2 Replies Latest reply on Oct 4, 2010 11:11 AM by keyman

    Password Expiration In Active Directory


      Is there a way to tell when a password is expired (or if it's already expired) in Active Directory using cfldap or ColdFusion?
      Also, is there a way for a user to modify their own AD password through CF?

        • 1. Re: Password Expiration In Active Directory
          Michael Level 1
          1. There is an attribute "accountExpires" that contains a timestamp in the number of milliseconds from Jan 1, 1970. Also, check out "userAccountControl". That attribute also controls if an account is disabled or not. I don't remember, however, if it changes when an account is expired. That would be easy enough to test, however.

          2. Yes, but it requires installing an SSL cert on the CF server and using secured LDAP. Also, you have to convert the password value to Unicode. The attribute is "unicodePwd". I have not done this because I use an easier method.

          Use CFEXECUTE to run the "net user" command. You can use that command to set a domain account's password. The main requirement is that your CF service must be running as a domain account. That same domain account must also be a member of the Account Operators domain group. (Or, at least, have permissions to change a user's password.)
          • 2. Re: Password Expiration In Active Directory

            I am retrieving the accountExpires field from an AD table. In another article I've read that this value is the number of 100's of nanoseconds since 1/1/1601.


            I can't get a correct date using either combination of dates / values mentioned in this thread. For one thing, CF integers can't accept this double word value, but it would seem possible to use the high-order half of the value only, as the low-order side consists of 9 zeros, uniformly for all rows. Has anyone retrieved/converted this date successfully, or could offer some suggestions?

            - keyman


            2 days later: Since posting the above, I have solved my problem, like this, FWIW:


            <!--- (accountexpires is an 18-digit field, of which the low-order 9 are all zeros).--->

            <cfset aa = left(accountexpires,9)/36>   <!---  hundreds of nanoseconds to hours --->
            <cfset bb = dateadd("h",(aa-24),"1601/01/01")>



            Message was edited by: keyman
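
The accountExpires conversion discussed in this thread, as an added example that is not part of any post: it is written in Python rather than CFML, works on the full integer instead of a digit slice, and handles the two values that mean "never expires" (0 and 9223372036854775807). The function names and the sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# accountExpires is a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 00:00:00 UTC, returned by LDAP as a decimal string.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Both values mean "the account never expires". The second one has 19
# digits, so any fixed-width digit slicing misreads it as a real date.
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def account_expires_to_datetime(raw):
    """Return the expiry as an aware UTC datetime, or None for 'never'."""
    ticks = int(str(raw).strip())
    if ticks < 0:
        raise ValueError("accountExpires must not be negative")
    if ticks in NEVER_EXPIRES:
        return None
    # 10 ticks per microsecond; integer maths keeps full precision.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def is_account_expired(raw, now=None):
    """True when the account has an expiry date and it is in the past."""
    expires = account_expires_to_datetime(raw)
    if expires is None:
        return False
    return expires <= (now or datetime.now(timezone.utc))


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    for sample in ("129306240000000000", "0", "9223372036854775807"):
        print(sample, "->", account_expires_to_datetime(sample))
```

The returned datetime is in UTC; convert it to the domain's local time zone before comparing it with a date shown in an administrative tool.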