11 replies to this topic

[TechOps]

I've been trialling the free version installed on a Windows 7 workstation against our Windows Server 2012 R2 domain controller, however the daily administrator e-mails have started alerting me with "passwords about to expire" which don't even appear a manually run report from within the configuration app.

 

For example, this morning's automated e-mail told me of a single user who's password is supposedly expiring in 3 days.

 

However, if I run the administrator report from the client station, it shows me 3 completely different users (no mention of the one from the automated e-mail) with passwords expiring in 12, 13, and 14 days respectively.  Something is VERY wrong with the functionality of this application.

[Kirill K]

Hi there,

 

Password Expiration Notification(PEN) operates with pretty simple algorithm, it is getting the following values of Active Directory:

1. Pwd-Last-Set attribute(pwdLastSet)

2. Maximum password age

3. E-mail-Addresses attribute(mail)

 

Then PEN calculates when the password is expired in by the following formula:

Maximum password age - (current day - pwdLastSet)

 

I do not think something wrong with PEN, maybe the password has been changed for that user before you run the report or you changed some settings of PEN.

[TechOps]

-snip- Replaced by next post. Could not delete.  :/

[TechOps]

Hi there,

 

Password Expiration Notification(PEN) operates with pretty simple algorithm, it is getting the following values of Active Directory:

1. Pwd-Last-Set attribute(pwdLastSet)

2. Maximum password age

3. E-mail-Addresses attribute(mail)

 

Then PEN calculates when the password is expired in by the following formula:

Maximum password age - (current day - pwdLastSet)

 

I do not think something wrong with PEN, maybe the password has been changed for that user before you run the report or you changed some settings of PEN.

 

Hi Kirill,

 

Settings are as follows:

 

Enable Password Expiration Notifier - Checked

Send reports to administrators - Checked

List users who accounts or passwords expire in days or less - 14

 

Advanced - Configure:

Include data on expiring accounts in reports - Checked

Ignore users with "Change password at next logon" option enabled - Checked

Ignore users with "Password never expires" option enabled - Checked

Ignore users who do not have email accounts - Checked

Ignore users whose passwords have already expired - Checked

Specify the account that will be used for data collection from the managed domain - Checked

 

This however still does not explain why the list of accounts in the automated e-mail would so wildly differ from the list in the manually generated report.

 

For example, today's automated e-mail listed 3 accounts with expiry in 2, 4, and 4 days respectively.  However a freshly generated manual report lists 3 entirely different accounts with expiry in 11, 12, and 12 days respectively.  None of the accounts in one list are also in the other list.

[TechOps]

Further update - a user who was not previously appearing on the Daily Administrative e-mail, and I had to reset their password yesterday (remote webmail only user).

 

Today, they've showed up on the report with their password supposedly expiring in 4 days.

 

Something is fundamentally broken with this application.

[Kirill K]

I am pretty sure something wrong with your end environment, check the 'pwdLastSet' attribute on all domain controllers and ensure that value is the same. 

[TechOps]

The PwdLastSet value is reporting the same on both domain controllers using the following PowerShell code:

 

$searcher=New-Object DirectoryServices.DirectorySearcher
$searcher.Filter="(&(samaccountname=_username_))"
$results=$searcher.findone()
[datetime]::fromfiletime($results.properties.pwdlastset[0])

 

Value being reported is February 26, 2019 9:37:00 AM

 

This user appeared once more on today's daily e-mail saying the password expires in 3 days.
 

[Kirill K]

DirectorySearcher.FindOne Method

Executes the search and returns only the first entry that is found.

https://docs.microso...framework-4.7.2

[TechOps]

I ran the PowerShell script by hand on each of the 2 domain controllers.  If you've a preferred method by which to gather the attribute's value, please let me know.

[Kirill K]

There are two domain controllers and I do not think it is big deal to check manually each one:

1. RDP > ADUC > User Account properties > Attribute Editor > pwdLastSet value

2. ADUC > connect first DC, then second  > User Account properties > Attribute Editor > pwdLastSet value

[TechOps]

Both domain controllers show the same value in the Attribute Editor as well.

 

A new example where both DCs show the same value is an account which had it's password changed on Feb. 27, but was listed on e-mails over the weekend and finally this morning with 0 days remaining.

[TechOps]

Another instance - user just showed up on the list this morning, reporting 4 days until password expires.  Check PwdLastSet attribute on both domain controllers through ADUC - 2019-Mar-06 12:21:49 PM MST.