I have my application set up to query AD for the logged-in user's information, so I can take the last password set date and calculate when the user's password will expire. This feature runs fine under my ID, but when an average (non-admin) user logs in, the ADUser information indicates that the user cannot change their password.
Any idea why? The code I am using is here...
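''' <summary>
''' Looks up the current Windows user in the domain and reports how many days
''' remain before the password expires, based on the last password-set date.
''' </summary>
''' <param name="Days">
''' Set to -1 on entry. When the result is adResults.OK it receives
''' PWD_EXPIRE_DAYS minus the whole days elapsed since the password was last set, minus 1.
''' </param>
''' <returns>
''' adResults.OK when Days was calculated; adResults.ERROR (with exError set) when the
''' account is not found or has no password-set date; otherwise the adResults value
''' naming the reason no expiry applies.
''' </returns>
Public Function GetDaysToExpire(ByRef Days As Integer) As adResults
    Dim RC As adResults
    Days = -1

    '== No credentials are passed to PrincipalContext, so the directory is queried
    '== as the account running this process.
    '== Using disposes both objects on every path. The original called adUser.Dispose()
    '== unconditionally, which throws NullReferenceException when the user is not found.
    Using pc As New PrincipalContext(DirectoryServices.AccountManagement.ContextType.Domain)
        Using adUser As UserPrincipal = UserPrincipal.FindByIdentity(pc, Environment.UserName)
            If adUser Is Nothing Then
                exError = New Exception("User Account " & Environment.UserName & " not found")
                RC = adResults.ERROR

            '== If a password change is never necessary or not possible
            '== NOTE(review): these flags are whatever the directory returns to the calling
            '== account; a less-privileged caller may not be able to read everything they
            '== are derived from, so verify the results under a standard user - TODO confirm.
            ElseIf adUser.PasswordNeverExpires Then
                RC = adResults.PWD_DOES_NOT_EXPIRE '== This is the value returned
            ElseIf adUser.PasswordNotRequired Then
                RC = adResults.PWD_NOT_REQUIRED
            ElseIf adUser.UserCannotChangePassword Then
                RC = adResults.PWD_USER_CANNOT_CHANGE
            Else
                '== LastPasswordSet is Nullable; it has no value when no password-set date
                '== is recorded. Report that as an error instead of throwing on the conversion.
                Dim lastSet As Date? = adUser.LastPasswordSet
                If Not lastSet.HasValue Then
                    exError = New Exception("User Account " & Environment.UserName & " has no password-set date")
                    RC = adResults.ERROR
                Else
                    '== LastPasswordSet is reported in UTC, so compare against UtcNow
                    '== rather than local time to avoid a skew around the day boundary.
                    Dim elapsedDays As Integer = CInt(DateDiff(DateInterval.Day, lastSet.Value, Date.UtcNow))

                    '== NOTE(review): PWD_EXPIRE_DAYS is defined outside this block; if it is a
                    '== fixed constant it can drift from the domain's maximum password age or a
                    '== fine-grained password policy - verify against the directory.
                    Days = PWD_EXPIRE_DAYS - elapsedDays - 1
                    RC = adResults.OK
                End If
            End If
        End Using
    End Using

    Return RC
End Function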