I have problems understanding how pwd mgmt and expiration checks are performed.
I inherited a w2k3 sp1 server that is also domain controller and that is also the exchange server (2003 sp1).
There is only one domain in the forest.
Diving into documentation and searching through the internet I found references to:
1) the "accountexpires" attribute of a user that defaults to never in my domain (1/1/1970 that is interpreted as never expire for m$ weirdness or nt inheritance...who knows) but I can set it for a user, using act dir user and comp, selecting the user and selecting the accout tab, then setting the date inside "Account expires" frame.
For example end of 11 Dec 2006.
And I see in ADSIEdit that the value now is 128103516000000000 (marvellous decision the 100th of nanoseconds since 1/1/1601 12am date rapresentation, well done....)
2) the computed value, derived from "maxpwdage" (that is negative number) domain attribute and "pwdLastSet" attribute for the user.
pwdLastSet-maxpwdage gives the date when the account will expire
In my example they are -43200000000000 (-50 days) and 128008193462031250 (Wed Aug 23 17:09:06 2006), so that the password should expire at Thu Oct 12 17:09:06 2006...
I thought these were two aspects of the same medal, but it doesn't seem so.
a) If for example I access the domain account mailbox from internet explorer, I receive the warning that the password is expiring in xxx days, that is consistent with 2) (in another example where effectively the user is in expiration notification range, not in this particular one)
b) if i log in in a workstation of the domain with the same user and change the password, I see that pwdlastset attribute is updated but not the accountexpires one. Should instead this happen?
Can anyone clarify, please?
Thanks in advance
Gianluca
I inherited a w2k3 sp1 server that is also domain controller and that is also the exchange server (2003 sp1).
There is only one domain in the forest.
Diving into documentation and searching through the internet I found references to:
1) the "accountexpires" attribute of a user that defaults to never in my domain (1/1/1970 that is interpreted as never expire for m$ weirdness or nt inheritance...who knows) but I can set it for a user, using act dir user and comp, selecting the user and selecting the accout tab, then setting the date inside "Account expires" frame.
For example end of 11 Dec 2006.
And I see in ADSIEdit that the value now is 128103516000000000 (marvellous decision the 100th of nanoseconds since 1/1/1601 12am date rapresentation, well done....)
2) the computed value, derived from "maxpwdage" (that is negative number) domain attribute and "pwdLastSet" attribute for the user.
pwdLastSet-maxpwdage gives the date when the account will expire
In my example they are -43200000000000 (-50 days) and 128008193462031250 (Wed Aug 23 17:09:06 2006), so that the password should expire at Thu Oct 12 17:09:06 2006...
I thought these were two aspects of the same medal, but it doesn't seem so.
a) If for example I access the domain account mailbox from internet explorer, I receive the warning that the password is expiring in xxx days, that is consistent with 2) (in another example where effectively the user is in expiration notification range, not in this particular one)
b) if i log in in a workstation of the domain with the same user and change the password, I see that pwdlastset attribute is updated but not the accountexpires one. Should instead this happen?
Can anyone clarify, please?
Thanks in advance
Gianluca