Expired password Event ID in Windows Server 2012
In short, no.
A password expiration isn't really an event that happens. It's a calculation that DCs perform at the moment of authentication based on the attributes on the account and password policies that apply to the account. An account whose password is currently expired might no longer be expired if you change the policies surrounding maximum password age or add a flag that it never expires.
So if you're trying to write a script that does something with accounts that have expired passwords, you're going to have to do it as a point-in-time sort of calculation as well. If your AD is 2008 based or later, you have access to the msDS-UserPasswordExpiryTimeComputed constructed attribute, which basically takes into consideration everything that would contribute to a password's expiration and gives you a timestamp of when that user's password will expire (or has expired).
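The point-in-time check the answer describes, as an added example that is not part of the original answer. It reads msDS-UserPasswordExpiryTimeComputed for every enabled account and reports the ones whose computed expiry is already in the past. It assumes the RSAT ActiveDirectory module and read access to the attribute; the OU in the parameter is a placeholder. The constructed attribute cannot be used inside the LDAP filter itself, so the comparison is done client-side after the query.

```powershell
# Added example (not from the original answer): a point-in-time check for expired
# passwords using the constructed attribute msDS-UserPasswordExpiryTimeComputed.
# Assumes the RSAT ActiveDirectory module and read access to the attribute on the
# accounts queried; the search base below is a placeholder.
Import-Module ActiveDirectory

function Get-ExpiredPasswordUser {
    param(
        # Placeholder search base; drop -SearchBase in the call below to scan the whole domain.
        [string]$SearchBase = 'OU=Staff,DC=example,DC=com'
    )

    $now  = Get-Date
    $attr = 'msDS-UserPasswordExpiryTimeComputed'

    # Constructed attributes are not filterable server-side, so only the cheap
    # pre-filters (enabled, not flagged never-expires) go into the LDAP query.
    Get-ADUser -SearchBase $SearchBase `
               -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
               -Properties $attr, PasswordLastSet |
      ForEach-Object {
          $raw = $_.$attr
          # The DC returns 0 when there is no computed expiry (for example
          # "user must change password at next logon") and Int64.MaxValue when
          # the password never expires (no maximum password age applies).
          # Neither converts to a DateTime, so skip them rather than let
          # FromFileTime throw.
          if ($null -eq $raw -or $raw -eq 0 -or $raw -eq [Int64]::MaxValue) { return }

          $expires = [DateTime]::FromFileTime($raw)
          [PSCustomObject]@{
              SamAccountName  = $_.SamAccountName
              PasswordLastSet = $_.PasswordLastSet
              PasswordExpires = $expires
              Expired         = $expires -lt $now
          }
      } |
      Where-Object Expired |
      Sort-Object PasswordExpires
}

Get-ExpiredPasswordUser | Format-Table -AutoSize
```

Because the value is recomputed by the DC on each read, the same script run after a policy change (a longer maximum password age, a fine-grained password policy, or the never-expires flag) will return a different set of accounts, which is exactly the point the answer makes: there is no stored "expired" state to hook an event to.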
Asked by patJR, updated on September 18, 2022

Comments
-
patJR, over 1 year ago:
Does any event ID get generated when a user account password expires? I was hoping to write a script that triggers through an event.
I did look around but did not find anything related to password expiration; I only found events related to account expiration.
-
Cory Knutson, about 7 years ago: Would you be open to a PowerShell script that would find expired users?
-
patJR, about 7 years ago: @CoryKnutson That information is something I already know how to extract. I was hoping to reset expired passwords as some event ID is generated (user by user) rather than reset all the expired accounts at once. Anyhow, thanks though.
-
Art.Vandelay05, about 7 years ago: Off the top of my head, the only Event ID I can think of that is close to what you want is 4771. That Event ID is triggered when a user has a login failure. One of the reason codes is "0x17: Password has expired. The user's password has expired." Again, not what you want. I know you want an event ID triggered when the user's password has expired.
-
patJR, about 7 years ago: @Art.Vandelay05 Awesome. I will look into this ID. It could be useful actually. The reason for what I am trying to do is that we have an environment which is hardly ever accessed by users, so mostly when they do access it, their passwords are expired. So right now I am thinking of the best solution to this issue. Thanks for the suggestion.
-
Art.Vandelay05, about 7 years ago: @patJR Cool. Glad to help out.
-
Lucky Luke, about 7 years ago: Art.Vandelay05 is right, Windows doesn't log an event just because a password expires. You can intercept a failed logon event like he said, and filter based on the failure reason, which is "password expired". The only other option would be to write a script which scans AD or the local account database to find any accounts for which the password is expired.
-
patJR, about 7 years ago: @LuckyLuke Yup, that is right. For Event 4771, do you know how I should enable this event? What setting in Group Policy, I mean? I don't see it in Event Viewer. Thanks.
-
patJR, about 7 years ago: @LuckyLuke You were really close. It's the /..../Account Logon/Audit Kerberos Authentication Service setting. This setting generated the 4771. But again, thanks for helping out.
-
Lucky Luke, about 7 years ago: Awesome, thanks for letting me know, glad it works now!
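The detection the comment thread converges on, as an added example that is not part of the original thread: pull logon failures whose reason is an expired password from the Security log of a domain controller. Kerberos pre-authentication failures are event 4771 with Status 0x17, as identified above; the same condition over NTLM is event 4776 with Status 0xC0000071 (STATUS_PASSWORD_EXPIRED), which is worth including because a client that does not use Kerberos never produces a 4771. The audit subcategories named in the auditpol lines are the ones that generate these events; the function name and the 24-hour window are this example's own choices.

```powershell
# Added example (not from the original thread): find logon failures caused by an
# expired password. Run on a domain controller. Kerberos pre-auth failures are
# event 4771 with Status 0x17 (as found in the thread); NTLM validation failures
# are event 4776 with Status 0xC0000071 (STATUS_PASSWORD_EXPIRED). Both need
# failure auditing enabled, e.g. from an elevated prompt:
#   auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable
#   auditpol /set /subcategory:"Credential Validation" /failure:enable

function Get-ExpiredPasswordLogonFailure {
    param([int]$Hours = 24)

    # Status codes meaning "password expired" for 4771 and 4776 respectively.
    # PowerShell string comparison is case-insensitive, so the hex case in the
    # event XML does not matter.
    $expiredCodes = '0x17', '0xC0000071'

    Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4771, 4776
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
      ForEach-Object {
          # Pull the named EventData fields out of the event XML.
          $xml = [xml]$_.ToXml()
          $d = @{}
          foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

          # Both event IDs also fire for bad passwords, disabled accounts, etc.;
          # only the status code distinguishes the expired-password case.
          if ($d['Status'] -notin $expiredCodes) { return }

          [PSCustomObject]@{
              Time    = $_.TimeCreated
              EventId = $_.Id
              User    = $d['TargetUserName']
              # 4771 carries the client IP address; 4776 carries the workstation name.
              Source  = if ($_.Id -eq 4771) { $d['IpAddress'] } else { $d['Workstation'] }
              Status  = $d['Status']
          }
      }
}

Get-ExpiredPasswordLogonFailure | Format-Table -AutoSize
```

To get the per-user trigger asked for in the question, the closest available mechanism is a scheduled task attached to event 4771 (Event Viewer, right-click the event, "Attach Task To This Event"); the task can then run a script against the TargetUserName. The caveat the thread already points out still applies: this fires only when the user attempts to log on, after the password has expired, not at the moment of expiry.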