Active Directory user password expiration date .NET/OU Group Policy
Solution 1
Let me start with http://support.microsoft.com/kb/323750 which contains Visual Basic and VBScript examples and http://www.anitkb.com/2010/03/how-to-implement-active-directory.html which outlines how the maxPwdAge OU setting impacts computers, not users. It also has a comment pointing to AloInfo.exe as a tool from MS that can be used to get password ages.
Here is the example:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.DirectoryServices;
namespace LDAP
{
class Program
{
static void Main(string[] args)
{
string domainAndUsername = string.Empty;
string domain = string.Empty;
string userName = string.Empty;
string passWord = string.Empty;
AuthenticationTypes at = AuthenticationTypes.Anonymous;
StringBuilder sb = new StringBuilder();
domain = @"LDAP://w.x.y.z";
domainAndUsername = @"LDAP://w.x.y.z/cn=Lawrence E."+
" Smithmier\, Jr.,cn=Users,dc=corp,"+
"dc=productiveedge,dc=com";
userName = "Administrator";
passWord = "xxxpasswordxxx";
at = AuthenticationTypes.Secure;
DirectoryEntry entry = new DirectoryEntry(
domain, userName, passWord, at);
DirectorySearcher mySearcher = new DirectorySearcher(entry);
SearchResultCollection results;
string filter = "maxPwdAge=*";
mySearcher.Filter = filter;
results = mySearcher.FindAll();
long maxDays = 0;
if(results.Count>=1)
{
Int64 maxPwdAge=(Int64)results[0].Properties["maxPwdAge"][0];
maxDays = maxPwdAge/-864000000000;
}
DirectoryEntry entryUser = new DirectoryEntry(
domainAndUsername, userName, passWord, at);
mySearcher = new DirectorySearcher(entryUser);
results = mySearcher.FindAll();
long daysLeft=0;
if (results.Count >= 1)
{
var lastChanged = results[0].Properties["pwdLastSet"][0];
daysLeft = maxDays - DateTime.Today.Subtract(
DateTime.FromFileTime((long)lastChanged)).Days;
}
Console.WriteLine(
String.Format("You must change your password within"+
" {0} days"
, daysLeft));
Console.ReadLine();
}
}
}
Solution 2
The following code worked for me to get the password expiration date on both domain and local user accounts:
public static DateTime GetPasswordExpirationDate(string userId, string domainOrMachineName)
{
using (var userEntry = new DirectoryEntry("WinNT://" + domainOrMachineName + '/' + userId + ",user"))
{
return (DateTime)userEntry.InvokeGet("PasswordExpirationDate");
}
}
Solution 3
Use following method to get expiration date of the account-
public static DateTime GetPasswordExpirationDate(string userId)
{
string forestGc = String.Format("GC://{0}", Forest.GetCurrentForest().Name);
var searcher = new DirectorySearcher();
searcher = new DirectorySearcher(new DirectoryEntry(forestGc));
searcher.Filter = "(sAMAccountName=" + userId + ")";
var results = searcher.FindOne().GetDirectoryEntry();
return (DateTime)results.InvokeGet("PasswordExpirationDate");
}
Solution 4
Some of the previous answers rely on the DirectoryEntry.InvokeGet method, which MS says should not be used. So here's another approach:
public static DateTime GetPasswordExpirationDate(UserPrincipal user)
{
DirectoryEntry deUser = (DirectoryEntry)user.GetUnderlyingObject();
ActiveDs.IADsUser nativeDeUser = (ActiveDs.IADsUser)deUser.NativeObject;
return nativeDeUser.PasswordExpirationDate;
}
You'll need to add a reference to the ActiveDS COM library typically found at C:\Windows\System32\activeds.tlb.
dexter
Updated on May 17, 2020Comments
-
dexter almost 4 years
I have searched the site for information and found this: ASP.NET C# Active Directory - See how long before a user's password expires
which explains how to get the value of when the password expires as per Domain Policy.
My question is this: what if the user has an OU Group Policy that has a different MaxPasswordAge value, overriding the one specified in Domain Group Policy? How to programatically get the OU's Group Policy Object?
Edit: To make this question a little bit more clear, I am adding this edit. What I am after is to being able to tell when user's password expires. As far as I understand that date value can either be governed by domains local policy or by group object policy. I have a Linq2DirectoryService Provider that translates Linq to Ldap queries. So an LDAP query to get the date expiration value would be optimal for this subj. If you answer includes what objects wrappers supported by .net are included into this equation - it would be a dead on answer!