
Getting accurate password expiry when a fine-grained password policy is in use.

Active Roles doesn't currently take fine-grained password policy into consideration when displaying the password expiry of a user.

As a workaround, you can add the 'msDS-UserPasswordExpiryTimeComputed' attribute to the web interface to replace the current password expiry; this constructed attribute is computed by the domain controller and already honours fine-grained password policy. Unfortunately, it only displays the date, so you lose the 'in ### days' text. To get that back, you can use the following script module.

function onPostGet($Request){
    if ($Request.Class -eq "user"){
        if ($Request.IsAttributeRequested("EDSVA-PasswordExpiryDays")){
            # Read the DC-computed expiry; it is a FILETIME (Int64, 100 ns ticks since 1601-01-01 UTC)
            $user = Get-QADUser $Request.Get('DistinguishedName') -DontUseDefaultIncludedProperties -IncludedProperties msDS-UserPasswordExpiryTimeComputed
            $rawExpiry = $user."msDS-UserPasswordExpiryTimeComputed"
            # 0x7FFFFFFFFFFFFFFF means the password never expires; [datetime]::FromFileTime() throws on it,
            # so handle that (and a missing value) before converting
            if ($null -eq $rawExpiry -or $rawExpiry -eq [long]::MaxValue){
                $Request.Put("EDSVA-PasswordExpiryDays", "never")
                return
            }
            # Whole days from now until the computed expiry
            $expiryDays = (New-TimeSpan -Start (Get-Date) -End ([datetime]::FromFileTime($rawExpiry))).Days
            $Request.Put("EDSVA-PasswordExpiryDays", "in $expiryDays days")
        }
    }
}

function onGetEffectivePolicy($Request)
{
    if ($Request.Class -eq "user"){
        # Mark the virtual attribute as auto-generated so the web interface renders it read-only
        $Request.SetEffectivePolicyInfo("EDSVA-PasswordExpiryDays", $Constants.EDS_EPI_UI_AUTO_GENERATED, $True)
    }
}

Steps:

  1. Create a new virtual attribute 'EDSVA-PasswordExpiryDays'
    1. DirectoryString
    2. Not stored
  2. Reconnect to the MMC.
  3. Perform IISReset so the new virtual attribute is available in the web interface.
  4. Create a new PowerShell script module of Policy type.
  5. Paste in the above script and save the script module.
  6. Create a new Policy object and add in a Script Execution policy, pointing it to the previously created script module.
    1. Link the policy to the top-level Active Directory node to have this apply everywhere in the managed domains.
  7. Log into the web interface as an Active Roles administrator.
    1. View the properties of a user object and customize the form.
    2. Add in the 'msDS-UserPasswordExpiryTimeComputed' attribute as the new Password Expires.
    3. Add in the 'EDSVA-PasswordExpiryDays' and name it Expires.
    4. Remove the existing Password Expires and move the new entries to the proper location in the form.
  8. Save the changes to the form.
  9. Reload the configuration.
  10. Enjoy.
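The date arithmetic behind the script module, pulled out into a standalone function so it can be checked on any machine without Active Roles or a directory connection. This is an added example, not part of the original post; the function name ConvertTo-PasswordExpiryText and the sample values are constructed, and it also covers the two sentinel values the domain controller returns for msDS-UserPasswordExpiryTimeComputed (0 and 0x7FFFFFFFFFFFFFFF) and already-expired passwords.

```powershell
# Added example (not from the original post): converts the raw Int64 of
# msDS-UserPasswordExpiryTimeComputed into the "in N days" text the virtual
# attribute displays. -Now is injectable so the result can be tested offline.
function ConvertTo-PasswordExpiryText {
    param(
        [Parameter(Mandatory)] [long] $ComputedExpiry,
        [datetime] $Now = (Get-Date)
    )
    # The DC returns two sentinels instead of a real FILETIME:
    #   0                -> pwdLastSet is 0, i.e. the user must change password at next logon
    #   [long]::MaxValue -> password never expires; [datetime]::FromFileTime() throws on this value
    if ($ComputedExpiry -eq 0)                { return "must change at next logon" }
    if ($ComputedExpiry -eq [long]::MaxValue) { return "never" }

    # FILETIME is UTC-based; FromFileTime converts it to local time, matching Get-Date
    $expiry = [datetime]::FromFileTime($ComputedExpiry)
    $days   = (New-TimeSpan -Start $Now -End $expiry).Days
    if ($days -lt 0) { return "expired $(-$days) days ago" }
    return "in $days days"
}

# Constructed sample values (not taken from a real directory); FILETIMEs are
# produced from a fixed reference date so the output is deterministic.
$now = Get-Date '2024-03-01T09:00:00'
$samples = @(
    @{ Label = 'expires in 12 days'; Value = ($now.AddDays(12)).ToFileTime() }
    @{ Label = 'expired 3 days ago'; Value = ($now.AddDays(-3)).ToFileTime() }
    @{ Label = 'never expires';      Value = [long]::MaxValue }
    @{ Label = 'must change';        Value = 0L }
)
foreach ($s in $samples) {
    '{0,-20} -> {1}' -f $s.Label, (ConvertTo-PasswordExpiryText -ComputedExpiry $s.Value -Now $now)
}
```

Running it prints one line per sample, which is a quick way to confirm the conversion before wiring the function body into the onPostGet handler.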