How to retrieve Active Directory group policy maximum password age using LDAP
I would like to retrieve the group policy regarding passwords from the company Active Directory, but I cannot find any information on how to filter my search to find the attributes.
First, I'd like to get the maximum password age, which should be the msDS-MaximumPasswordAge attribute.
The search term I've been trying:
```php
ldap_search($ldap, 'CN=Policies,CN=System,DC=company,DC=com', '(objectClass=*)', array('msDS-MaximumPasswordAge'));
```
This is the widest filter I've tried, but it returns no object where the count is not zero. Of course I replaced the DC name for the purpose of this example.
Did I miss something? Should I search under a different container?
Solution 1:[1]
Are you sure you have implemented a Group Policy with msDS-PasswordSettings enabled?
You should use a filter like (&(objectClass=msDS-PasswordSettings)) and return the attribute "msDS-MaximumPasswordAge".
An msDS-PasswordSettings entry appears in an LDIF like:
```
dn: CN=PS??,CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
objectClass: msDS-PasswordSettings
msDS-MaximumPasswordAge:-1728000000000
msDS-MinimumPasswordAge:-864000000000
msDS-MinimumPasswordLength:8
msDS-PasswordHistoryLength:24
msDS-PasswordComplexityEnabled:TRUE
msDS-PasswordReversibleEncryptionEnabled:FALSE
msDS-LockoutObservationWindow:-18000000000
msDS-LockoutDuration:-18000000000
msDS-LockoutThreshold:0
msDS-PasswordSettingsPrecedence:20
msDS-PSOAppliesTo:CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com
```
-jim
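The age and lockout attributes in an entry like the one above are stored as negative counts of 100-nanosecond intervals, so they need decoding before they can be compared with a policy. The Python below is an added example, not part of the original answer: it parses a subset of the answer's LDIF entry (embedded inline) and decodes those values; the function names are illustrative.

```python
from datetime import timedelta

# Subset of the PSO entry from the answer above, embedded so this runs offline.
SAMPLE_LDIF = """\
dn: CN=PS??,CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
objectClass: msDS-PasswordSettings
msDS-MaximumPasswordAge:-1728000000000
msDS-MinimumPasswordAge:-864000000000
msDS-PasswordReversibleEncryptionEnabled:FALSE
msDS-LockoutObservationWindow:-18000000000
msDS-LockoutDuration:-18000000000
msDS-LockoutThreshold:0
"""
NEVER = -(2 ** 63)  # interval value AD stores for "never"
INTERVAL_ATTRS = ("msds-maximumpasswordage", "msds-minimumpasswordage",
                  "msds-lockoutobservationwindow", "msds-lockoutduration")

def parse_entry(ldif):
    """Parse one plain LDIF entry (no folded lines, no base64 '::' values)."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry[name.strip().lower()] = value.strip()
    return entry

def interval_to_timedelta(raw):
    """Negative count of 100-ns ticks -> timedelta; None means 'never'."""
    ticks = int(raw)
    if ticks == NEVER:
        return None
    return timedelta(microseconds=-ticks // 10)

def summarize(entry):
    """Return (decoded durations, settings a reviewer should look at)."""
    durations = {a: interval_to_timedelta(entry[a])
                 for a in INTERVAL_ATTRS if a in entry}
    findings = []
    if entry.get("msds-lockoutthreshold") == "0":
        findings.append("lockout disabled (threshold 0)")
    if entry.get("msds-passwordreversibleencryptionenabled", "").upper() == "TRUE":
        findings.append("reversible password encryption enabled")
    return durations, findings

if __name__ == "__main__":
    for item in summarize(parse_entry(SAMPLE_LDIF)):
        print(item)
```

For the sample entry this decodes the maximum age to 2 days, the minimum age to 1 day and both lockout intervals to 30 minutes.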
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | jwilleke |