
How can I detect whether AD user password is expired without a second account to query AD?

I have created a (PowerShell) wizard to guide a user through the process of (remotely) joining his computer to the domain. The script runs under the login of the (standard) local administrator and queries AD and joins the computer (Add-Computer) using the credentials of the user concerned. The user has explicit permissions on one or more specific AD computer accounts to join that computer to the domain (he is not a domain administrator).

Everything works fine, but for new hires the password is set to "User must change password at the next logon". Whenever I query something in AD using the credentials of a user whose password is expired, I always get a general error: "unknown user name or bad password."

How can I determine that the password is expired from the account itself (not using any other accounts) so that I can prompt for a password change?

Is this possible at all? (How does the Windows OS do this at logon?)

This question is not the same as How can I query users with an expired password in Active Directory? because in this scenario, you have another account available to query AD.

Found this, but unable to test at this point:

Get-ADUser $env:UserName -Properties PasswordExpired, PasswordNeverExpires, PasswordLastSet

EDIT: As you mentioned, you cannot query AD, as you are running under a local admin account which is not part of AD, and you do not have an AD account to query password expiration for the account you are testing.

This seems by design, for new hires you'd need to devise a way to make the password expire after a certain time, instead of upon first logon.
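Added example, not part of the original question or answer: the "unknown user name or bad password" text the question quotes is the generic Win32 wrapper, but a direct LDAP bind to a domain controller carries a more specific AD sub-status in its diagnostic message (the "data NNN" token, e.g. "AcceptSecurityContext error, data 773"). Those codes are the Win32 logon error codes in hex: 0x773 is ERROR_PASSWORD_MUST_CHANGE, 0x532 is ERROR_PASSWORD_EXPIRED, 0x52e is ERROR_LOGON_FAILURE. Binding as the user needs no second account and no domain membership, only network reach to a DC. The server name, UPN and the sample diagnostic string below are assumed/constructed for illustration.

```powershell
# Added example (not from the original question or answer).
# Assumes: a reachable domain controller $Server that accepts LDAPS on port 636
# with a certificate the (not yet joined) workstation trusts, and the user's UPN
# plus the current (possibly temporary) password.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# AD-specific "data NNN" sub-status codes found in the bind diagnostic message.
# The values are Win32 logon error codes written in hex.
$script:AdBindSubStatus = @{
    '525' = 'NoSuchUser'              # ERROR_NO_SUCH_USER
    '52e' = 'BadPassword'             # ERROR_LOGON_FAILURE
    '530' = 'LogonHoursRestricted'    # ERROR_INVALID_LOGON_HOURS
    '531' = 'WorkstationRestricted'   # ERROR_INVALID_WORKSTATION
    '532' = 'PasswordExpired'         # ERROR_PASSWORD_EXPIRED
    '533' = 'AccountDisabled'         # ERROR_ACCOUNT_DISABLED
    '701' = 'AccountExpired'          # ERROR_ACCOUNT_EXPIRED
    '773' = 'MustChangePassword'      # ERROR_PASSWORD_MUST_CHANGE ("must change password at next logon")
    '775' = 'AccountLockedOut'        # ERROR_ACCOUNT_LOCKED_OUT
}

function Get-AdBindSubStatus {
    # Extracts the "data NNN" token from an AD bind diagnostic such as
    # "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580"
    # and maps it to a readable state. Unknown codes are returned as-is.
    param([Parameter(Mandatory)][string]$ServerErrorMessage)
    if ($ServerErrorMessage -match 'data\s+([0-9a-fA-F]+)') {
        $code = $Matches[1].ToLower()
        if ($script:AdBindSubStatus.ContainsKey($code)) { return $script:AdBindSubStatus[$code] }
        return "Unknown($code)"
    }
    return 'Unknown'
}

function Test-AdCredentialState {
    # Performs an LDAP simple bind as the user and classifies the outcome.
    # Returns 'Ok' on success, otherwise the mapped sub-status (e.g. 'MustChangePassword').
    param(
        [Parameter(Mandatory)][string]$Server,              # DC FQDN, e.g. dc01.corp.example (assumed)
        [Parameter(Mandatory)][string]$UserPrincipalName,   # e.g. jdoe@corp.example (assumed)
        [Parameter(Mandatory)][securestring]$Password
    )
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    try {
        $conn.SessionOptions.ProtocolVersion = 3
        # A simple bind sends the password in the clear; only do it inside TLS (LDAPS).
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = New-Object System.Net.NetworkCredential($UserPrincipalName, $Password)
        $conn.Bind()
        return 'Ok'
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # 49 / invalidCredentials; the AD-specific detail lives in ServerErrorMessage.
        return Get-AdBindSubStatus -ServerErrorMessage $_.Exception.ServerErrorMessage
    }
    finally {
        $conn.Dispose()
    }
}

# Offline check of the parser against a constructed diagnostic string (not a real DC response):
$sample = '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580'
Get-AdBindSubStatus -ServerErrorMessage $sample   # MustChangePassword

# Live usage in the join wizard (assumed names):
# $state = Test-AdCredentialState -Server 'dc01.corp.example' `
#             -UserPrincipalName 'jdoe@corp.example' `
#             -Password (Read-Host -AsSecureString 'Domain password')
# switch ($state) {
#     'Ok'                 { <# proceed with Add-Computer #> }
#     'MustChangePassword' { <# prompt the user to change the password first #> }
#     'PasswordExpired'    { <# same, password aged out #> }
#     default              { <# report $state and stop #> }
# }
```

Two caveats. The data code is only meaningful when the supplied password is the account's current one: a wrong password yields 52e regardless of the account's state, so the wizard must still treat a failed bind as a failure. And a TLS problem (untrusted DC certificate on a machine that is not yet domain-joined) surfaces as a connection error with no data code at all; verify LDAPS trust before relying on this check. For the question's aside on how Windows itself knows at logon: the Kerberos KDC reports an expired or must-change password as KDC_ERR_KEY_EXPIRED, which the logon UI turns into the change-password prompt; the LDAP bind exposes the equivalent sub-status to a script.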

