Active Roles doesn't currently take fine-grained password policies into consideration when displaying the password expiry of a user.
As a workaround, you can add the 'msDS-UserPasswordExpiryTimeComputed' attribute to the web interface to replace the current password expiry. Unfortunately, this displays only the date, and you lose the 'in ### days' text. To get that text back, you can use the following script module.
```powershell
function onPostGet($Request) {
    if ($Request.class -eq "user") {
        if ($Request.IsAttributeRequested("EDSVA-PasswordExpiryDays")) {
            # Read the computed expiry, which honors fine-grained password policies
            $user = Get-QADUser $Request.get('DistinguishedName') -DontUseDefaultIncludedProperties -IncludedProperties msDS-UserPasswordExpiryTimeComputed
            $fileTime = [Int64]$user."msDS-UserPasswordExpiryTimeComputed"

            # 0 (password must be changed at next logon) and Int64.MaxValue (password
            # never expires) are not real dates; FromFileTime throws on the latter
            if ($fileTime -gt 0 -and $fileTime -ne [Int64]::MaxValue) {
                $expiryDays = (New-TimeSpan -Start (Get-Date) -End ([datetime]::FromFileTime($fileTime))).Days
                $Request.Put("EDSVA-PasswordExpiryDays", "in $expiryDays days")
            }
        }
    }
}

function onGetEffectivePolicy($Request) {
    if ($Request.class -eq "user") {
        # Mark the virtual attribute as auto-generated in the UI
        $Request.SetEffectivePolicyInfo("EDSVA-PasswordExpiryDays", $Constants.EDS_EPI_UI_AUTO_GENERATED, $True)
    }
}
```
Steps:
- Create a new virtual attribute 'EDSVA-PasswordExpiryDays'
  - DirectoryString
  - Not stored
- Reconnect to the MMC.
- Perform IISReset so the new virtual attribute is available in the web interface.
- Create a new PowerShell script module of Policy type.
- Paste in the above script and save the script module.
- Create a new Policy object and add in a Script Execution policy, pointing it to the previously created script module.
- Link the policy to the top-level Active Directory node to have this apply everywhere in the managed domains.
- Log into the web interface as an Active Roles administrator.
- View the properties of a user object and customize the form.
- Add in the 'msDS-UserPasswordExpiryTimeComputed' attribute as the new Password Expires.
- Add in the 'EDSVA-PasswordExpiryDays' and name it Expires.
- Remove the existing Password Expires and move the new entries to the proper location in the form.
- Save the changes to the form.
- Reload the configuration.
- Enjoy.
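
To confirm that the values shown in the web interface match what Active Directory computes, the following added example (not part of the original article and not One Identity code) reads the same computed attribute directly, along with 'msDS-ResultantPSO', to show which fine-grained policy is in effect. It assumes the RSAT ActiveDirectory module is installed; the function names and the account name 'jdoe' are placeholders.

```powershell
# Added example: cross-check the expiry text against Active Directory.
# Assumes the RSAT ActiveDirectory module; function names are hypothetical.
Import-Module ActiveDirectory

function ConvertTo-ExpiryText {
    param([Int64]$FileTime, [datetime]$Now = (Get-Date))
    # Int64.MaxValue: the password never expires
    if ($FileTime -eq [Int64]::MaxValue) { return 'never' }
    # 0: pwdLastSet is 0, the user must change the password at next logon
    if ($FileTime -le 0) { return 'must change at next logon' }
    $days = (New-TimeSpan -Start $Now -End ([datetime]::FromFileTime($FileTime))).Days
    if ($days -lt 0) { return "expired $(-$days) days ago" }
    return "in $days days"
}

function Get-PasswordExpiryCheck {
    param([Parameter(Mandatory)][string]$Identity)
    $props = 'msDS-UserPasswordExpiryTimeComputed', 'msDS-ResultantPSO'
    $user  = Get-ADUser -Identity $Identity -Properties $props
    $raw   = [Int64]$user.'msDS-UserPasswordExpiryTimeComputed'
    $pso   = $user.'msDS-ResultantPSO'
    $isDate = ($raw -gt 0 -and $raw -ne [Int64]::MaxValue)
    [pscustomobject]@{
        User          = $user.SamAccountName
        # Empty when no PSO applies or the caller cannot read the PSO
        AppliedPolicy = if ($pso) { $pso } else { 'Default domain policy (no PSO returned)' }
        ExpiresOn     = if ($isDate) { [datetime]::FromFileTime($raw) } else { $null }
        Expires       = ConvertTo-ExpiryText -FileTime $raw
    }
}

# 'jdoe' is a placeholder account name
Get-PasswordExpiryCheck -Identity 'jdoe'
```

For a user covered by a fine-grained policy, AppliedPolicy shows the distinguished name of that policy, and Expires should agree with the 'Expires' field added to the form.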