Password last set
Posted:
Monday, May 21, 2012 11:45:06 PM(UTC)
Scott M
Member
Original Poster
Posts: 8
Looking for help with a custom action that tells me when the user last set their password or how close they are to expiring. How cool would that be?
Scott
#1
dteague
Member
Posts: 79
posted:
5/22/2012 10:34:23 PM(UTC)
If you search, you should find this code on here already, and you put it under User Actions as... {actionpath}acctstat.vbs "{cn}"
Code:
' Expects exactly one argument: the distinguished name passed in by the custom action.
If WScript.Arguments.Count = 1 Then
    struser = WScript.Arguments(0)
    Set objUser = GetObject("LDAP://" & struser)

    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
    Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

    ' Read the DACL, account flags and naming attributes of the user object
    Set objSD = objUser.Get("nTSecurityDescriptor")
    Set objDACL = objSD.DiscretionaryAcl
    Set objUserLDAP = GetObject("LDAP://" & struser)
    intCurrentValue = objUserLDAP.Get("userAccountControl")
    strSAMAccountName = objUser.Get("sAMAccountName")
    strCN = objUser.Get("cn")

    ' Password age in days, and the domain-wide limits converted from seconds to days
    Set objNet = CreateObject("WScript.NetWork")
    dtmValue = objUserLDAP.PasswordLastChanged
    intTimeInterval = int(now - dtmValue)
    Set objDomainNT = GetObject("WinNT://" & objNet.UserDomain)
    intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")/86400
    intMinPwdAge = objDomainNT.Get("MinPasswordAge")/86400

    ' blnEnabled becomes True when a deny ACE on "Change Password" is present
    blnEnabled = False
    For Each Ace In objDACL
        If ((Ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
            (LCase(Ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
            blnEnabled = True
        End If
    Next

    'Clear strMsg
    strMsg = ""

    'Account Disabled?
    If objuser.AccountDisabled = True Then
        MsgBox "This account is Disabled.",0,strCN & " (" & strSAMAccountName & ")"
    Else
        'Account Locked?
        If objuser.IsAccountLocked = True Then
            strMsg = strMsg & "This account is Enabled but Locked." & VbCrLf & VbCrLf
        Else
            strMsg = strMsg & "This account is Enabled and Not Locked." & VbCrLf & VbCrLf
        End If

        'Password Expires?
        If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then
            strMsg = strMsg & "The Password Never Expires for this account due to account settings." & VbCrLf & _
                " Password Changed: " & DateValue(dtmValue) & VBTab & int(now - dtmvalue) & " days ago" & VbCrLf & VbCrLf
        Else
            If intMaxPwdAge < 0 Then
                strMsg = strMsg & "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire." & VbCrLf & VbCrLf
            Else
                'Password Expired already?
                If intTimeInterval >= intMaxPwdAge Then
                    strMsg = strMsg & "The password has Expired." & VbCrLf & _
                        " Password Changed: " & DateValue(dtmValue) & VBTab & int(now - dtmvalue) & " days ago" & VbCrLf & _
                        " Password Expires: " & DateValue(dtmValue + intMaxPwdAge) & VBTab & int(now - (dtmValue + intMaxPwdAge)) & " days ago" & VbCrLf & _
                        " (Maximum password age: " & intMaxPwdAge & " days)" & VbCrLf & VbCrLf
                Else
                    strMsg = strMsg & "The password has Not Expired." & VbCrLf & _
                        " Password Changed: " & DateValue(dtmValue) & VBTab & int(now - dtmvalue) & " days ago" & VbCrLf & _
                        " Password Expires: " & DateValue(dtmValue + intMaxPwdAge) & VBTab & int((dtmValue + intMaxPwdAge) - now + 1) & " days from today" & VbCrLf & _
                        " (Maximum password age: " & intMaxPwdAge & " days)" & VbCrLf & VbCrLf
                End If
            End If
        End If

        'User can Change the Password?
        If blnEnabled Then
            strMsg = strMsg & strCN & " cannot change the password due to account settings."
        Else
            If intTimeInterval >= intMinPwdAge Then
                strMsg = strMsg & strCN & " can change the password."
            Else
                strMsg = strMsg & strCN & " can change the password after " & DateValue(dtmValue) + intMinPwdAge & "." & VbCrLf & _
                    " (Minimum password age: "& intMinPwdAge & " days)"
            End If
        End If

        'Display the Info
        MsgBox strMsg,0,strCN & " (" & strSAMAccountName & ")"
    End If
Else
    WScript.Echo "Error"
End If

' Release the COM objects
Set objNet = Nothing
Set objUser = Nothing
Set objSD = Nothing
Set objDACL = Nothing
Set objUserLDAP = Nothing
Set objDomainNT = Nothing
dteague attached the following image(s):
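Added example, not part of the thread and not code from any poster: the same disabled / never-expires / expired decisions as the script above, computed from raw LDAP attribute values (pwdLastSet, userAccountControl, maxPwdAge) so an exported user list can be audited offline. The function names and the sample accounts are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

ADS_UF_ACCOUNTDISABLE = 0x0002       # userAccountControl: account disabled
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl: password never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NO_MAX_AGE = (0, -(2**63))           # maxPwdAge values meaning "no maximum age"


def filetime_to_datetime(ticks):
    """Convert 100-ns intervals since 1601-01-01 UTC (pwdLastSet) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_status(pwd_last_set, uac, max_pwd_age, now):
    """Classify one account from raw pwdLastSet, userAccountControl and maxPwdAge."""
    if uac & ADS_UF_ACCOUNTDISABLE:
        return {"state": "disabled"}
    if pwd_last_set == 0:
        # No change date is stored: the user must change the password at next logon.
        return {"state": "must_change"}
    changed = filetime_to_datetime(pwd_last_set)
    result = {"state": "never_expires", "changed": changed,
              "age_days": (now - changed).days}
    if uac & ADS_UF_DONT_EXPIRE_PASSWD or max_pwd_age in NO_MAX_AGE:
        return result
    # maxPwdAge is stored as a negative count of 100-ns intervals.
    expires = changed + timedelta(microseconds=-max_pwd_age // 10)
    result.update(state="expired" if now >= expires else "valid",
                  expires=expires, days_left=(expires - now).days)
    return result


# Constructed sample values (not taken from any real directory).
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_MAX_AGE = -36288000000000     # 42 days
SAMPLE_USERS = {
    "alice": (133485408000000000, 0x0200),        # changed 2024-01-01, normal account
    "svc-backup": (133485408000000000, 0x10200),  # password never expires
    "bob": (0, 0x0200),                           # must change at next logon
    "carol": (133485408000000000, 0x0202),        # disabled
}

def audit(users=SAMPLE_USERS, max_age=SAMPLE_MAX_AGE, now=SAMPLE_NOW):
    """Return {name: state} for every sample account."""
    return {n: password_status(p, u, max_age, now)["state"] for n, (p, u) in users.items()}

if __name__ == "__main__":
    for name, state in audit().items():
        print(f"{name:12} {state}")
```

Like the script, this uses the domain-wide maximum age only; accounts covered by a fine-grained password policy can have a different limit.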
#2
chads
Member
Posts: 89
posted:
7/2/2012 5:11:10 PM(UTC)
Always enjoy finding these. Such a cool action. Now if only, instead of popping out a window separate from the Lansweeper webpage, it embedded the window result below the user, that would be awesome. But that would require a ton of work.
#3
Technut27
Member
Posts: 79
posted:
12/18/2014 9:34:26 PM(UTC)
I came across this a long time ago and finally had a need to do something like this. It sort of works for me: if I use it on my own user page, it returns the information perfectly, like in the screenshot. But if I try it on another user, it returns an error.
Error: The directory property cannot be found in the cache.
Code: 8000500D
Source: Active Directory
Maybe a permissions issue, because the user account I'm logged into my workstation with is not a domain admin account and can't fully read AD?
#4
dteague
Member
Posts: 79
posted:
12/19/2014 6:54:03 PM(UTC)
It must be how access is in AD.
I am a "normal" user (no extra rights), and can pull all the info from AD as me.
#5
gbhsmis
Member
Posts: 1
posted:
11/5/2021 8:59:46 PM(UTC)
I know this is old, but I cannot get this VB script to work.
I am a domain admin.
I think it's the LDP:// formatting or something. I see where it has "LDP://" and I added my domain/LDP server there. Still nothing though. It just spins for a second, after I created the script and put it there, but nothing (even an error) pops up.