Password last set

Posted: Monday, May 21, 2012 11:45:06 PM(UTC)
Scott M Member (Original Poster) Posts: 8
Looking for help with a custom action that tells me when the user last set their password or how close they are to expiring. How cool would that be?

Scott
#1 dteague Member Posts: 79
posted: 5/22/2012 10:34:23 PM(UTC)
If you search, you should find this code on here already, and you put it under User Actions as... {actionpath}acctstat.vbs "{cn}"

Code:
If WScript.Arguments.Count = 1 Then
    struser = WScript.Arguments(0)
    Set objUser = GetObject("LDAP://" & struser)
    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
    Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
    Set objSD = objUser.Get("nTSecurityDescriptor")
    Set objDACL = objSD.DiscretionaryAcl
    Set objUserLDAP = GetObject("LDAP://" & struser)
    intCurrentValue = objUserLDAP.Get("userAccountControl")
    strSAMAccountName = objUser.Get("sAMAccountName")
    strCN = objUser.Get("cn")
    Set objNet = CreateObject("WScript.NetWork")
    dtmValue = objUserLDAP.PasswordLastChanged
    intTimeInterval = int(now - dtmValue)
    Set objDomainNT = GetObject("WinNT://" & objNet.UserDomain)
    intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")/86400
    intMinPwdAge = objDomainNT.Get("MinPasswordAge")/86400

    For Each Ace In objDACL
        If ((Ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
            (LCase(Ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
            blnEnabled = True
        End If
    Next

    'Clear strMsg
    strMsg = ""

    'Account Disabled?
    If objuser.AccountDisabled = True Then
        MsgBox "This account is Disabled.",0,strCN & " (" & strSAMAccountName & ")"
    Else

        'Account Locked?
        If objuser.IsAccountLocked = True Then
            strMsg = strMsg & "This account is Enabled but Locked." & VbCrLf & VbCrLf
        Else
            strMsg = strMsg & "This account is Enabled and Not Locked." & VbCrLf & VbCrLf
        End If

        'Password Expires?
        If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then
            strMsg = strMsg & "The Password Never Expires for this account due to account settings." & VbCrLf & _
                " Password Changed: " & DateValue(dtmValue) & VBTab & int(now - dtmvalue) & " days ago" & VbCrLf & VbCrLf
        Else
            If intMaxPwdAge < 0 Then
                strMsg = strMsg & "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire." & VbCrLf & VbCrLf
            Else

                'Password Expired already?
                If intTimeInterval >= intMaxPwdAge Then
                    strMsg = strMsg & "The password has Expired." & VbCrLf & _
                        " Password Changed: " & DateValue(dtmValue) & VBTab & int(now - dtmvalue) & " days ago" & VbCrLf & _
                        " Password Expires: " & DateValue(dtmValue + intMaxPwdAge) & VBTab & int(now - (dtmValue + intMaxPwdAge)) & " days ago" & VbCrLf & _
                        " (Maximum password age: " & intMaxPwdAge & " days)" & VbCrLf & VbCrLf
                Else
                    strMsg = strMsg & "The password has Not Expired." & VbCrLf & _
                        " Password Changed: " & DateValue(dtmValue) & VBTab & int(now - dtmvalue) & " days ago" & VbCrLf & _
                        " Password Expires: " & DateValue(dtmValue + intMaxPwdAge) & VBTab & int((dtmValue + intMaxPwdAge) - now + 1) & " days from today" & VbCrLf & _
                        " (Maximum password age: " & intMaxPwdAge & " days)" & VbCrLf & VbCrLf
                End If
            End If
        End If

        'User can Change the Password?
        If blnEnabled Then
            strMsg = strMsg & strCN & " cannot change the password due to account settings."
        Else
            If intTimeInterval >= intMinPwdAge Then
                strMsg = strMsg & strCN & " can change the password."
            Else
                strMsg = strMsg & strCN & " can change the password after " & DateValue(dtmValue) + intMinPwdAge & "." & VbCrLf & _
                    " (Minimum password age: "& intMinPwdAge & " days)"
            End If
        End If

        'Display the Info
        MsgBox strMsg,0,strCN & " (" & strSAMAccountName & ")"

    End If

Else
    WScript.Echo "Error"
End If

Set objNet = Nothing
Set objUser = Nothing
Set objSD = Nothing
Set objDACL = Nothing
Set objUserLDAP = Nothing
Set objDomainNT = Nothing
dteague attached the following image(s):
CHQAUDT078-02.gif
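Added example (PowerShell, not part of dteague's post and not Lansweeper code): the same expiry decision computed from the raw directory attributes `pwdLastSet`, `userAccountControl` and the domain's `maxPwdAge`, including the cases where `pwdLastSet` is 0 and where the domain policy sets no maximum age. The function name `Get-PasswordStatus` and all sample values are constructed for illustration.

```powershell
# Added example: names and sample values are constructed, not from the thread.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # same flag the VBScript above tests

function Get-PasswordStatus {
    param(
        [long]$PwdLastSet,         # pwdLastSet: 100 ns ticks since 1601-01-01 UTC
        [int]$UserAccountControl,  # userAccountControl bit flags
        [long]$MaxPwdAge,          # domain maxPwdAge: negative 100 ns interval
        [datetime]$Now = [datetime]::UtcNow
    )
    $result = [ordered]@{ State = $null; LastSet = $null; Expires = $null; DaysLeft = $null }

    # 0 means no password timestamp: the user must change it at next logon.
    if ($PwdLastSet -eq 0) {
        $result.State = 'MustChangeAtNextLogon'
        return [pscustomobject]$result
    }
    $result.LastSet = [datetime]::FromFileTimeUtc($PwdLastSet)

    # Per-account flag, or a domain policy of 0 / Int64.MinValue: no expiry.
    $flagSet  = ($UserAccountControl -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0
    $noPolicy = ($MaxPwdAge -eq 0) -or ($MaxPwdAge -eq [long]::MinValue)
    if ($flagSet -or $noPolicy) {
        $result.State = 'NeverExpires'
        return [pscustomobject]$result
    }

    # maxPwdAge is negative, so negating it moves forward in time.
    $result.Expires  = $result.LastSet.AddTicks(-$MaxPwdAge)
    $result.DaysLeft = [math]::Floor(($result.Expires - $Now).TotalDays)
    $result.State    = if ($result.Expires -le $Now) { 'Expired' } else { 'Valid' }
    return [pscustomobject]$result
}

# Constructed sample input: password set 2024-01-01 UTC, 90-day policy.
$set    = [datetime]::new(2024, 1, 1, 0, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
$policy = -([timespan]::FromDays(90).Ticks)
$early  = [datetime]::new(2024, 3, 1, 0, 0, 0, [DateTimeKind]::Utc)
$late   = [datetime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)

Get-PasswordStatus -PwdLastSet $set -UserAccountControl 0x200   -MaxPwdAge $policy -Now $early  # inside the policy window
Get-PasswordStatus -PwdLastSet $set -UserAccountControl 0x200   -MaxPwdAge $policy -Now $late   # past the policy window
Get-PasswordStatus -PwdLastSet $set -UserAccountControl 0x10200 -MaxPwdAge $policy -Now $late   # never-expires flag set
Get-PasswordStatus -PwdLastSet 0    -UserAccountControl 0x200   -MaxPwdAge $policy -Now $early  # pwdLastSet unset
Get-PasswordStatus -PwdLastSet $set -UserAccountControl 0x200   -MaxPwdAge 0       -Now $late   # domain has no maximum age
```

Fine-grained password policies are not considered here; only the domain-wide `maxPwdAge` is used.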
#2 chads Member Posts: 89
posted: 7/2/2012 5:11:10 PM(UTC)
Always enjoy finding these. Such a cool action. Now only if instead of popping out a window separate from the Lansweeper webpage and embedding the window result below the user would be awesome. But that would require a ton of work.
#3 Technut27 Member Posts: 79
posted: 12/18/2014 9:34:26 PM(UTC)
I came across this a long time ago and finally had a need to do something like this. It sort of works for me: if I use it on my own user page, it returns the information perfectly, like in the screenshot. But if I try it on another user, it returns an error.

Error: The directory property cannot be found in the cache.
Code: 8000500D
Source: Active Directory

Maybe a permissions issue, because the user account I'm logged into my workstation with is not a domain admin account and can't fully read AD?
#4 dteague Member Posts: 79
posted: 12/19/2014 6:54:03 PM(UTC)
It must be how access is in AD.

I am a "normal" user (no extra rights), and can pull all the info from AD as me.
#5 gbhsmis Member Posts: 1
posted: 11/5/2021 8:59:46 PM(UTC)
I know this is old, but I cannot get this VB script to work.

I am a domain admin.

I think it's the LDP:// formatting or something. I see where it has "LDP://" and I added my domain/LDP server there. Still nothing though. It just spins for a second, after I created the script and put it there, but nothing (even an error) pops up.
