Re: AD password policy in Forms auth against AD

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 12/17/04

    Date: Fri, 17 Dec 2004 10:30:47 -0600


    This is going to be a lot of work if you plan to do this via LDAP. You'll
    need a service account that can access the user account to read all of their
    attributes and you'll need to learn how to determine all of the various
    things that indicate these states. AD doesn't tell you why a bind failed
    (due to lockout, disabled, expired, user must change password, etc. vs.
    simple bad password), so you have to figure this out for yourself.

    Joe K.

    "Nils Magnus Englund" <nils.magnus.englund@orkfin.no> wrote in message
    news:eDXKeXC5EHA.1188@tk2msftngp13.phx.gbl...
    > Hey!
    >
    > I've successfully followed Microsoft's example on how to use Forms
    > authentication with Active Directory (from the "Building Secure ASP.NET
    > Applications" How-To section). However, I would very much like to use AD's
    > password policy features, specifically:
    >
    > 1. I want the user to get a warning e.g. two weeks before his/her
    > password expires
    >
    > 2. I want the user to be able to change password (assuming the new
    > password meets the requirements set by the password policy)
    >
    > 3. If the password has expired, I want the user to still be able to log
    > in, but forced to change password in order to continue. (If this isn't
    > possible with AD, I could set the expiration time to a year, and force the
    > user to change password if there's less than 300 days left, in effect
    > giving the user two months password expiration with another 300 days
    > before the user is disabled/blocked).
    >
    > Any ideas and/or suggestions? This will be used on a portal with several
    > hundred customers, where all customers will be stored in an AD (in their
    > own "External users" OU).
    >
    > Thanks!
    >
    >
    > Regards,
    > Nils Magnus Englund
    >
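Working out the states Joe lists (disabled, locked out, expired, must change password) from attributes a service account can read, plus the days-until-expiry figure Nils wants for his warning, as an added example that is not part of this thread. The attribute names and userAccountControl bits are AD's own; the dict layout, the sample values and the "NOW" clock are constructed here, and the attributes are assumed to have been fetched already via LDAP.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits published in the AD schema
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWD = 0x10000
# Windows FILETIME: 100-ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires values meaning "never"
NO_LIMIT = -0x8000000000000000            # maxPwdAge / lockoutDuration "never"

def ft_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_ft(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10

def interval_to_td(i):
    # domain-wide intervals (maxPwdAge, lockoutDuration) are stored negative
    return timedelta(microseconds=abs(i) // 10)

def account_state(user, domain, now):
    """Return (reasons a bind would be refused, days until the password expires).
    user: userAccountControl, lockoutTime, pwdLastSet, accountExpires;
    domain: maxPwdAge, lockoutDuration read from the domain root object."""
    reasons = []
    uac = user["userAccountControl"]
    if uac & ACCOUNTDISABLE:
        reasons.append("disabled")
    lt, ld = user["lockoutTime"], domain["lockoutDuration"]
    if lt and (ld == NO_LIMIT or now < ft_to_dt(lt) + interval_to_td(ld)):
        reasons.append("locked out")      # lockoutTime still inside lockoutDuration
    ae = user["accountExpires"]
    if ae not in NEVER_EXPIRES and now >= ft_to_dt(ae):
        reasons.append("account expired")
    pls, max_age = user["pwdLastSet"], domain["maxPwdAge"]
    days_left = None
    if pls == 0:
        reasons.append("must change password")   # "change at next logon" is pwdLastSet=0
    elif not uac & DONT_EXPIRE_PASSWD and max_age not in (0, NO_LIMIT):
        expiry = ft_to_dt(pls) + interval_to_td(max_age)
        days_left = (expiry - now).days
        if now >= expiry:
            reasons.append("password expired")
    return reasons, days_left

# constructed sample values, not read from a real directory
NOW = datetime(2004, 12, 17, 16, 30, tzinfo=timezone.utc)
DOMAIN = {"maxPwdAge": -42 * 24 * 3600 * 10**7, "lockoutDuration": -30 * 60 * 10**7}
USER_OK = {"userAccountControl": 0x200, "lockoutTime": 0,
           "pwdLastSet": dt_to_ft(NOW - timedelta(days=30)), "accountExpires": 0}
```

With a 42-day maxPwdAge, `account_state(USER_OK, DOMAIN, NOW)` returns `([], 12)`, i.e. no bind-blocking state but inside the two-week warning window.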
