I have a problem which I need some help with.
I use LDAP with PHP to authenticate users, and I also check to see if the user's password is marked as expired. This all works fine if the user's password has not expired or if the admins have ticked the box to force a password reset. However, I get a problem when the password expires through the group policies.
To make it so that I can still authenticate the user when their password is marked as expired, I need to change the pwdlastset value to -1 and then back to what it was in the first place. But this just throws an exception whenever the password has expired instead of changing the pwdlastset value.
Exception:
0x50 (Other (e.g., implementation specific) error; 00000057: SysErr: DSID-031A1202, problem 22 (Invalid argument), data 0 ): updating: CN=Steve,OU=Developer Groups,DC=external,DC=domain,DC=local in
Can anyone confirm for me whether I'm right in thinking that I cannot change this value once the password has expired through policies or not?
If I am unable to change this value, is there not a work around?
Thanks
Only the system can modify the pwdLastSet attribute to any value other than 0 or -1. If you assign 0, the password is immediately expired. Then when the user changes their password the current date/time is assigned by the system to the pwdLastSet attribute.
The value -1 corresponds to the largest integer allowed in a 64-bit attribute, 2^63-1. This value does the reverse of 0. It makes the password not expired. When the user next logs on, the pwdLastSet attribute will be set by the system to the value corresponding to the current date/time.
If you ask for a generalized setting value in your app for the value of Password expiration policy, then you could add that to pwdLastSet, and compare to the current time to test if it is expired.
Which is how the system does it. Prior to Win 2008 servers, there was only the domain wide password policy, so that works fine in that model. With fine grained password policies there can potentially be more password policies. As I recall, you make a group that is of a particular type whose members get the specific policy so it could be looked up.
Of course, both approaches are Active Directory specific, and won't work on any other LDAP server as they use different methods for denoting expired passwords.
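Putting the two answers together (pwdLastSet values of 0 and 2^63-1 as the special "expired" and "not expired" markers, and adding the domain's maxPwdAge to pwdLastSet to compare against the current time), as an added example that is not from the question or either answer. It is written in Python rather than the asker's PHP since the tick arithmetic is identical; the sample date and the 42-day maximum age are constructed, and the `utc`, `datetime_to_filetime` and `filetime_to_datetime` helpers are mine.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores pwdLastSet and maxPwdAge as 64-bit counts of
# 100-nanosecond ticks (Windows FILETIME): pwdLastSet as ticks since
# 1601-01-01 UTC, maxPwdAge as a negative interval.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
PWD_LAST_SET_NEVER_EXPIRES = 2**63 - 1  # what the directory stores when -1 is written
MAX_PWD_AGE_DISABLED = -2**63           # maxPwdAge when the domain policy has no expiry

def utc(*ymd_hms):
    """Build an aware UTC datetime from (year, month, day[, hour, minute, second])."""
    return datetime(*ymd_hms, tzinfo=timezone.utc)

def datetime_to_filetime(dt):
    """Datetime -> FILETIME ticks; used here only to construct sample attribute values."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10

def filetime_to_datetime(ticks):
    """FILETIME ticks -> aware UTC datetime (sub-microsecond precision is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def expires_at(pwd_last_set, max_pwd_age):
    """Return when the password expires, or None if it does not expire.

    pwd_last_set: the account's pwdLastSet (LDAP libraries return it as a decimal string).
    max_pwd_age:  the domain root's maxPwdAge (negative ticks, e.g. -42 days).
    """
    pwd_last_set, max_pwd_age = int(pwd_last_set), int(max_pwd_age)
    if pwd_last_set == 0:
        return FILETIME_EPOCH  # 0 means "must change at next logon": already expired
    if pwd_last_set == PWD_LAST_SET_NEVER_EXPIRES or max_pwd_age == MAX_PWD_AGE_DISABLED:
        return None
    return filetime_to_datetime(pwd_last_set - max_pwd_age)  # minus a negative age = plus

def password_expired(pwd_last_set, max_pwd_age, now):
    """True when the directory would consider the password expired at `now`."""
    deadline = expires_at(pwd_last_set, max_pwd_age)
    return deadline is not None and now >= deadline

if __name__ == "__main__":
    # Constructed sample: password set 2023-01-01 with a 42-day domain maximum age.
    sample = datetime_to_filetime(utc(2023, 1, 1))
    print(expires_at(sample, -42 * 86400 * TICKS_PER_SECOND))  # 2023-02-12 00:00:00+00:00
```

Because the policy check is done in the application, the login path can authenticate the user and then send them to a password-change flow without writing to pwdLastSet at all.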