Negative PSO attribute values
When you use ADSI Edit to create Password Settings objects (PSOs), enter the values of the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) in d:hh:mm:ss format.
When you use the ldifde command to create PSOs, you must enter the values of these attributes in I8 format, which stores time in the intervals of -100 nanoseconds. (Schema: attributeSyntax = 2.5.5.16 (I8).) Windows Server 2003 Default Domain Policy employs this exact time unit for its corresponding time-related attributes. To set these attributes to appropriate values, convert time values in minutes, hours, or days to time values in the intervals of 100 nanoseconds, and then precede the resultant values with a negative sign.
You can use the following conversion guide and multiplication factors to obtain the corresponding I8 values.
Time unit | Multiplication factor |
m minutes | -60*(10^7) = - 600000000 |
h hours | -60*60* (10^7) = -36000000000 |
d days | -24*60*60*(10^7) = -864000000000 |
For example, if you want to set the msDS-MaximumPasswordAge to 10 days, multiply 10 by -864000000000 and apply the resulting I8 value to the msDS-MaximumPasswordAge attribute (in this example, -8640000000000). If you want to set msDS-LockoutDuration to 30 minutes, multiply 30 by -600000000 to get the corresponding I8 value (in this example, -18000000000).
PSO attributes referential integrity
Consider the following information when you create new PSOs:
-
The value of msDS-MinimumPasswordAge must be smaller than or equal to the value of msDS-MaximumPasswordAge.
-
The value of msDS-LockoutObservationWindow cannot be smaller than the value of msDS-LockoutDuration.
-
The value of msDS-MaximumPasswordAge cannot be set to zero.