Reading User Account Password Attributes
Microsoft® Windows® 2000 Scripting Guide
A number of password attributes control how users are able to manage their passwords. Reading the password attributes of user accounts is useful for identifying potential security holes; for example, a script can determine which users have not reset their passwords in the past 30 days.
Note
- You can make the regular changing of passwords a domain-wide requirement by configuring a password policy setting in a GPO linked to the domain. Domain-level password attributes apply to all user accounts in the domain.
Password attributes that are part of each Active Directory user account object can be viewed and, in some cases, configured by using scripts. Table 7.5 shows the password attributes contained in each Active Directory user account object.

Table 7.5 Password Attributes in Each User Account

| Attribute Name | User Account Setting | Data Type |
|---|---|---|
| pwdLastSet | Password Last Changed | Large Integer/Date Time |
| userAccountControl | Password Required | Integer: ADS_UF_PASSWD_NOTREQD flag, value 0x0020 |
| userAccountControl | Cannot Change Password | Integer: ADS_UF_PASSWD_CANT_CHANGE flag, value 0x0040 |
| userAccountControl | Password Never Expires | Integer: ADS_UF_DONT_EXPIRE_PASSWD flag, value 0x10000 |
| userAccountControl | Store password using reversible encryption | Integer: ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag, value 0x0080 |
| userAccountControl | Password Expired | Integer: ADS_UF_PASSWORD_EXPIRED flag, value 0x800000 |
All password attributes appearing in Table 7.5 are stored in the userAccountControl attribute of a user object except for the pwdLastSet attribute. The userAccountControl attribute is a 4-byte (32-bit) data structure that contains flags for configuring other user account settings, such as the flag that controls whether a user account is enabled or disabled.
The userAccountControl attribute is an integer in which each bit of the value represents a unique setting. This type of integer is called a bit field. Because each bit in a bit field represents a different setting, examining the integer's value as a whole number is of little use; you must examine the individual bit that corresponds to the setting you are interested in reading.
To help you identify which bit to check, programming libraries such as ADSI often include predefined constants that map the bits in a bit field to friendly names. The constants serve as bit masks, each of which is used to test whether certain bits are set in the bit field.
The set of constants that represent bit masks for properties of the userAccountControl attribute is included in the ADS_USER_FLAG_ENUM enumeration. An enumeration in this context is simply one or more constants grouped together according to their usage. The specific constant that represents a user account's Password never expires option is ADS_UF_DONT_EXPIRE_PASSWD, which is defined as 0x10000, or &h10000 in VBScript.
For example, to determine whether a user account's password expires, you examine the state (1 or 0) of the ADS_UF_DONT_EXPIRE_PASSWD bit in the userAccountControl attribute. To accomplish this task, you must first read the userAccountControl attribute from the user account object; this attribute contains this and other settings. Then you use the bitwise AND operator together with the setting's bit mask to extract the corresponding bit from the bit field.
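As an added example (not from the Scripting Guide), the following VBScript binds to one user through the LDAP provider, reads userAccountControl, and applies the bitwise And test to the three password flags that the LDAP provider actually stores in that attribute. The distinguished name is an assumed placeholder; replace it with a real user's distinguishedName. The two remaining flags from Table 7.5, ADS_UF_PASSWD_CANT_CHANGE and ADS_UF_PASSWORD_EXPIRED, are not reflected in the LDAP userAccountControl value and must be read from other attributes, so testing them here would always report False.

```vbscript
' Added example, not part of the Scripting Guide. Reads the userAccountControl
' bit field of one user and tests the password-related bits with bitwise And.
Option Explicit

' Constants from ADS_USER_FLAG_ENUM (VBScript has no enum, so redeclare them).
Const ADS_UF_PASSWD_NOTREQD                  = &H20
Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &H80
Const ADS_UF_DONT_EXPIRE_PASSWD              = &H10000
' Also in the enumeration, but not exposed through the LDAP userAccountControl
' value (see Table 7.6); listed here only so the mask values are in one place.
Const ADS_UF_PASSWD_CANT_CHANGE              = &H40
Const ADS_UF_PASSWORD_EXPIRED                = &H800000

' Assumed placeholder DN; replace with a real user's distinguishedName.
Const USER_PATH = "LDAP://cn=Ken Myer,ou=Management,dc=fabrikam,dc=com"

Dim objUser, intUAC
Set objUser = GetObject(USER_PATH)
intUAC = objUser.Get("userAccountControl")

WScript.Echo "User: " & objUser.Get("sAMAccountName")
WScript.Echo "userAccountControl = " & intUAC & " (&H" & Hex(intUAC) & ")"
' Each of these three settings weakens the password requirement for the account,
' which is why they are the ones worth auditing.
WScript.Echo "  Password not required (blank password allowed): " & _
    FlagIsSet(intUAC, ADS_UF_PASSWD_NOTREQD)
WScript.Echo "  Password never expires:                         " & _
    FlagIsSet(intUAC, ADS_UF_DONT_EXPIRE_PASSWD)
WScript.Echo "  Stored with reversible encryption:              " & _
    FlagIsSet(intUAC, ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)

' Bitwise And with the mask leaves only the bit of interest. Comparing the
' result to the mask (rather than testing for <> 0) keeps the test correct
' for masks that cover more than one bit. Returns True when every bit in
' intMask is set in intField.
Function FlagIsSet(intField, intMask)
    FlagIsSet = ((intField And intMask) = intMask)
End Function
```

The same test can be pushed to the directory instead of being done per account: an LDAP filter such as `(userAccountControl:1.2.840.113556.1.4.803:=65536)` uses the LDAP_MATCHING_RULE_BIT_AND matching rule to return only accounts whose ADS_UF_DONT_EXPIRE_PASSWD bit (0x10000 = 65536) is set.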
Most of the password-related flags in the userAccountControl attribute can be displayed by reading the integer value of the attribute returned by the LDAP provider and IADs. Other password flags require alternative methods. Table 7.6 lists password flags in the userAccountControl attribute and the attributes that contain values corresponding to these flags.
Table 7.6 Flags in userAccountControl and Attributes to Read Using ADSI

| Setting | Flag | Attribute to Read |
|---|---|---|
| Password Required | ADS_UF_PASSWD_NOTREQD | userAccountControl |
| Password Never Expires | ADS_UF_DONT_EXPIRE_PASSWD | userAccountControl |
| Store password using reversible encryption | ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED | userAccountControl |
| The password has expired | ADS_UF_PASSWORD_EXPIRED | userFlags |
| User cannot change password | ADS_UF_PASSWD_CANT_CHANGE | nTSecurityDescriptor |
The pwdLastSet attribute is a large integer. When it is read through IADs::Get, it is returned as an IADsLargeInteger object whose HighPart and LowPart properties must be combined and converted before the value is readable as a date. The IADsUser interface (available from the LDAP provider) exposes the same value in readable form through its PasswordLastChanged property.
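The following added example (not from the Scripting Guide) turns the 30-day check mentioned at the start of this section into a script. It enumerates every user in the domain with an ADO query against the LDAP provider, converts the raw pwdLastSet large integer to a date by hand so that the conversion is visible, and also prints the IADsUser.PasswordLastChanged property, which returns the same instant as a local-time Date. The 30-day threshold and the output wording are assumptions.

```vbscript
' Added example, not part of the Scripting Guide. Lists users whose password
' was last set more than 30 days ago, reading pwdLastSet in two ways.
Option Explicit

Const MAX_PASSWORD_AGE_DAYS = 30            ' Assumed threshold
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim objRootDSE, strDomainDN, objConnection, objCommand, objRecordSet
Dim objUser, objLI, dtmPwdLastSet, intAge, intUAC

' Resolve the domain naming context instead of hard-coding it.
Set objRootDSE = GetObject("LDAP://rootDSE")
strDomainDN = objRootDSE.Get("defaultNamingContext")

' ADO query through the ADsDSOObject provider: every user object, ADsPath only,
' so each account can then be bound with GetObject and read via IADs/IADsUser.
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = "<LDAP://" & strDomainDN & ">;" & _
    "(&(objectCategory=person)(objectClass=user));ADsPath;subtree"
objCommand.Properties("Page Size") = 1000   ' paged results for large domains
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
    Set objUser = GetObject(objRecordSet.Fields("ADsPath").Value)
    intUAC = objUser.Get("userAccountControl")

    ' IADs::Get returns pwdLastSet as an IADsLargeInteger (HighPart/LowPart).
    Set objLI = objUser.Get("pwdLastSet")
    If objLI.HighPart = 0 And objLI.LowPart = 0 Then
        ' pwdLastSet = 0 means "user must change password at next logon";
        ' PasswordLastChanged raises an error for such accounts, so skip it.
        WScript.Echo objUser.Get("sAMAccountName") & _
            ": password change required at next logon"
    Else
        dtmPwdLastSet = LargeIntegerToDate(objLI)
        ' dtmPwdLastSet is UTC and Now is local time; the few hours of skew
        ' do not matter at a 30-day threshold.
        intAge = DateDiff("d", dtmPwdLastSet, Now)
        If intAge > MAX_PASSWORD_AGE_DAYS Then
            WScript.Echo objUser.Get("sAMAccountName") & ": last set " & _
                dtmPwdLastSet & " UTC (" & intAge & " days ago); " & _
                "IADsUser.PasswordLastChanged reports " & objUser.PasswordLastChanged
            If (intUAC And ADS_UF_DONT_EXPIRE_PASSWD) = ADS_UF_DONT_EXPIRE_PASSWD Then
                WScript.Echo "    (Password never expires is set, so domain " & _
                    "policy will not force a change)"
            End If
        End If
    End If
    objRecordSet.MoveNext
Loop
objConnection.Close

' Convert an IADsLargeInteger holding a Windows FILETIME (100-nanosecond
' intervals since 1 January 1601 UTC) to a VBScript Date in UTC.
Function LargeIntegerToDate(objLargeInt)
    Dim lngHigh, lngLow, dblIntervals
    lngHigh = objLargeInt.HighPart
    lngLow  = objLargeInt.LowPart
    ' LowPart comes back as a signed 32-bit value. When it is negative the true
    ' unsigned value is LowPart + 2^32, which is the same as borrowing one
    ' from HighPart.
    If lngLow < 0 Then lngHigh = lngHigh + 1
    dblIntervals = CDbl(lngHigh) * 4294967296 + lngLow
    ' 864,000,000,000 intervals in one day; Date + Double yields a Date.
    LargeIntegerToDate = CDate(#1/1/1601# + dblIntervals / 864000000000)
End Function
```

Accounts with Password never expires set are worth listing separately in a review, since a domain-level maximum password age does not apply to them; the script flags that case on the same line so the two findings are not confused.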