
Getting User must change password at next logon with C#


Rajiv Sharma

Jan 6, 2003, 10:02:41 AM
Hi,

I've written some code in C# which creates user accounts in Active
Directory.
It was my intention to create a user account and then set the "User
must change password at next logon" account property to true. This is
straightforward enough in code. What is causing me headaches though is
that I want to be able
to query this property on a user account in C# and so far I have no
ideas on how to proceed. Can anyone help?


Thanks in Advance
Rajiv Sharma

Joe Kaplan

Jan 6, 2003, 10:29:39 AM
You need to use the DirectorySearcher and specify an LDAP filter that has
the correct syntax to perform a bitwise OR comparison against the
userAccountControl attribute. Here is the link to the documentation that
explains how to do the comparison. The example is for group type, but it
should be straightforward to modify.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/how_to_specify_comparison_values.asp?frame=true

Cheers,

Joe K.

"Rajiv Sharma" <rajiv....@unitech.net> wrote in message
news:66954675.03010...@posting.google.com...

Joe Richards [MVP]

Jan 6, 2003, 7:24:25 PM
That function is set by setting pwdLastSet to 0. So you simply need to query
AD and look for any user objects that have a pwdlastset value of 0.

LDAP Query: (&(objectcategory=person)(objectclass=user)(pwdlastset=0))

--
Joe Richards
www.joeware.net
---

"Rajiv Sharma" <rajiv....@unitech.net> wrote in message
news:66954675.03010...@posting.google.com...

Joe Kaplan

Jan 6, 2003, 10:26:40 PM
Doh! I got this wrong in my post. I thought that setting was determined by
userAccountControl. However, just out of curiosity, do you need to check
the value of "password never expires" before you can assume that
pwdLastSet=0 means "user must change password at next login" or does that
query always work?

Thanks,

Joe K.

"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message
news:eUFrjNetCHA.2492@TK2MSFTNGP11...

Rajiv Sharma

Jan 7, 2003, 7:39:10 AM
OK guys thanks very much for your help, that LDAP query did the trick
for me.
Interestingly I noticed that when the "User must change password
at next logon" is set on an AD user account that if you query the
PasswordLastChanged property of the DirectoryEntry.NativeObject it
always returns a date of {1/1/1601}. I've pasted this code in below,
but I am fairly certain that it is probably an unsafe approach to take
to solving the problem and the LDAP query you came up with is far
better. What do you think?

Many Thanks again
Rajiv Sharma


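using System;
using System.DirectoryServices;
using ActiveDs; // COM interop for the Active DS Type Library (IADsUser)

public bool UserMustChangePasswordOnNextLogonUNSAFE(string DomainName,
    string Username)
{
    bool mustchange = false;

    // FindUser is the poster's own helper (not shown in this post).
    SearchResultCollection results = FindUser(DomainName, Username);

    // Guard against an empty result set as well as null before indexing.
    if (results != null && results.Count > 0)
    {
        DirectoryEntry myDE = results[0].GetDirectoryEntry();
        IADsUser userAcct = (IADsUser) myDE.NativeObject;

        // Do the spurious date comparison !!!
        DateTime adInternalDate = new DateTime(1601, 1, 1);
        if (userAcct.PasswordLastChanged == adInternalDate)
        {
            mustchange = true;
        }
    }

    return mustchange;
}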


"Joe Kaplan" <ilearnedthi...@noway.com> wrote in message news:<e91uRyftCHA.2300@TK2MSFTNGP11>...

Joe Kaplan

Jan 7, 2003, 10:35:37 AM
I am going to make a guess that the PasswordLastChanged property on IADsUser
is just accessing pwdLastSet and converting it to a date object. The value
0 for a LargeInteger format date corresponds to 1 Jan 1601 12:00:00 AM. So
my guess is that the comparison is essentially the same, but it would be
more direct just to read the attribute value.

The ToFileTime and FromFileTime methods on the DateTime structure in .NET can
be used to process these values.

I hope that helps. Someone please correct me if I got this wrong.

Joe K.
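
The approach the replies above converge on (search for the account, read pwdLastSet directly, treat 0 as "must change password at next logon"), written out as an added C# example that is not code from any poster in this thread. The class and method names and the ldapPath value are assumptions; the user name is escaped per RFC 4515 before it is placed in the LDAP filter.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

public static class PwdLastSetCheck
{
    // Escape a value for use inside an LDAP filter (RFC 4515) so a user name
    // containing *, (, ), \ or NUL cannot change the meaning of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Returns true/false from pwdLastSet, or null when the account is not
    // found or the attribute was not returned (for example, no read access).
    // ldapPath is an assumed placeholder such as "LDAP://DC=example,DC=com".
    public static bool? MustChangePassword(string ldapPath, string samAccountName)
    {
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(samAccountName) + "))";
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root, filter, new[] { "pwdLastSet" }))
        {
            SearchResult result = searcher.FindOne();
            if (result == null || !result.Properties.Contains("pwdLastSet"))
                return null;
            // DirectorySearcher returns large-integer attributes as Int64.
            long raw = (long)result.Properties["pwdLastSet"][0];
            // 0 is the FILETIME epoch, which is why ADSI reports 1/1/1601.
            Console.WriteLine("pwdLastSet = {0} ({1:u})", raw, DateTime.FromFileTimeUtc(raw));
            return raw == 0;
        }
    }
}
```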

Joe Richards [MVP]

Jan 7, 2003, 8:08:55 PM

1/1/1601 is the value zero in the 64 bit int date style.

Joe Richards [MVP]

Jan 7, 2003, 8:09:23 PM

If pwdlastset is 0 it means someone has checked that box for sure.

--
Joe Richards
www.joeware.net
---

"Joe Kaplan" <ilearnedthi...@noway.com> wrote in message
news:e91uRyftCHA.2300@TK2MSFTNGP11...

Rajiv Sharma

Jan 8, 2003, 5:19:43 AM
Great, thanks for all your help guys.


Rajiv


"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message news:<ezI#QKrtCHA.2304@TK2MSFTNGP12>...
