This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AD fine grained password policy - PasswordExpirationDate wrong

hgi1
Engaged Sweeper II

‎04-02-2024 11:45 AM

Hi,

we use AD fine grained password policy - applied to a group of users.
See: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-act...

Querying tblADusers.PasswordExpirationDate, we see that the fine grained password policy is not taken into account.
The value in tblADusers always seems to respect only the default password policy, but not the override settings of fine grained password policies.

Calling the Powershell command
Get-ADUser -Identity ID_GOES_HERE –Properties "msDS-UserPasswordExpiryTimeComputed"
shows a different PasswordExpirationDate for the AD user as the Lansweeper table tblADusers contains.

How to get the correct value into the Lansweeper table?

Labels:
0 Kudos
4 REPLIES 4
hgi1
Engaged Sweeper II

‎04-05-2024 11:45 AM

Being currently in contact with support, it seems that the problem originates from using Fine-Grained Password Policies (FGPP) in conjunction with the type of querying the password expiration information used by LanSweeper.

I found this hint on the web (https://learn.microsoft.com/en-us/answers/questions/110116/active-directory):
When using "net user samAccountName /domain", the value returned by "Password expires" doesn’t take in consideration the fine grained policies. 
It only shows the domain password policy.

This might explain, why LanSweeper currently shows a wrong expiry information, when FGPP is not taken into account.

0 Kudos
Obi_1_Cinobi
Lansweeper Tech Support
Lansweeper Tech Support

‎04-03-2024 09:20 AM - last edited on ‎04-12-2024 10:39 AM by

Hello there!

If you're looking for information about the AD attributes that are being scanned, please refer to this KB article: https://community.lansweeper.com/t5/scanning-your-network/active-directory-user-and-computer-attribu...

In case you need any further assistance or want to request a new feature for AD scanning, please get in touch with our tech support team via this link: https://www.lansweeper.com/contact/contact-support/

 

0 Kudos
hgi1
Engaged Sweeper II
In response to Obi_1_Cinobi

‎04-03-2024 10:06 AM

I don't see how this answers my question.
I know that the PasswordExpirationDate is imported, but my question is, why is the value wrong?

0 Kudos
Obi_1_Cinobi
Lansweeper Tech Support
Lansweeper Tech Support
In response to hgi1

‎04-03-2024 10:14 AM

Hello there!

For further troubleshooting please get in touch with our tech support team via this link: https://www.lansweeper.com/contact/contact-support/

0 Kudos

General Discussions

Find answers to technical questions about Lansweeper.

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now