Active Directory Password Expiration Date

Question

This is somewhat connected to this post, which I didn't want to pollute.

Active Directory user password expiration date .NET/OU Group Policy

Like the OP in that thread, I'm trying to get the password expiration date of a given AD UserName via code; however the attribute maxPwdAge referred in the thread above is not available when I tried to get all the available properties like this:

            PropertyCollection fields = myLDAP.Properties;

            foreach (String ldapField in fields.PropertyNames)
            {
                // cycle through objects in each field e.g. group membership  
                // (for many fields there will only be one object such as name)  

                foreach (Object myCollection in fields[ldapField])
                    Console.WriteLine(String.Format("{0,-20} : {1}",
                                  ldapField, myCollection.ToString()));
            }

Even Microsoft's ADExplorer didn't show a password expiration date.

But when I try this command prompt command:

net user thatuser /DOMAIN

it displays Password Expiration Date.

My questions are:

1. Why don't I see maxPwdAge as an attribute
2. Where does the net user command get the Password Expiration Date from and how can I obtain it in C# code?

Right now I'm testing this with a Console Application; while testing this, it was discovered that there isn't .Net 4.0 installed on the target machine, so I'm stuck with .Net 3.5

I'm not a server admin, so I don't know the configuration details of the server. I'm new to this AD LDAP, so please help. Thank you.

Answer 1

maxPwdAge defines how long a password can be valid for, not when it expires.

It is a property set at group level, not a user property.

What you are interested in is probably maxPwdAge + pwdLastSet.

(pwdLastSet is a user property)

Answer 2

In one of my projects, I had to read maxPwdAge from the domain object and add that value to the lastPwdSet property of the user.