Pwdlastset attribute not updating


In a perfectly natural comparative leap, I remembered the moldy bread incident as I began pondering a post about using LDAP queries for account maintenance.

It is as important to keep your directory in order as it is your pantry in order to avoid nastiness.

Because we're interested in a particular cutoff point, let's define our date value of interest as April 5, 2010.

We want to find any accounts with a lastLogon value older than that date (i.e., a stale, moldy-bread account).

Attributes like userAccountControl store properties as bitwise flags: the state of a particular flag (one bit in the sequence of bits) indicates the state of that particular property.

First, we need to select some properties that we want to query.

Using the last example as a reference, our query becomes:

(&(objectCategory=person)(objectClass=user)(lastLogonTimestamp<=129149208000000000))

pwdLastSet

We can look for accounts that haven't had the password changed since April 5, 2010 using the following query. A value of 0 in this attribute generally means the account is configured to require a password change at next logon (provided the account is not also set so that the password never expires).

As a result, we have to use the NOT operator:

(&(objectCategory=person)(objectClass=user)(&(pwdLastSet<=129149208000000000)(!


This is a good practice for managing vendor accounts where access may be needed on a regular basis (e.g.

Below are five commonly referenced values when managing accounts, taken from the MSDN library document referenced earlier.

Note that in the MSDN document, the attribute-id is 1.2.840.113556.1.4.8; this will be important in a moment.

Because we don't have any other filtering taking place, this will show all user accounts, including disabled accounts, or accounts in an expired state.

lastLogonTimestamp

The query here is similar to the one above, but is based on the replicated version of the value.

Perhaps the easiest is PowerShell though:

PS> [datetime]::FromFileTime("XXXXXXXXXXXXXXXXXX")

With those two commands, you can freely convert back and forth between the types.
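The pieces above (FILETIME cutoffs, the stale-account filters, the pwdLastSet NOT clause, and the userAccountControl bit flags) worked through as an added example in Python; this is not code from the original post. The closing of the NOT clause, (!(pwdLastSet=0)), is my reading of the truncated filter, and the flag names are the documented userAccountControl bit values.

```python
# Added example (not from the original post): build the stale-account LDAP
# filters from a datetime cutoff, convert FILETIME values both ways (the
# [datetime]::FromFileTime step), and decode bitwise userAccountControl flags.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Commonly used userAccountControl bit values (attribute-id 1.2.840.113556.1.4.8)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

def to_filetime(dt: datetime) -> int:
    """Timezone-aware datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ft: int) -> datetime:
    """Windows FILETIME -> UTC datetime (inverse of to_filetime)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def stale_filter(attr: str, cutoff: datetime) -> str:
    """Users whose timestamp attribute (lastLogon or lastLogonTimestamp) is at or before cutoff."""
    return f"(&(objectCategory=person)(objectClass=user)({attr}<={to_filetime(cutoff)}))"

def stale_password_filter(cutoff: datetime) -> str:
    """Same for pwdLastSet, but the NOT clause drops pwdLastSet=0 (must change
    password at next logon), which would otherwise match every cutoff."""
    ft = to_filetime(cutoff)
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(&(pwdLastSet<={ft})(!(pwdLastSet=0))))")

def decode_uac(value: int) -> list[str]:
    """Names of the known userAccountControl bits set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

if __name__ == "__main__":
    # The post's cutoff 129149208000000000 decodes to 2010-04-05 06:00 UTC,
    # i.e. midnight on April 5, 2010 in a UTC-6 zone.
    cutoff = from_filetime(129149208000000000)
    print(cutoff.isoformat())
    print(stale_filter("lastLogonTimestamp", cutoff))
    print(stale_password_filter(cutoff))
    # Constructed value: a disabled normal account whose password never expires.
    print(decode_uac(0x10202))
```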
