3

Is there any way in BGInfo to show the # of days before an A.D. user password needs to be changed?

E.g. "you must change your password in 10 days".
A.D. passwords are to be reset every 2 months or 60 days.

PersianGulf
user353485

4 Answers

3

BGInfo supports the following for defining custom variables:

First thing that comes to mind would be to define a logon script for the user first. Something that finds the expiration date and then writes it to a file on the local computer:

```powershell
# Look up the logged-on user's own account in the domain
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.Filter = "(sAMAccountName=$($Env:USERNAME))"
$Searcher.SearchRoot = "LDAP://$Env:USERDNSDOMAIN"
$Searcher.SearchScope = 'Subtree'
$ADAccount = $Searcher.FindAll()
# pwdLastSet is stored as a Windows file time (Int64)
$PwdLastSet = [DateTime]::FromFileTime($ADAccount.Properties.pwdlastset[0])
$PwdAge = (New-TimeSpan $PwdLastSet (Get-Date)).TotalDays
# 60 = maximum password age in days (hard-coded)
$NextPwdChange = 60 - $PwdAge
[Math]::Round($NextPwdChange, 0) | Out-File (Join-Path $Env:USERPROFILE 'pwdage.txt')
```

That will figure out the last time the user's password was changed, calculate how old that is and write the difference from 60 days into a text file in the user's profile folder. So if I changed my password 30 days ago, it would write "30" into the text file because I have 30 days to go until my next password change.

Then you could have BGInfo consume the contents of that text file.

Ryan Ries
  • I got an error: error line 1 heading 1? – user353485 May 19 '16 at 21:01
  • Wouldn't [msDS-UserPasswordExpiryTimeComputed](https://msdn.microsoft.com/en-us/library/cc223410.aspx) be a better attribute to query than pwdLastSet? It accounts for any fine-grained password policies that might be applied and gives you a simple end date, no math necessary. – Ryan Bolger May 29 '16 at 07:40
1

Thanks for the great PowerShell script. One thing I had to change was the encoding of the txt file, from UTF to ASCII, because BGInfo cannot display UTF TXT files.

```powershell
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.Filter = "(sAMAccountName=$($Env:USERNAME))"
$Searcher.SearchRoot = "LDAP://$Env:USERDNSDOMAIN"
$Searcher.SearchScope = 'Subtree'
$ADAccount = $Searcher.FindAll()
$PwdLastSet = [DateTime]::FromFileTime($ADAccount.Properties.pwdlastset[0])
$PwdAge = (New-TimeSpan $PwdLastSet (Get-Date)).TotalDays
$NextPwdChange = 60 - $PwdAge
# Write the file as ASCII so BGInfo can read it
[Math]::Round($NextPwdChange, 0) | Out-File -Encoding ascii (Join-Path $Env:USERPROFILE 'pwdage.txt')
```

Jan
0

I just wanted to throw out a slight modification of the suggested PowerShell script based on the msDS-UserPasswordExpiryTimeComputed property. It has the benefit of automatically giving you the exact date/time when the given user's password will expire, even taking into account things like fine-grained password policies if you're using them. So there's no need to hard-code any known values for your existing password policy, and if you ever change your policy, you don't need to update the script.

```powershell
# sAMAccountType=805306368 restricts the match to normal user accounts
$Searcher = [adsisearcher]"(&(sAMAccountName=$($Env:USERNAME))(sAMAccountType=805306368))"
# Add() returns an index; discard it so it does not leak into the output
[void]$Searcher.PropertiesToLoad.Add("msDS-UserPasswordExpiryTimeComputed")
$ADAccount = $Searcher.FindOne()
# Property names in search results are lower-cased
$PwdExp = [DateTime]::FromFileTime($ADAccount.Properties.'msds-userpasswordexpirytimecomputed'[0])
$NextPwdChange = [Math]::Round(($PwdExp - (Get-Date)).TotalDays)
$NextPwdChange | Out-File -Encoding ascii (Join-Path $Env:USERPROFILE 'pwdage.txt')
```

Ryan Bolger
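The msDS-UserPasswordExpiryTimeComputed lookup from the answer above with the attribute's two sentinel values handled, as an added example that is not part of the original answers. The function name `ConvertTo-PwdExpiryText` and the output strings are assumptions chosen for illustration.

```powershell
# Added example, not code from the answers on this page.
# Assumption: runs as the logged-on domain user on a domain-joined machine.

function ConvertTo-PwdExpiryText {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][Int64]$ExpiryFileTime,
        [DateTime]$Now = (Get-Date)
    )
    # Sentinel values of msDS-UserPasswordExpiryTimeComputed:
    #   Int64.MaxValue -> password never expires (FromFileTime throws on it)
    #   0              -> pwdLastSet is 0: change required at next logon
    if ($ExpiryFileTime -eq [Int64]::MaxValue) { return 'never expires' }
    if ($ExpiryFileTime -le 0) { return 'change required now' }

    # Floor rather than Round so the display never overstates the time left
    $days = [Math]::Floor(([DateTime]::FromFileTime($ExpiryFileTime) - $Now).TotalDays)
    if ($days -lt 0) { return 'expired' }
    return "$days"
}

$attr = 'msDS-UserPasswordExpiryTimeComputed'
$Searcher = [adsisearcher]"(&(sAMAccountName=$($Env:USERNAME))(sAMAccountType=805306368))"
[void]$Searcher.PropertiesToLoad.Add($attr)

$text = 'unknown'   # written when the lookup fails (local account, no DC reachable)
try {
    $ADAccount = $Searcher.FindOne()
    if ($ADAccount) {
        $values = $ADAccount.Properties[$attr]
        if ($values -and $values.Count -gt 0) {
            $text = ConvertTo-PwdExpiryText -ExpiryFileTime $values[0]
        }
    }
} catch {
    Write-Warning "Password expiry lookup failed: $($_.Exception.Message)"
}

# ASCII so BGInfo can read the file, as noted in an earlier answer
$text | Out-File -Encoding ascii (Join-Path $Env:USERPROFILE 'pwdage.txt')
```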
0

Your idea is good but script runs into error.

I also made a new script which displays the expiration date in format DD:MM:YYYY HH:MM. You only have to modify the maximum password age value. If you have users who do not log off at the end of the day, BGInfo keeps displaying the same days until password expiration, which results in a wrong value. We implemented the following script:

```powershell
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.Filter = "(sAMAccountName=$($Env:USERNAME))"
$Searcher.SearchRoot = "LDAP://$Env:USERDNSDOMAIN"
$Searcher.SearchScope = 'Subtree'
$ADAccount = $Searcher.FindAll()
$PwdLastSet = [datetime]::FromFileTime($ADAccount.Properties.pwdlastset[0])
# 60 = maximum password age in days; adjust to your policy
$PwdExpire = $PwdLastSet.AddDays(60)
$PwdExpire = $PwdExpire.ToShortDateString() + " " + $PwdExpire.ToShortTimeString()
# The next two values are computed but not written to the file
$PwdAge = (New-TimeSpan $PwdLastSet (Get-Date))
$NextPwdChange = $PwdAge
$PwdExpire | Out-File -Encoding ascii (Join-Path $Env:USERPROFILE 'pwdage.txt')
```

It is also important that you create 2 policies (1 for BGInfo and 1 for the PS script), because otherwise the PS script takes too long to create the .txt file and BGInfo cannot display the value on the desktop. Moreover, set the setting "Run PS-Scripts first" in the policy. This worked for us.

Jan