ad-password-protection
ad-password-protection copied to clipboard
lithnet
Length-based Password Aging
Hey, it's me again. As I'm very fascinated of this project, I got an idea for the length-based complexity rules. I thought about an option, where you could set different password ages. (count of days, after which the password has to be changed)
That could be a great opportunity to allow people to still use smaller passwords, but also restricting them by letting their passwords expire faster.
To make this real, maybe the attribute "PwdLastSet" could be used, for example to be set a month before the actual change date. In my understanding, the password would then expire a month earlier.
$ReplaceHashTable = New-Object hashtable
$date = (Get-Date "16.05.2020").ToFileTime() #Windows NT Time Format
$ReplaceHashTable.Add("PwdLastSet", $date)
Set-ADUser -Identity Dave -Replace $ReplaceHashTable
I tried this powershell commands, but it seems, that this attribute can be changed only to 0 or -1 from an admin. 0 => Password expires now -1 => Password expires never
A system user may be able to change the attribute. Maybe the service of LPP is also able to do this.
I really like this concept. I would be a great addition to the tool as it goes with our ethos of allowing an organization to choose what a good password means to them.
You're right in that via LDAP you can only set pwdLastSet to 0/-1. All other values throw an error. There's no way I've found to adjust this value, no matter who you are. It seems to be set at a very low level, most likely internally in the directory service itself. For all that it is LDAP on the surface, there is a lot of hidden stuff going on underneath.
We'll have to think if there is another way to achieve this without relying on that attribute
I've tried out some possible solutions now.
-
Changing the "pwdLastSet" attribute doesn't work, as already mentioned. The only way to make something up of it would be by turning the attribute to 0.
-
With net user < username > [/domain] you can see the Expiration date.
PS C:\Users\Administrator> net user dave /domain
User name dave
Full Name David --------
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 16/06/2020 08:18:48
Password expires 16/09/2020 08:18:48
Password changeable 16/06/2020 08:18:48
Password required Yes
User may change password Yes
...
But there is no way to change it...
- I also tried to set the pwexpirationdate with WMIC, but there I only got the possibility to turn on or off, if a password can expire.
WMIC USERACCOUNT WHERE Name='administrator' SET PasswordExpires=FALSE
As I didn't find any solution on changing the "Password expires" (2) attribute, in Powershell I think the only solution would be a list or database within LPP. Then the "pwdLastSet" attribute or the default option on the useraccounts ("User must change password at next logon") needs to be changed by the LPP software or service. Maybe another programming language could also change this attribute of the "net user"...
Sooo,... I am not really sure what happens with this "issue" now.
Is it a feature request or will it be closed? I would say it's a feature request, but we have to find a way to achieve the goal.
@ToxicDave it will stay open as a feature request. I'm working on a new product at the moment, and hope to return to v2 of LPP soon. I'll look at options then.
Why not just use Fine Grain Password Policies? Isn't this kind of what you are doing already with having different requirements for different lengths of passwords? https://www.lepide.com/blog/fine-grained-password-policy-best-practices/#:~:text=AD%20supports%20one%20set%20of,a%20separate%20domain%20for%20them.
Create the criteria in Lithnet, have Lithnet create the appropriate FGPPs and corresponding AD groups. Then when a user submits their password you would remove them from all of the FGPP shadow groups and add them to the appropriate one for the password they put in. Submit their password to AD after that and BOOM variable length password expiration.
