In my ASP.NET MVC (C#) project I must learn whether a user's password is expired or not. I found some answers about that on the internet but they weren't useful for me.

The first way is to use maxpwdage + pwdlastset = password expiry date, and the second solution is to use the useraccountcontrol attribute to learn whether it is expired or not. If this attribute's value is 8389120, the user's password is expired.

Although the user's password is expired in AD, the useraccountcontrol value is still 512. I tried to do it with maxpwdage + pwdlastset but I couldn't see an attribute like maxpwdage (I got the users as an administrator).

Active Directory user password expiration date .NET/OU Group Policy (first way)

https://support.microsoft.com/en-us/kb/305144 (second way)

Neither of them works, for the reasons that I mentioned above.

Are there any other ways to do this, or how can I see the value of the maxpwdage attribute?

EDIT: I am getting the user I want from here:

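    // Bind to the OU with the service account's credentials.
    DirectoryEntry dEntry = new DirectoryEntry(
        "LDAP://a.b.c:123/OU=d, DC=e, DC=f",
        this.GetAdUserName(),
        this.GetAdUserPassword());
    DirectorySearcher directorySearcher = new DirectorySearcher(dEntry);
    directorySearcher.Asynchronous = true;
    directorySearcher.CacheResults = true;
    // identificationNumber goes into the filter unescaped; LDAP filter
    // metacharacters in it (* ( ) \ NUL) should be escaped per RFC 4515.
    directorySearcher.Filter = "(&(sAMaccountName=" + identificationNumber + "))";
    // The result carries only attributes held on the user object.
    SearchResult user = directorySearcher.FindOne();
    return user;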

I am checking the user's properties but I couldn't find the maxpwdage property.

Uygar Kahraman

1 Answer

You can use TimeSpan, which represents a time interval. Then all you need to do is compare today's date with the expiry date.

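// passwordLastChanged (DateTime) and iMaxPwdAge (days) must already be known.
DateTime expireDate = passwordLastChanged.AddDays(iMaxPwdAge);
TimeSpan ts = expireDate - DateTime.Now;
int iDaysTilExpired = ts.Days; // whole days left; below zero means expired
WriteLogMessage("Days til password expires:" + iDaysTilExpired);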

There is also a good example; I changed some parts for my project and it works for me.

Edit :

You can use the attribute msDS-UserPasswordExpiryTimeComputed to get the user's password expiration date.

and also

The 'maxPwdAge' attribute is held on the domainDNS class (the root of the directory) as it is part of policy. It is not held on the user object. If you are using .NET 2.0, you can get this easily:

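// Requires: using System.DirectoryServices;
//           using System.DirectoryServices.ActiveDirectory;
using (DirectoryEntry domain = Domain.GetCurrentDomain().GetDirectoryEntry())
{
    DirectorySearcher ds = new DirectorySearcher(
        domain,
        "(objectClass=*)",
        null,
        SearchScope.Base
        );

    SearchResult sr = ds.FindOne();

    TimeSpan maxPwdAge = TimeSpan.MinValue;

    if (sr.Properties.Contains("maxPwdAge"))
    {
        // Stored as a negative count of 100 ns intervals. 0 and long.MinValue
        // are treated as "never expires", so TimeSpan.MinValue is kept for those.
        long raw = (long)sr.Properties["maxPwdAge"][0];
        if (raw != 0 && raw != long.MinValue)
            maxPwdAge = TimeSpan.FromTicks(raw).Duration();
    }
}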

Edit 2 :

Here is a full example you can use:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.DirectoryServices;

namespace LDAP
{
    class Program
    {
        static void Main(string[] args)
        {
            string domainAndUsername = string.Empty;
            string domain = string.Empty;
            string userName = string.Empty;
            string passWord = string.Empty;
            AuthenticationTypes at = AuthenticationTypes.Anonymous;
            StringBuilder sb = new StringBuilder();

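            domain = @"LDAP://w.x.y.z";
            // Every piece containing "\," must be a verbatim (@) string;
            // in a regular literal "\," is an invalid escape sequence.
            domainAndUsername = @"LDAP://w.x.y.z/cn=Lawrence E."+
                        @" Smithmier\, Jr.,cn=Users,dc=corp,"+
                        "dc=productiveedge,dc=com";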
            userName = "Administrator";
            passWord = "xxxpasswordxxx";
            at = AuthenticationTypes.Secure;

            DirectoryEntry entry = new DirectoryEntry(
                        domain, userName, passWord, at);

            DirectorySearcher mySearcher = new DirectorySearcher(entry);

            SearchResultCollection results;
            string filter = "maxPwdAge=*";
            mySearcher.Filter = filter;

            results = mySearcher.FindAll();
            long maxDays = 0;
            if(results.Count>=1)
            {
                // maxPwdAge is a negative count of 100 ns intervals;
                // 864000000000 of them make one day.
                Int64 maxPwdAge=(Int64)results[0].Properties["maxPwdAge"][0];
                maxDays = maxPwdAge/-864000000000;
            }

            DirectoryEntry entryUser = new DirectoryEntry(
                        domainAndUsername, userName, passWord, at);
            mySearcher = new DirectorySearcher(entryUser);

            results = mySearcher.FindAll();
            long daysLeft=0;
            if (results.Count >= 1)
            {
                // pwdLastSet is a Windows file time (100 ns intervals since 1601 UTC).
                var lastChanged = results[0].Properties["pwdLastSet"][0];
                daysLeft = maxDays - DateTime.Today.Subtract(
                        DateTime.FromFileTime((long)lastChanged)).Days;
            }
            Console.WriteLine(
                        String.Format("You must change your password within"+
                                      " {0} days"
                                     , daysLeft));
            Console.ReadLine();
        }
    }
}
goGud
  • I don't know expireDate. Problem is that – Uygar Kahraman Apr 10 '15 at 11:34
  • Thanks for your help. I did exactly what you said but I still can't see maxPwdAge in the 14 properties. – Uygar Kahraman Apr 10 '15 at 12:05
  • @UygarKahraman Please give more information. Is there any error? At which step did you fail? Why can't you see it? Are you using administrator privileges? – goGud Apr 10 '15 at 12:07
  • I am not getting any error or exception. I must determine the expiry date and redirect the user whose password has expired to the 'ChangePassword page'. To do this I must learn whether his/her password is expired or not, and to do this I must use the maxpwdage property. I have admin privileges, I am getting the user I want and I am looking at this user's properties. MaxPwdAge isn't in these properties. That's the problem – Uygar Kahraman Apr 10 '15 at 12:13
  • Then why don't you filter the user with **"maxPwdAge=*"**? – goGud Apr 10 '15 at 12:31
  • When I use the filter "maxpwdage=*", the number of elements of the user is 0 because there is no property named maxpwdage to filter on – Uygar Kahraman Apr 10 '15 at 12:34
  • @UygarKahraman What about my full example? Did you test it? It should work, at least for me it does. – goGud Apr 10 '15 at 12:35
  • Thanks for it. I tried it but the result is the same :\ no result was returned because maxpwdage is not in the properties. – Uygar Kahraman Apr 10 '15 at 12:36
  • So you have another problem; you need to go deeper. Because filtering on maxPwdAge should give the expiration date of the password – goGud Apr 10 '15 at 12:37
  • You are right, bro. If I succeed I will edit my question. Thanks for your help again. – Uygar Kahraman Apr 10 '15 at 12:39
  • I was about to upvote until I saw that the code from "Edit 2" was copied verbatim, without attribution, from [another answer](http://stackoverflow.com/a/4181487/1248365)! – Adi Inbar May 20 '15 at 18:28
  • @AdiInbar The code in "Edit 2" is from social.msdn, not stackoverflow. Actually I didn't check it until you gave the link for stackoverflow. Please upvote the other answer, which is older. – goGud May 20 '15 at 21:11
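
Added example (not part of the original question, answer or comments): reading the msDS-UserPasswordExpiryTimeComputed attribute that the answer mentions and interpreting its two sentinel values, with the account name escaped before it goes into the LDAP filter. The class and method names are hypothetical; searchRoot is assumed to be an already-bound DirectoryEntry such as the one built in the question, on a domain controller that exposes this attribute.

```csharp
using System;
using System.DirectoryServices;
using System.Text;
static class PasswordExpiryCheck   // hypothetical helper name
{
    const string ExpiryAttr = "msDS-UserPasswordExpiryTimeComputed";
    // Escape a value for an LDAP search filter (RFC 4515) so that input such as
    // "*" or ")(" cannot change which entries the filter matches.
    static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        return sb.ToString();
    }

    // Interpret the raw attribute: long.MaxValue (0x7FFFFFFFFFFFFFFF) means the
    // password never expires, 0 means it must be changed now (pwdLastSet is 0),
    // anything else is the expiry instant as a Windows file time.
    public static bool IsExpired(long raw, DateTime utcNow)
    {
        if (raw == long.MaxValue) return false;
        if (raw == 0) return true;
        return DateTime.FromFileTimeUtc(raw) <= utcNow;
    }

    public static bool IsExpired(DirectoryEntry searchRoot, string samAccountName)
    {
        using (var searcher = new DirectorySearcher(searchRoot))
        {
            searcher.Filter = "(&(objectClass=user)(sAMAccountName="
                              + EscapeFilterValue(samAccountName) + "))";
            searcher.PropertiesToLoad.Add(ExpiryAttr); // constructed: must be requested by name
            SearchResult user = searcher.FindOne();
            if (user == null || !user.Properties.Contains(ExpiryAttr))
                throw new InvalidOperationException("User or attribute not found");
            return IsExpired((long)user.Properties[ExpiryAttr][0], DateTime.UtcNow);
        }
    }
}
```

Because the domain controller computes this value from the user's own pwdLastSet and the effective password policy, the caller does not need to read maxPwdAge from the domain object at all.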