
For example, from a command line:
CSVDE -f outputfile.csv -r objectClass=user -l "pwdLastSet"
for all users,
or for a specific user named BaileyK9:
CSVDE -f outputfile.csv -r "(&(objectClass=user)(name=BaileyK9))" -l "pwdLastSet"
_Pwd-Last-Set Attribute_
(from http://msdn2.microsoft.com/en-us/library/ms679430.aspx):
The date and time that the password for this account was last changed. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon.
Last edited by baileyk9 on Wed Sep 19, 2007 7:45 pm; edited 1 time in total

baileyk9 Just Arrived
Joined: 22 Aug 2007 Posts: 7 Location: Raleigh, NC
Posted: Wed Sep 19, 2007 7:39 pm Post subject:

Also, using CSVDE (or other tools, LDIFDE, etc.), this attribute might be useful regarding the original question:
"accountExpires"
_Account Expires_
"accountExpires"
The Account Expires control displays the date that the account will expire at the end of. The accountExpires attribute is stored as the date that the account expires on. Because of this, the date displayed in the Account Expires control will be displayed as one day earlier than the date contained in the accountExpires attribute.
(http://msdn2.microsoft.com/en-us/library/ms677980.aspx)
<> Bailey
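
Added example, not part of the thread and not written by any poster: a Python script that reads a CSVDE export holding the pwdLastSet and accountExpires attributes from the two posts above, plus userAccountControl, and converts the raw large integers into dates and days left before the password expires. The sample rows, the example.local names and the 42-day maximum password age are constructed assumptions; substitute the value from your own domain policy.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000        # userAccountControl flag
NEVER = (0, 0x7FFFFFFFFFFFFFFF)        # accountExpires values meaning "never"

# Constructed sample export with the attribute list extended to
# pwdLastSet,userAccountControl,accountExpires; not real directory data.
SAMPLE_CSV = '''DN,pwdLastSet,userAccountControl,accountExpires
"CN=BaileyK9,CN=Users,DC=example,DC=local",128330784000000000,512,9223372036854775807
"CN=NewHire,CN=Users,DC=example,DC=local",0,512,0
"CN=SvcBackup,CN=Users,DC=example,DC=local",128120832000000000,66048,128330784000000000
'''

def filetime_to_utc(value):
    """100-nanosecond intervals since 1601-01-01 (UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def password_days_left(row, max_age_days, now):
    """Days until expiry; 0 = must change at next logon, None = never expires."""
    if int(row["userAccountControl"]) & UF_DONT_EXPIRE_PASSWD:
        return None
    if int(row["pwdLastSet"]) == 0:
        return 0
    expires = filetime_to_utc(row["pwdLastSet"]) + timedelta(days=max_age_days)
    return (expires - now).days        # negative means already expired

def account_expiry(row):
    """Stored accountExpires instant, or None when the account never expires."""
    value = int(row["accountExpires"])
    return None if value in NEVER else filetime_to_utc(value)

def report(csv_text, max_age_days, now):
    """Map each DN to (password last set, password days left, account expiry)."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        last_set = filetime_to_utc(row["pwdLastSet"]) if int(row["pwdLastSet"]) else None
        result[row["DN"]] = (last_set, password_days_left(row, max_age_days, now),
                             account_expiry(row))
    return result

if __name__ == "__main__":
    now = datetime(2007, 9, 19, tzinfo=timezone.utc)  # fixed date, repeatable output
    for dn, fields in report(SAMPLE_CSV, max_age_days=42, now=now).items():
        print(dn, *fields, sep=" | ")
```
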