
I have created a (PowerShell) wizard to guide a user through the process of (remotely) joining their computer to the domain. The script runs under the login of the (standard) local administrator and queries AD and joins the computer (Add-Computer) using the credentials of the user concerned. The user has explicit permissions on one or more specific AD computer accounts to join that computer to the domain (he is not a domain administrator).

Everything works fine, but for new hires the password is set to "User must change password at next logon". Whenever I query something in AD using the credentials of a user whose password is expired, I always get a general error: "unknown user name or bad password."

How can I determine that the password is expired from the account itself (not using any other accounts) so that I can prompt for a password change?

Is this possible at all? (How does the Windows OS do this at logon?)

This question is not the same as How can I query users with an expired password in Active Directory? because in this scenario, you have another account available to query AD.

iRon

1 Answer


Found this, but unable to test at this point: `Get-ADUser $env:UserName -properties PasswordExpired, PasswordNeverExpires, PasswordLastSet`

EDIT: As you mentioned, you cannot query AD, as you are running under a local admin account which is not part of AD and you do not have an AD account to query password expiration for the account you are testing.

This seems by design, for new hires you'd need to devise a way to make the password expire after a certain time, instead of upon first logon.

Vincent De Smet
  • Vincent, this is exactly what I am _not_ looking for. As explained, the wizard runs under the local administrator account, `$env:UserName` cannot log on as the computer is not joined yet and his password is expired. And if you do something like `Get-ADUser "User001" -Credential $User001Credential -properties PasswordExpired, PasswordNeverExpires, PasswordLastSet`, you get **Get-ADUser : Either the target name is incorrect or the server has rejected the client credentials.** when the user's own password is set to _"User must change password at the next logon"_ – iRon Jun 02 '15 at 07:55
  • I see, I guess when you use `Get-Credential` cmdlet to get $user001Credential, the pop-up doesn't query AD to verify credentials (and notify about expiry) either? – Vincent De Smet Jun 02 '15 at 08:05
  • Nope, as far as I can determine, `Get-Credential` doesn't access AD at all. – iRon Jun 03 '15 at 09:10
  • not sure if you figured this out yet, but wouldn't this SO question solve your issue then? http://stackoverflow.com/questions/10802850/validating-powershell-pscredential – Vincent De Smet Jun 08 '15 at 04:13
  • Unfortunately the [ValidateCredentials](https://msdn.microsoft.com/en-us/library/bb154889(v=vs.110).aspx) method, only returns a Boolean value that specifies whether the specified username and password are valid (no details whether the password is expired or not). – iRon Jun 09 '15 at 13:38
  • I guess it's by design for security reasons (kind of makes sense, if you're not authorized to access AD, you shouldn't be able to retrieve information such as if the account you're trying to break actually exists) – Vincent De Smet Jun 10 '15 at 04:09
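An added example, not code from the question, the answer or the comments above, that bears on the question of telling "must change password" apart from "bad password" using nothing but the user's own credentials: when an LDAP simple bind against an AD domain controller is rejected, the server's diagnostic message carries the underlying Win32 error code in hex after the word `data` (`52e` = ERROR_LOGON_FAILURE 1326, `773` = ERROR_PASSWORD_MUST_CHANGE 1907, `532` = ERROR_PASSWORD_EXPIRED 1330, and so on), which is more than the Boolean `ValidateCredentials` discussed in the comments returns. The server name `dc01.corp.example` and the credential prompt are placeholders; the only requirements are network reach to a DC on the LDAPS port and `System.DirectoryServices.Protocols`, which ships with .NET on Windows. A simple bind sends the password in the clear, so the connection is forced onto TLS.

```powershell
# Added example (not part of the original post): classify a failed LDAP simple bind
# so that an expired or must-change password is distinguishable from a wrong one.
# Assumptions: the DC name is a placeholder; port 636 (LDAPS) is reachable.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Win32 error codes AD reports as "data <hex>" in the bind diagnostic message
$BindErrorCodes = @{
    '525' = 'NoSuchUser'          # ERROR_NO_SUCH_USER (1317)
    '52e' = 'BadPassword'         # ERROR_LOGON_FAILURE (1326)
    '530' = 'LogonHours'          # ERROR_INVALID_LOGON_HOURS (1328)
    '531' = 'Workstation'         # ERROR_INVALID_WORKSTATION (1329)
    '532' = 'PasswordExpired'     # ERROR_PASSWORD_EXPIRED (1330)
    '533' = 'AccountDisabled'     # ERROR_ACCOUNT_DISABLED (1331)
    '701' = 'AccountExpired'      # ERROR_ACCOUNT_EXPIRED (1793)
    '773' = 'MustChangePassword'  # ERROR_PASSWORD_MUST_CHANGE (1907)
    '775' = 'LockedOut'           # ERROR_ACCOUNT_LOCKED_OUT (1909)
}

function Test-ADBindStatus {
    param(
        [Parameter(Mandatory)][string]$Server,          # placeholder, e.g. dc01.corp.example
        [Parameter(Mandatory)][pscredential]$Credential, # DOMAIN\user or user@domain
        [int]$Port = 636
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # never simple-bind in the clear
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    try {
        $conn.Bind($Credential.GetNetworkCredential())
        return 'OK'
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # AD's diagnostic looks like:
        # "80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 773, v2580"
        $msg = $_.Exception.ServerErrorMessage
        if ($msg -match 'data ([0-9a-f]+)') {
            $code = $Matches[1]
            if ($BindErrorCodes.ContainsKey($code)) { return $BindErrorCodes[$code] }
            return "Unknown($code)"
        }
        throw   # no diagnostic at all (TLS failure, DC unreachable, ...): let the caller see it
    }
    finally {
        $conn.Dispose()
    }
}

# Usage inside the wizard: ask for the user's own credentials, then branch on the result.
$cred = Get-Credential -Message 'Enter your domain credentials'
switch (Test-ADBindStatus -Server 'dc01.corp.example' -Credential $cred) {
    'OK'                 { Write-Host 'Credentials valid; continue with Add-Computer.' }
    'MustChangePassword' { Write-Host 'Password must be changed before first use; prompt for a new one.' }
    'PasswordExpired'    { Write-Host 'Password has expired; prompt for a new one.' }
    'BadPassword'        { Write-Host 'Wrong user name or password.' }
    default              { Write-Host "Logon refused: $_" }
}
```

Because the bind is refused, no directory data is read; the function only interprets the reason the DC gives for refusing, which is the same distinction Windows makes at the logon screen (it shows a "must change password" dialog instead of "bad password" based on the matching NTSTATUS/Win32 code). The codes are reported as-is, so an account that does not exist is also distinguishable from one with a wrong password; if that leak matters in your environment, collapse `NoSuchUser` and `BadPassword` into one message before showing it to the user. The actual password change once `MustChangePassword` comes back is a separate step and is not shown here.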