Export (0) Print
Expand All
1 out of 3 rated this helpful - Rate this topic

Reading User Account Password Attributes

Microsoft® Windows® 2000 Scripting Guide

A number of password attributes affect how users are able to manage their passwords. Reading password attributes of user accounts is useful for identifying potential security holes. For example, a script can help you determine which users have not reset their passwords in the past 30 days.

Note

  • You can make the regular changing of passwords a domain-wide requirement by configuring a password policy setting in a GPO linked to the domain. Domain-level password attributes apply to all user accounts in the domain.

Password attributes in each user account object appear in Table 7.5.

Table 7.5 Password Attributes in Each User Account

Attribute Name

User Account Setting

Data Type

pwdLastSet

Password Last Changed

Large Integer/Date Time

userAccountControl

Password Required

Integer: ADS_UF_PASSWD_NOTREQD flag

Value: 0x0020

userAccountControl

Cannot Change Password

Integer: ADS_UF_PASSWD_CANT_CHANGE flag

Value: 0x0040

userAccountControl

Password Never Expires

Integer: ADS_UF_DONT_EXPIRE_PASSWD flag

Value: 0x10000

userAccountControl

Store password using reversible encryption

Integer: ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag

Value: 0x0080

userAccountControl

Password Expired

Integer: ADS_UF_PASSWORD_EXPIRED flag

Value: 0x80000

Password attributes that are part of each Active Directory user account object can be viewed and, in some cases, configured by using scripts. Table 7.5 shows password attributes contained in each Active Directory user account object.

All password attributes appearing in Table 7.5 are stored in the userAccountControl attribute of a user object except for the pwdLastSet attribute. The userAccountControl attribute is a 4-byte (32-bit) data structure that contains flags for configuring other user account settings, such as the flag that controls whether a user account is enabled or disabled.

The userAccountControl is a type of integer wherein each bit in its value represents a unique setting. This type of integer is called a bit field. Because each bit in a bit field represents a different setting, simply examining the integers value as a whole number is of little use. You must examine the individual bit that corresponds to the setting you are interested in reading.

To help you identify which bit to check, programming libraries such as ADSI often include predefined constants that map the bits in a bit field to friendly names. The constants serve as bit masks, each of which is used to test whether certain bits are set in the bit field.

The set of constants that represent bit masks for properties of the userAccountControl attribute is included in the ADS_USER_FLAG_ENUM enumeration. An enumeration in this context is simply one or more constants grouped together according to their usage. The specific constant that represents a user accounts Password never expires option is ADS_UF_DONT_EXPIRE_PASSWD, which is defined as 0x10000, or &h10000 in VBScript.

For example, to determine whether a user account expires, you examine the state (1 or 0) of the ADS_UF_DONT_EXPIRE_PASSWD bit in the userAccountControl attribute. To accomplish this task, you must first read the userAccountControl attribute from a user account object. This attribute contains this and other settings. Then, you use the bitwise AND operator along with the settings bit mask to extract the corresponding bit values from the bit field.

Values of the Flags in the userAccountControl Attribute

Most of the password-related flags in the userAccountControl attribute can be displayed by reading the integer value of the attribute returned by the LDAP provider and IADs. Other password flags require alternative methods. Table 7.6 lists password flags in the userAccountControl attribute and the attributes that contain values corresponding to these flags.

Table 7.6 Flags in userAccountControl and Attributes to Read Using ADSI

Setting

Flag

Attribute to Read

Password Required

ADS_UF_PASSWD_NOTREQD

userAccountControl

Password Never Expires

ADS_UF_DONT_EXPIRE_PASSWD

userAccountControl

Store password using reversible encryption

ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED

userAccountControl

The password has expired

ADS_UF_PASSWORD_EXPIRED

userFlags

User cannot change password

ADS_UF_PASSWD_CANT_CHANGE

nTSecurityDescriptor

The pwdLastSet attribute is a large integer and does not appear in an easily readable format when IADs is used. Therefore, use the IADsUser interface (accessible from the LDAP provider) to display this value.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.