Display password expiration

sapper1
    Posted: 16 March 2017 at 6:20pm
Our users connect to our Windows 2008 R2 terminal servers. We use BgInfo to display basic information, but we would also like to display how many days are left until the user's password expires. I have tried several VBScripts, including some from this site, but none seem to work. The only result it displays is "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire".

Our passwords are in fact set to expire every 120 days via GPO and this is functioning properly. 

Any guidance would be appreciated. Below is the script I am currently trying to use.

On Error Resume Next

Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
Const ONE_HUNDRED_NANOSECOND    = .000000100
Const SECONDS_IN_DAY            = 86400

' Get UserName
Dim objNetwork, userName
Set objNetwork = CreateObject("WScript.Network")

userName = objNetwork.UserName

' Bind to the user object by CN under the Accounts OU
Set objUser = GetObject("LDAP://CN=" & userName & ",OU=Accounts,DC=A,DC=B,DC=C,DC=com")

intUserAccountControl = objUser.Get("userAccountControl")
If intUserAccountControl And ADS_UF_DONT_EXPIRE_PASSWD Then 
    echo "The password does not expire."
    WScript.Quit
Else
    dtmValue = objUser.PasswordLastChanged
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then              
        echo "The password has never been set."
        WScript.Quit
    Else
        intTimeInterval = Int(Now - dtmValue)
        echo "The password was last set on " & _
          DateValue(dtmValue) & " at " & TimeValue(dtmValue)  & vbCrLf & _
          "The difference between when the password was last" & vbCrLf & _
          "set and today is " & intTimeInterval & " days"
    End If

    Set objDomain = GetObject("LDAP://OU=Accounts,DC=A,DC=B,DC=C,DC=com")
    Set objMaxPwdAge = objDomain.Get("maxPwdAge")

    If objMaxPwdAge.LowPart = 0 Then
        Echo "The Maximum Password Age is set to 0 in the " & _
                     "domain. Therefore, the password does not expire."
        WScript.Quit
    Else
        dblMaxPwdNano = _
            Abs(objMaxPwdAge.HighPart * 2^32 + objMaxPwdAge.LowPart)
        dblMaxPwdSecs = dblMaxPwdNano * ONE_HUNDRED_NANOSECOND  
        dblMaxPwdDays = Int(dblMaxPwdSecs / SECONDS_IN_DAY)     
        echo "Maximum password age is " & dblMaxPwdDays & " days"

        If intTimeInterval >= dblMaxPwdDays Then
            echo "The password has expired."
        Else
            echo "The password will expire on " & _
              DateValue(dtmValue + dblMaxPwdDays) & " (" & _
              Int((dtmValue + dblMaxPwdDays) - Now) & " days from today)."
        End If
    End If
End If




Edited by sapper1 - 16 March 2017 at 6:32pm
WindowsStar
Posted: 19 March 2017 at 6:12am
This is a problem when on a domain, and I have seen it a few times. I cannot remember where, but when I was working on a similar problem I found the reason why the VBScripts don't always work or are not correct, etc. The issue is that most domains have more than one domain controller and the password information is not or does not get stored on all domain controllers. When you are looking at password expiration from AD, that application knows how to search the whole domain for the information, but the VBScript is only checking the single domain controller it is connected to. All that said, what I did to make my VBScripts work with password expiration and a few other user settings is have the script check each domain controller, store the results, find the information I need and then display it. That seems to have worked every time. -WS
bmv98rus
Posted: 21 April 2017 at 6:55am
This construction
Set objDomain = GetObject("LDAP://OU=Accounts,DC=A,DC=B,DC=C,DC=com")
Set objMaxPwdAge = objDomain.Get("maxPwdAge")
returns the value that should be defined in the domain and on the domain controller. I think your GPO changes it only for a user.
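
Added example, not part of any post above and not Sysinternals code: a BgInfo custom-field script that reads maxPwdAge from the domain object (the default naming context taken from RootDSE) instead of an OU, and tests Err once after the lookups so that a failed bind is reported rather than read as a zero maximum age. The function names and message strings are assumptions made for this example.

```vbscript
' Added example for a BgInfo custom field; not the poster's script.
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const TICKS_PER_SECOND = 10000000      ' 100-nanosecond intervals per second
Const SECONDS_IN_DAY = 86400

' IADsLargeInteger exposes both halves as signed 32-bit values, so a
' negative LowPart has to be shifted up by 2^32 before combining.
Function LargeIntToDouble(objLargeInt)
    Dim dblLow
    dblLow = objLargeInt.LowPart
    If dblLow < 0 Then dblLow = dblLow + 2 ^ 32
    LargeIntToDouble = objLargeInt.HighPart * 2 ^ 32 + dblLow
End Function

Function PasswordExpiryText()
    Dim objSysInfo, objRootDSE, objUser, objDomain, objMaxPwdAge
    Dim strUserDN, lngUAC, dtmLastSet, lngErr, dblMaxDays, intDaysLeft
    ' Collect everything first, then test Err once. Under Resume Next an
    ' If whose condition raises an error still runs its Then branch.
    On Error Resume Next
    Set objSysInfo = CreateObject("ADSystemInfo")
    strUserDN = Replace(objSysInfo.UserName, "/", "\/")   ' DN of the logged-on user
    Set objUser = GetObject("LDAP://" & strUserDN)
    Set objRootDSE = GetObject("LDAP://RootDSE")
    ' maxPwdAge is an attribute of the domain object, not of an OU.
    Set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
    Set objMaxPwdAge = objDomain.Get("maxPwdAge")
    lngUAC = objUser.Get("userAccountControl")
    dtmLastSet = objUser.PasswordLastChanged
    lngErr = Err.Number
    On Error GoTo 0

    If lngErr <> 0 Then
        PasswordExpiryText = "Password expiry unknown (error 0x" & Hex(lngErr) & ")"
    ElseIf lngUAC And ADS_UF_DONT_EXPIRE_PASSWD Then
        PasswordExpiryText = "Password does not expire"
    ElseIf objMaxPwdAge.LowPart = 0 Then   ' same test the original script uses
        PasswordExpiryText = "Domain sets no maximum password age"
    Else
        dblMaxDays = Abs(LargeIntToDouble(objMaxPwdAge)) / TICKS_PER_SECOND / SECONDS_IN_DAY
        intDaysLeft = Int((dtmLastSet + dblMaxDays) - Now)
        If intDaysLeft < 0 Then
            PasswordExpiryText = "Password has expired"
        Else
            PasswordExpiryText = "Password expires in " & intDaysLeft & " days (" & DateValue(dtmLastSet + dblMaxDays) & ")"
        End If
    End If
End Function
Echo PasswordExpiryText()   ' BgInfo's output call; use WScript.Echo under cscript
```

This reflects the domain-wide maximum password age only; a fine-grained password policy applied to the user is not taken into account.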