3 replies to this topic

[pmcx]

Hello

 

I just installed the free version of PEN.  I have 3 AD controllers that are on a 2012 servers.

 

When I first installed this, I generated a report of users with passwords that expire within 5 days.  Everything looked good.

I enabled the program to send the emails out.  PEN sent an email to everyone in my company.  I had 50+ users get an email saying ” Your password for account "X" expires in 0 day(s).”   These are users that had passwords that were not expiring

I verified this by running net user “user” /domain and looking at password expires date.

 

I disabled the sending of emails and set the program to email the daily report to myself on accounts with passwords expiring in 5 days.  After a couple of days the report looked correct.  I enabled the program to send emails again for users and had several valid users show up with expiring passwords. 

 

I checked a few of the names on each AD controller and all of their net use “user” /domain information matched up correctly. 

 

I am not sure why the software is generating false reports of expired passwords.

Does this software have an issue with 2012 AD servers?

The software is installed on a 2008r2 server but my AD controllers are 2012.

 

Thanks

Patrick

 

[jeffb]

Patrick,

 

The logic used to generate the admin report with password expiration is the same logic that determines if an email should be sent.  Although the paid version and the freeware version are technically different this logic shouldn't have changed in 6 or so years.  PEN just grabs the pwdlastset variable and subtracts that date from the current date based on the maxpasswordage set on the domain.  Other than the current date, the pwdlastset and maxpasswordage come directly from the "most available" domain controller and that DC which is being used should be in the tracing (install directory tracing folder).

 

-Jeff

[pmcx]

I looked in the logs located in C:\Program Files (x86)\Netwrix\Netwrix Password Expiration Notifier\Tracing

I looked at :

69067583-4fff-4b80-a866-75aafd54a1cdpen.txt

76317536-42dd-4bc2-a06f-3dfa0bd6de14pen.txt

pen.txt

 

I don't see anything like you are mentioning. 

What exact log file should I look for and what information should I look at or provide?

 

I also checked my users on all 3 domains - I verified this by running net user “user” /domain and looking at password expires date.

I am getting users daily who are not set to reset their password until the end of October / November.

 

For example

This is a user that has shown up on my report or received an email every day this week

Password last set            9/6/2016 7:38:55 AM
Password expires             11/5/2016 7:38:55 AM
Password changeable          9/7/2016 7:38:55 AM
Password required            Yes
User may change password     Yes

 

 

I noticed a different post, having the same issue, did not see that information in their log. 

There appears to be multiple posts with this issue

 

Again:

I am not sure why the software is generating false reports of expired passwords.

Does this software have an issue with 2012 AD servers?

The software is installed on a 2008r2 server but my AD controllers are 2012

 

I can try switching to the trial edition of the paid version and contacting support.  We wanted to try this out first as our evaluation.  There is no point in moving forward with the software if I cant get this feature to work.

[pmcx]

I don't see that I or others are going to get further help on this.  I am not going to waste my time on testing this or  the full product.  I will look for other products