Jump to content


Photo

Persistent zero day expiration


  • Please log in to reply
3 replies to this topic

#1 sdwc

sdwc

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 24 September 2014 - 02:02 AM

Hi,

I am currently evaluation PEN and so far it seems to do what it advertises however I have one minor issue I need cleared up before committing to purchase.

I have had it installed and working for a couple of weeks now and a report is generated and sent to me a 3.00am each morning with a list of expiring passwords. This list includes user names and the number of days remaining before their passwords expire. I have one user that was listed with a password expiry "in 0 days" in the first generated report along with a couple of other users also expiring in 0 days. Two weeks later that same user is still listed in my daily reports as having her password expiring in 0 days even though her password has been changed. Any ideas on why this would happen.

Also, I just want to confirm whether the templates for emails sent to users can be changed or can this only be done in the licensed version.

Thanks in advance,

SDWC

#2 jeffb

jeffb

    Advanced Member

  • Administrators
  • PipPipPip
  • 378 posts
  • Gender:Male

Posted 24 September 2014 - 01:18 PM

SDWC,

If you are using the Trial version of Password Expiration that version has free phone and email based support so it is not necessary to post on these forums unless you are using the freeware version. I just wanted to make sure you knew that. Anyways, what the product does is check the pwdLastSet attribute for a user in order to determine if their password has been reset and then just does the math current day - pwdLastSet and then subtracts that value from the domains password reset policy. So if her account is incorrectly showing 0 days until password reset then the pwdLastSet value in AD on at least one of the domain controllers is incorrectly showing an old date.

In regards to the templates they are modifiable in the trial and full paid versions but not modifiable in the freeware version.

-Jeff

#3 sdwc

sdwc

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 25 September 2014 - 12:35 AM

SDWC,

If you are using the Trial version of Password Expiration that version has free phone and email based support so it is not necessary to post on these forums unless you are using the freeware version. I just wanted to make sure you knew that. Anyways, what the product does is check the pwdLastSet attribute for a user in order to determine if their password has been reset and then just does the math current day - pwdLastSet and then subtracts that value from the domains password reset policy. So if her account is incorrectly showing 0 days until password reset then the pwdLastSet value in AD on at least one of the domain controllers is incorrectly showing an old date.

In regards to the templates they are modifiable in the trial and full paid versions but not modifiable in the freeware version.

-Jeff


Thanks Jeff.

I retrieved the pwdlastset information for the user on both domain controllers and it shows a date from 60 days ago. This is interesting as GPO has maximum password age significantly less than 60 days.

This is obviously not an issue with PEN but thanks anyway.

BTW I am using the free version with the view to buy the fully licensed version. However, I have just been told you no longer sell the Password Expiration Notifier as a standalone solution and that it is now part of Netwrix Auditor for Active Directory. Unfortunately this may be overkill for me.

SDWC


#4 jeffb

jeffb

    Advanced Member

  • Administrators
  • PipPipPip
  • 378 posts
  • Gender:Male

Posted 26 September 2014 - 11:58 AM

SDWC,

If you are speaking with a sales rep let them know. Maybe they can work something out with you.

-Jeff




0 user(s) are reading this topic

0 members, guests, anonymous users