Free Version - Expiration dates horribly wrong


11 replies to this topic

#1 TechOps

    Newbie

  • Members
  • 8 posts

Posted 07 February 2019 - 05:49 PM

I've been trialling the free version installed on a Windows 7 workstation against our Windows Server 2012 R2 domain controller, however the daily administrator e-mails have started alerting me with "passwords about to expire" which don't even appear in a manually run report from within the configuration app.

 

For example, this morning's automated e-mail told me of a single user whose password is supposedly expiring in 3 days.

 

However, if I run the administrator report from the client station, it shows me 3 completely different users (no mention of the one from the automated e-mail) with passwords expiring in 12, 13, and 14 days respectively.  Something is VERY wrong with the functionality of this application.



#2 Kirill K

    Advanced Member

  • Administrators
  • 114 posts
  • Gender:Male

Posted 07 February 2019 - 08:44 PM

Hi there,

 

Password Expiration Notification (PEN) operates with a pretty simple algorithm. It gets the following values from Active Directory:

1. Pwd-Last-Set attribute (pwdLastSet)

2. Maximum password age

3. E-mail-Addresses attribute (mail)

Then PEN calculates when the password expires using the following formula:

Maximum password age - (current day - pwdLastSet)

I do not think something is wrong with PEN; maybe the password was changed for that user before you ran the report, or you changed some settings of PEN.


Best regards,
Forum Engineer
 


#3 TechOps


Posted 08 February 2019 - 06:37 PM

-snip- Replaced by next post. Could not delete.  :/



#4 TechOps


Posted 12 February 2019 - 11:59 PM

Hi there,

 

Password Expiration Notification (PEN) operates with a pretty simple algorithm. It gets the following values from Active Directory:

1. Pwd-Last-Set attribute (pwdLastSet)

2. Maximum password age

3. E-mail-Addresses attribute (mail)

Then PEN calculates when the password expires using the following formula:

Maximum password age - (current day - pwdLastSet)

I do not think something is wrong with PEN; maybe the password was changed for that user before you ran the report, or you changed some settings of PEN.

 

Hi Kirill,

 

Settings are as follows:

 

Enable Password Expiration Notifier - Checked

Send reports to administrators - Checked

List users whose accounts or passwords expire in days or less - 14

 

Advanced - Configure:

Include data on expiring accounts in reports - Checked

Ignore users with "Change password at next logon" option enabled - Checked

Ignore users with "Password never expires" option enabled - Checked

Ignore users who do not have email accounts - Checked

Ignore users whose passwords have already expired - Checked

Specify the account that will be used for data collection from the managed domain - Checked

 

This however still does not explain why the list of accounts in the automated e-mail would so wildly differ from the list in the manually generated report.

 

For example, today's automated e-mail listed 3 accounts with expiry in 2, 4, and 4 days respectively.  However a freshly generated manual report lists 3 entirely different accounts with expiry in 11, 12, and 12 days respectively.  None of the accounts in one list are also in the other list.



#5 TechOps


Posted 27 February 2019 - 04:41 PM

Further update - a user who was not previously appearing on the Daily Administrative e-mail, and I had to reset their password yesterday (remote webmail only user).

 

Today, they've shown up on the report with their password supposedly expiring in 4 days.

 

Something is fundamentally broken with this application.



#6 Kirill K


Posted 28 February 2019 - 07:41 AM

I am pretty sure something is wrong with your end environment; check the 'pwdLastSet' attribute on all domain controllers and ensure that the value is the same.


Best regards,
Forum Engineer
 


#7 TechOps


Posted 28 February 2019 - 05:51 PM

The PwdLastSet value is reporting the same on both domain controllers using the following PowerShell code:

 

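# Search the directory for the account (replace _username_ with the sAMAccountName)
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(samaccountname=_username_))"
# FindOne() returns only the first matching entry
$results = $searcher.FindOne()
# pwdLastSet is stored as a Windows FILETIME; convert it to a local DateTime
[datetime]::FromFileTime($results.Properties.pwdlastset[0])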

 

Value being reported is February 26, 2019 9:37:00 AM

 

This user appeared once more on today's daily e-mail saying the password expires in 3 days.
 



#8 Kirill K


Posted 28 February 2019 - 07:07 PM

DirectorySearcher.FindOne Method
Executes the search and returns only the first entry that is found.

Best regards,
Forum Engineer
 


#9 TechOps


Posted 28 February 2019 - 08:16 PM

I ran the PowerShell script by hand on each of the 2 domain controllers.  If you've a preferred method by which to gather the attribute's value, please let me know.



#10 Kirill K


Posted 01 March 2019 - 09:48 AM

There are two domain controllers and I do not think it is a big deal to check each one manually:

1. RDP > ADUC > User Account properties > Attribute Editor > pwdLastSet value

2. ADUC > connect first DC, then second > User Account properties > Attribute Editor > pwdLastSet value


Best regards,
Forum Engineer
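
Added example, not part of the thread and not the vendor's code: one way to read pwdLastSet from every domain controller explicitly and apply the formula quoted earlier in the thread (maximum password age minus the time since pwdLastSet). It assumes the RSAT ActiveDirectory module is installed; the account name `jdoe` is a hypothetical placeholder.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$sam = 'jdoe'   # hypothetical sAMAccountName; substitute the account under investigation

# Domain-wide maximum password age as a TimeSpan (zero means passwords never expire).
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$now    = Get-Date

foreach ($dc in Get-ADDomainController -Filter *) {
    # -Server pins the query to this DC instead of whichever one the locator picks.
    $u = Get-ADUser -Identity $sam -Server $dc.HostName `
            -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed'

    $row = [ordered]@{
        DC                 = $dc.HostName
        PwdLastSet         = $null
        DaysLeftByFormula  = $null
        ExpiryComputedByAD = $null
    }

    # pwdLastSet = 0 means "must change password at next logon"; skip the formula then.
    if ($u.pwdLastSet -gt 0 -and $maxAge.Ticks -gt 0) {
        $set = [datetime]::FromFileTime($u.pwdLastSet)
        $row.PwdLastSet = $set
        # Formula from the thread: maximum password age - (now - pwdLastSet)
        $row.DaysLeftByFormula = [math]::Floor(($maxAge - ($now - $set)).TotalDays)
    }

    # Constructed attribute: the expiry time the DC itself computes, which also
    # reflects a fine-grained password policy if one applies to the user.
    # Int64.MaxValue means the password never expires.
    $exp = $u.'msDS-UserPasswordExpiryTimeComputed'
    if ($exp -gt 0 -and $exp -lt [int64]::MaxValue) {
        $row.ExpiryComputedByAD = [datetime]::FromFileTime($exp)
    }

    [pscustomobject]$row
}
```

One row is emitted per domain controller, so a replication difference in pwdLastSet or a gap between the formula result and the directory's own computed expiry shows up side by side.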
 


#11 TechOps


Posted 04 March 2019 - 06:25 PM

Both domain controllers show the same value in the Attribute Editor as well.

 

A new example where both DCs show the same value is an account which had its password changed on Feb. 27, but was listed on e-mails over the weekend and finally this morning with 0 days remaining.



#12 TechOps


Posted 07 March 2019 - 04:47 PM

Another instance - user just showed up on the list this morning, reporting 4 days until password expires.  Check PwdLastSet attribute on both domain controllers through ADUC - 2019-Mar-06 12:21:49 PM MST.





