How to change "pwdlastset" attribute value manually

sirineni
sirineni used Ask the Experts™
on
AD 2003 using ADSI EDIT
=========================
I need to test a password policy expiry. How this works is- a email is triggered when the password is expired.I need to test teh functionality.

I want to expire my password (say today).So trying to set the "pwdlastset" attribute and getting "The parameter is incorrect"

1. am doing right thing? Is this a configugarable attirbute?
2. If so how to do I edit this?
3. What values are accepted (ex.1, 0) and what they mean?

Any suggestions to help change the expiry value are greatly appreciated.
 
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Adam BrownSenior Systems Admin
Top Expert 2010

Commented:
The pwdlastset value is actually written as an LDAP timestamp. That timestamp is the number of 100 nanosecond intervals since January 1, 1601. You can get the value for the current time in Powershell by entering (get-date).toFileTime()

Today's is 129538456723328565
so if you enter that as the value of pwdlastset it will set the password last set value to Wednesday, June 29, 2011 18:27:52GMT

Author

Commented:
acbrown2010,
Thanks for the note but still getting(while using 129538456723328565) same error when I hit apply "Parameter is incorrect". Only value it seems to be taking is "0" which might have a different meaning!
Adam BrownSenior Systems Admin
Top Expert 2010

Commented:
Yeah, just figured that out myself. Setting to 0 means that the user has to do a password reset immediately. Give me a minute and I'll figure it out.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Adam BrownSenior Systems Admin
Top Expert 2010

Commented:
Alright, got it. Setting it to -1 will reset the date to the current time. Note that this will only happen if the user does not have the Password Never Expires option set.

Author

Commented:
no luck. as soon as I type minus (-)Gives "unacceptable character and you can only type number here"/
Password never expire is not set on teh account
Most Valuable Expert 2018
Distinguished Expert 2018
Commented:
You can not change that value to a given date, only 0 ("Must change password") and -1 ("Password changed today"): "The pwdLastSet attribute cannot be set to any other value except by the system.".
User Must Change Password at Next Logon (LDAP Provider)
http://msdn.microsoft.com/en-us/library/aa746510(VS.85).aspx
"Update Privilege: This value is set by the system."
Pwd-Last-Set Attribute
http://msdn.microsoft.com/en-us/library/ms679430(VS.85).aspx

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial