cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
hgi1
Engaged Sweeper II

Hi,

we use AD fine grained password policy - applied to a group of users.
See: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-act...

Querying tblADusers.PasswordExpirationDate, we see that the fine grained password policy is not taken into account.
The value in tblADusers always seems to respect only the default password policy, but not the override settings of fine grained password policies.

Calling the Powershell command
Get-ADUser -Identity ID_GOES_HERE –Properties "msDS-UserPasswordExpiryTimeComputed"
shows a different PasswordExpirationDate for the AD user as the Lansweeper table tblADusers contains.

How to get the correct value into the Lansweeper table?

4 REPLIES 4
hgi1
Engaged Sweeper II

Being currently in contact with support, it seems that the problem originates from using Fine-Grained Password Policies (FGPP) in conjunction with the type of querying the password expiration information used by LanSweeper.

I found this hint on the web (https://learn.microsoft.com/en-us/answers/questions/110116/active-directory):
When using "net user samAccountName /domain", the value returned by "Password expires" doesn’t take in consideration the fine grained policies. 
It only shows the domain password policy.

This might explain, why LanSweeper currently shows a wrong expiry information, when FGPP is not taken into account.

Obi_1_Cinobi
Lansweeper Tech Support
Lansweeper Tech Support

Hello there!

If you're looking for information about the AD attributes that are being scanned, please refer to this KB article: https://community.lansweeper.com/t5/scanning-your-network/active-directory-user-and-computer-attribu...

In case you need any further assistance or want to request a new feature for AD scanning, please get in touch with our tech support team via this link: https://www.lansweeper.com/contact/contact-support/

 

hgi1
Engaged Sweeper II

I don't see how this answers my question.
I know that the PasswordExpirationDate is imported, but my question is, why is the value wrong?

Obi_1_Cinobi
Lansweeper Tech Support
Lansweeper Tech Support

Hello there!

For further troubleshooting please get in touch with our tech support team via this link: https://www.lansweeper.com/contact/contact-support/

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now