Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2011-02-13) When Will The Password Expire For An AD User Account And What Happens Then?

Posted by Jorge on 2011-02-13


A few weeks ago I was discussing an issue with a colleague he experienced at his customer. The issue was about password expiration and I thought it was also worth to post the technical parts of the discussion. As you may know, Windows itself, will warn you during logon (Windows XP) or right after logon in the notification area (Windows Vista and Windows 7).

If you log on interactively while your password is already expired, the system will force you to change the password before allowing you to continue to logon.

However, what would happen and what is the impact if:

  1. you logon interactively while your password is still valid (i.e. not expired), AND
  2. you are warned by Windows your password will expire within one day (optional if configured!), AND
  3. you ignore that and do not change the password (depends on [2]), AND
  4. your password expires a few hours after logging on (e.g. 3 hours) and before logging off again.

The universal IT answer to that is: "it depends!". Seriously, it really depends on the authentication protocol being used when accessing a resource, while your password has expired previously.

One of the users at my colleague’s customer experienced the following, after the previous 4 steps:

  • Drive mappings still worked;
  • Outlook still worked;
  • Access to the internet did not work, and the user was prompted to provide credentials again.

After some research, the first two (Microsoft systems) used Kerberos as the authentication protocol and the last one (non-Microsoft system) used NTLM as the authentication protocol. Detailed information about the Kerberos authentication protocol can be found here and here and here. Detailed information about the NTLM authentication protocol can be found here and here.

A very very very high-level overview of both authentication mechanisms can also be read here in this post I wrote once.

To make it more easy to understand, I will provide some high-level information (but with more depth than the previous post) when using either authentication protocol to access a resource. Windows will always try to use Kerberos first and if that is not possible it will fallback to NTLM.

The version of accessing a resource with the Kerberos authentication protocol, can be found here.

In short, when resources are accessed through the Kerberos authentication protocol…. If your password expires after you have logged on, you will be able to access resources through the Kerberos authentication protocol for as long as the TGT renewal period has not ended. As soon as the TGT renewal period has ended, you will be prompted to provide credentials, and depending on the resource (e.g. Exchange) you may get the possibility to change your password on the fly.

The version of accessing a resource with the NTLM authentication protocol, can be found here.

In short, when resources are accessed through the NTLM authentication protocol…. If your password expires after you have logged on, you will be NOT able to access resources through the NTLM authentication protocol. As soon as the password expires, you will be prompted to provide credentials, and depending on the resource (e.g. Exchange) you may get the possibility to change your password on the fly.

So, the moral of the story is: "change the password as soon as you are warned it is going to expire"!

Another solution would be to scan for expiring passwords and notify the user through e-mail to change his/her password and if needed in addition force the user to change the password at next logon earlier than the password expires. This can be accomplished quite easily with the correct tools, and if you are using FIM 2010, it is also quite easy to accomplish. Watch out for an upcoming blog post from me on how to do that using FIM 2010!

If you want to do this by using a custom made script (e.g. VBScript, PowerShell), then the complexity of logic in the script depends on whether or not you are using Password Settings Objects (PSO). For more information about PSOs, click here and here.

Below, I will explain the logic of what the script should do according to my opinion. A free unsupported tool that can do just the mailing part can be found here.

Before continuing, lets define the password lifecycle timeline as shown in the picture below.

image

[‘A’] When NOT using PSOs, just the password settings in the default domain GPO
(Also see a similar article about this on MSDN:
How Long Until My Password Expires?)

  • Retrieve a list of user accounts that match the following criteria:
    • User accounts, AND –> (objectCategory=person)(objectClass=user)
    • Enabled, AND –> (!(userAccountControl:1.2.840.113556.1.4.803:=2))
    • Password will expire, AND –> (!(userAccountControl:1.2.840.113556.1.4.803:=65536))
    • Mailbox/mail-enabled –> (mail=*)
  • Read the maximum password age "maxPwdAge" from the domain NC. If set to 0 (zero) then stop processing as then passwords will not expire for any AD user account;
  • Define a warn period in days which is the number of days before the password expiration date;
  • For each AD user account in the list:
    • Retrieve the "pwdLastSet" attribute;
    • Calculate the password expiration date by adding the maximum password age to the password last set date;
    • Calculate the warn period starting date by extracting the warn period from the password expiration date;
    • Based upon the calculated information, perform the following action(s):
      • [1]
        • Send an e-mail if TODAY (or NOW) falls after the warn period starting date AND before the password expiration date
      • OR
      • [2]
        • Send an e-mail if TODAY (or NOW) falls after the warn period starting date AND before one day before the password expiration date
          AND
        • Configure the AD user account with ‘change password at next logon’ if TODAY (or NOW) falls within one day before the password expiration date
      • OR
      • [3]
        • Configure the AD user account with ‘change password at next logon’ if TODAY (or NOW) falls within one day before the password expiration date

[‘B’] When using PSOs incl. the password settings in the default domain GPO

  • Retrieve a list of user accounts that match the following criteria:
    • User accounts, AND –> (objectCategory=person)(objectClass=user)
    • Enabled, AND –> (!(userAccountControl:1.2.840.113556.1.4.803:=2))
    • Password will expire, AND –> (!(userAccountControl:1.2.840.113556.1.4.803:=65536))
    • Mailbox/mail-enabled –> (mail=*)
  • Define a warn period in days which is the number of days before the password expiration date;
  • For each AD user account in the list:
    • Retrieve the value of the "pwdLastSet" attribute;
    • Retrieve the value of the "msDS-ResultantPSO" attribute (constructed attribute);
    • Logic around retrieved from "msDS-ResultantPSO" attribute:
      • If no value (<NOT SET>) exists in the attribute, read the maximum password age "maxPwdAge" from the domain NC. If set to 0 (zero) then stop processing as then passwords will not expire for this AD user account;
      • If a value (distinguished Name of PSO) exists in the attribute, read the maximum password age "msDS-MaximumPasswordAge" from the PSO object. If set to 0 (zero) then stop processing as then passwords will not expire for this AD user account;
    • Calculate the password expiration date by adding the maximum password age to the password last set date;
    • Calculate the warn period starting date by extracting the warn period from the password expiration date;
    • Based upon the calculated information, perform the following action(s):
      • [1]
        • Send an e-mail if TODAY (or NOW) falls after the warn period starting date AND before the password expiration date
      • OR
      • [2]
        • Send an e-mail if TODAY (or NOW) falls after the warn period starting date AND before one day before the password expiration date
          AND
        • Configure the AD user account with ‘change password at next logon’ if TODAY (or NOW) falls within one day before the password expiration date
      • OR
      • [3]
        • Configure the AD user account with ‘change password at next logon’ if TODAY (or NOW) falls within one day before the password expiration date

As you can see, script [‘B’] is a lot more complex because of the usage of PSOs. It becomes more complex because you cannot query for a list of AD user accounts and retrieve the resultant PSO, but rather you need to query for a list of users and then for each user individually query for the resultant PSO. Either way, as soon as you know which resultant PSO is being used by that AD user account, you need to query the resultant PSO for the maximum password age. Because multiple accounts may use the same resultant PSO, that same PSO will be queried multiple times for the same information. You could enhance this by querying all PSOs and retrieve the maximum password age and "cache" it somewhere and the use the cache to retrieve the maximum password age to calculate the password expiration date.

Whatever script you use ([‘A’] or [‘B’]), you can schedule as task that executes the script at midnight. The configuration of the AD user account with ‘change password at next logon’ should only occur for those AD user accounts for which the password will expire in the next 23 hours. This way, as soon as the user logs on, he/she will be forced immediately to change it in the morning. This could lower the impact when a user is able to access resources through the Kerberos authN protocol, but not through the NTLM authN protocol, when the password expires after the user logs on and ignores the warning message which states the user should change the password because it will expire soon.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

5 Responses to “(2011-02-13) When Will The Password Expire For An AD User Account And What Happens Then?”

  1. […] (2011-02-13) When Will The Password Expire For An AD User Account And What Happens Then? […]

  2. […] (2011-02-13) When Will The Password Expire For An AD User Account And What Happens Then? […]

  3. […] (2011-02-13) When Will The Password Expire For An AD User Account And What Happens Then? […]

  4. […] Also see: (2011-02-13) When Will The Password Expire For An AD User Account And What Happens Then? […]

  5. […] Also see: (2011-02-13) When Will The Password Expire For An AD User Account And What Happens Then? […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: