Password expiration notification problem
Hi everybody,
I'm trying to configure a password expiration notification self service rule, but Cayosoft Administrator thinks every user has a PwdExpires value which is pwdlastset + 3 days.
For example, if pwdlastset is February 4, Cayosoft will send a notification saying the password will expire on February 7. However, my password expiration policy is 180 days, so it should be August 3.
What's the problem, and how can I overcome it?
-
Hi Christian,
To troubleshoot this rule can you please run this PowerShell script and send us the result?
get-aduser -Properties * -Identity <samAccountName> -Server <DCName> | ConvertTo-Json -Depth 3 | Out-File c:\temp\1.txt
Please replace <samAccountName> with the problem user's samAccountName. To get the DC Name in Admin Console navigate to Home > Configuration > Connected Systems Extensions > Active Directory and copy it from the Managed domains table next to the default domain:
Tatiana
-
Hi Christian,
I should ask you to reply to the thread on the Cayosoft Admin community page. Otherwise, our replies are not posted on the community.
The script I sent you before doesn't request the required attributes. Can you please run the new script below and send us the output file. Don't forget to replace user samAccountName and DC Name:
get-aduser -Properties PasswordExpired,PasswordNeverExpires,"msDS-UserPasswordExpiryTimeComputed" -Identity <samAccountName> -Server <DCName> | ConvertTo-Json -Depth 3 | Out-File c:\temp\1.txt
Also, can you check your AD and Exchange schema version by the PowerShell script below?
You need the PowerShell module for Active Directory on your system. It is available on your domain controllers or on the machine where Cayosoft Administrator is running.
The version information is read directly from Active Directory; you don’t need an elevated prompt to run it.
Import-Module ActiveDirectory
$SchemaVersions = @()
# Locate the schema naming context (its DN starts with CN=Schema)
$SchemaPartition = (Get-ADRootDSE).NamingContexts | ? { $_.SubString(0, 9).ToLower() -eq 'cn=schema' }
# AD schema version is the objectVersion of the schema partition
$SchemaVersionAD = (Get-ADObject $SchemaPartition -Property objectVersion).objectVersion
$SchemaVersions += @{'Active Directory' = $SchemaVersionAD}
# Exchange schema version is rangeUpper on ms-Exch-Schema-Version-Pt, if Exchange has extended the schema
$SchemaPathExchange = "CN=ms-Exch-Schema-Version-Pt,$SchemaPartition"
If (Test-Path "AD:$SchemaPathExchange") {
    $SchemaVersionExchange = (Get-ADObject $SchemaPathExchange -Property rangeUpper).rangeUpper
} Else {
    $SchemaVersionExchange = 0
}
$SchemaVersions += @{'Exchange' = $SchemaVersionExchange}
Write-Output $SchemaVersions
Tatiana
-
Hi Tatiana,
Here's the requested output:
"PropertyCount": 14,
"msDS-UserPasswordExpiryTimeComputed": 132571888357602997,
"ObjectGUID": "6ad401dc-6762-4ec6-8a71-f3c233bbe08a",
"PasswordExpired": true,
"PasswordNeverExpires": false,
"PwdLastSet": 132569296357602997
132569296357602997 | get-date --> thursday february 4 0421 16:27:15
132571888357602997 | get-date --> sunday february 7 0421 16:27:15
3 days! So wtf? I dug a little and found out there was a fine-grained password policy applied to this user (password expires after 3 days)! So everything works as expected.
Thank you for your help, best regards.
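
The check that settled this thread, as an added example (not part of the original posts and not Cayosoft code): it converts the two FILETIME attributes with FromFileTimeUtc, which gives the real year rather than the 0421 shown when the raw value is piped to get-date, and reports whether a fine-grained password policy or the default domain policy sets the user's maximum password age. The function names are hypothetical; the cmdlets come from the ActiveDirectory module.

```powershell
# Added example: explain where a user's computed password expiry comes from.
Import-Module ActiveDirectory

function ConvertFrom-AdFileTime {
    param([Parameter(Mandatory)][long]$Value)
    # 0 and Int64.MaxValue are "not set / never expires" sentinels, not real dates.
    if ($Value -le 0 -or $Value -eq [long]::MaxValue) { return $null }
    [datetime]::FromFileTimeUtc($Value)
}

function Get-PasswordExpiryExplanation {
    param(
        [Parameter(Mandatory)][string]$Identity,   # samAccountName of the user
        [Parameter(Mandatory)][string]$Server      # domain controller to query
    )
    $user = Get-ADUser -Identity $Identity -Server $Server -Properties `
        pwdLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'
    $lastSet = ConvertFrom-AdFileTime ([long]$user.pwdLastSet)
    $expires = ConvertFrom-AdFileTime ([long]$user.'msDS-UserPasswordExpiryTimeComputed')

    # A fine-grained policy, when one applies, overrides the domain default.
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $user -Server $Server
    if ($fgpp) {
        $source = "Fine-grained policy '$($fgpp.Name)'"
        $maxAge = $fgpp.MaxPasswordAge
    } else {
        $source = 'Default domain policy'
        $maxAge = (Get-ADDefaultDomainPasswordPolicy -Server $Server).MaxPasswordAge
    }

    [pscustomobject]@{
        SamAccountName       = $user.SamAccountName
        PwdLastSetUtc        = $lastSet
        ExpiresUtc           = $expires
        ObservedLifetime     = if ($lastSet -and $expires) { $expires - $lastSet } else { $null }
        PolicySource         = $source
        PolicyMaxAge         = $maxAge
        PasswordNeverExpires = $user.PasswordNeverExpires
    }
}

# Offline check using the two raw values posted in this thread.
$set = ConvertFrom-AdFileTime 132569296357602997
$exp = ConvertFrom-AdFileTime 132571888357602997
'{0:u} -> {1:u} ({2} days)' -f $set, $exp, ($exp - $set).TotalDays

# Against a live domain (placeholders as in the thread):
# Get-PasswordExpiryExplanation -Identity <samAccountName> -Server <DCName>
```

When ObservedLifetime matches PolicyMaxAge and PolicySource names a fine-grained policy, the notification date is correct and the policy assignment is what needs reviewing.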