What is value for maxPwdAge in AD (weird value in one of ours)?

Tutorials Win: Microsoft Windows Forum

Hi,

We have some code that runs intermittently against our ADs in several
environments (these "environments" are completely separate from each
other), and it uses maxPwdAge to determine when the passwords for
users are going to expire.

In 2 of the environments, they have it set to 90 and 60 days, and
maxPwdAge shows up as large negative numbers.

However, in the 3rd one, maxPwdAge is appearing as "15552000", which
calculates to 180 days in seconds.

Does anyone know why maxPwdAge would be a positive number in that one
environment, vs. large negative number in the other ones?

Thanks,
Jim
Top

Re: What is value for maxPwdAge in AD (weird value in one of ours)? by Richard

Richard
Wed Apr 23 11:45:23 PDT 2008

Jim wrote:

> We have some code that runs intermittently against our ADs in several
> environments (these "environments" are completely separate from each
> other), and it uses maxPwdAge to determine when the passwords for
> users are going to expire.
>
> In 2 of the environments, they have it set to 90 and 60 days, and
> maxPwdAge shows up as large negative numbers.
>
> However, in the 3rd one, maxPwdAge is appearing as "15552000", which
> calculates to 180 days in seconds.
>
> Does anyone know why maxPwdAge would be a positive number in that one
> environment, vs. large negative number in the other ones?

The maxPwdAge attribute of the domain object is datatype Integer8, a 64-bit
value. The value corresponds to the age in 100-nanosecond intervals (not
seconds). I'm used to handling this in VBScript using the IADsLargeInteger
interface, which has a HighPart and LowPart method that breaks the 64-bit
value into two 32-bit values. The value is either 0 or a negative value,
similar to an offset. Due to quirks in the way signed integers are handled,
if the LowPart method returns a negative value, the value returned by the
HighPart method should be increased by 1. I use the following VBScript code
to convert maxPwdAge attribute to days:
========
' Determine domain maximum password age policy in days.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
Set objDomain = GetObject("LDAP://" & strDNSDomain)
Set objMaxPwdAge = objDomain.MaxPwdAge

' Account for bug in IADslargeInteger property methods.
lngHighAge = objMaxPwdAge.HighPart
lngLowAge = objMaxPwdAge.LowPart
If (lngLowAge < 0) Then
lngHighAge = lngHighAge + 1
End If
' Convert to days.
intMaxPwdAge = -((lngHighAge * 2^32) _
+ lngLowAge)/(600000000 * 1440)
========
We don't know how your code converts the Integer8 value into seconds. It
probably is flawed.

As an example, in my domain ADSI Edit reveals that maxPwdAge
is -37,108,517,437,440. My script reveals that HighPart returns -8640 and
LowPart returns 0, which works out to the same number of 100-nanosecond
intervals. This converts to 42.94967 days.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--


Top

Re: What is value for maxPwdAge in AD (weird value in one of ours)? by ohaya

ohaya
Wed Apr 23 20:21:33 PDT 2008

On Apr 23, 2:45=A0pm, "Richard Mueller [MVP]" <rlmueller-
nos...@ameritech.nospam.net> wrote:
> Jim wrote:
> > We have some code that runs intermittently against our ADs in several
> > environments (these "environments" are completely separate from each
> > other), and it uses maxPwdAge to determine when the passwords for
> > users are going to expire.
>
> > In 2 of the environments, they have it set to 90 and 60 days, and
> > maxPwdAge shows up as large negative numbers.
>
> > However, in the 3rd one, maxPwdAge is appearing as "15552000", which
> > calculates to 180 days in seconds.
>
> > Does anyone know why maxPwdAge would be a positive number in that one
> > environment, vs. large negative number in the other ones?
>
> The maxPwdAge attribute of the domain object is datatype Integer8, a 64-bi=
t
> value. The value corresponds to the age in 100-nanosecond intervals (not
> seconds). I'm used to handling this in VBScript using the IADsLargeInteger=

> interface, which has a HighPart and LowPart method that breaks the 64-bit
> value into two 32-bit values. The value is either 0 or a negative value,
> similar to an offset. Due to quirks in the way signed integers are handled=
,
> if the LowPart method returns a negative value, the value returned by the
> HighPart method should be increased by 1. I use the following VBScript cod=
e
> to convert maxPwdAge attribute to days:
> =3D=3D=3D=3D=3D=3D=3D=3D
> ' Determine domain maximum password age policy in days.
> Set objRootDSE =3D GetObject("LDAP://RootDSE")
> strDNSDomain =3D objRootDSE.Get("DefaultNamingContext")
> Set objDomain =3D GetObject("LDAP://" & strDNSDomain)
> Set objMaxPwdAge =3D objDomain.MaxPwdAge
>
> ' Account for bug in IADslargeInteger property methods.
> lngHighAge =3D objMaxPwdAge.HighPart
> lngLowAge =3D objMaxPwdAge.LowPart
> If (lngLowAge < 0) Then
> =A0 =A0 lngHighAge =3D lngHighAge + 1
> End If
> ' Convert to days.
> intMaxPwdAge =3D -((lngHighAge * 2^32) _
> =A0 =A0 + lngLowAge)/(600000000 * 1440)
> =3D=3D=3D=3D=3D=3D=3D=3D
> We don't know how your code converts the Integer8 value into seconds. It
> probably is flawed.
>
> As an example, in my domain ADSI Edit reveals that maxPwdAge
> is -37,108,517,437,440. My script reveals that HighPart returns -8640 and
> LowPart returns 0, which works out to the same number of 100-nanosecond
> intervals. This converts to 42.94967 days.
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab -http://www.rlmueller.net
> --



Richard,

Sorry that I didn't clarify, but the thing is, they're seeing that
"15552000" value in MIIS (or ILM now, I guess), i.e., it is the "raw"
value that they're getting for maxPwdAge.

The thing that we can't figure out is why just that one AD is coming
back with that value, whereas the other two environments have the more
normal "large negative number".

The effect of that "15552000" value for the maxPwdAge is that it is
throwing off the calculations that the MIIS rule extensions are doing
when calculating what it thinks are the password expiration dates for
users.

Is it possible that the "format" for maxPwdAge is different between
Windows versions, i.e., Win2K Server, Win2K3 server, and Win2K3 R2,
etc.?

Jim
Top

Re: What is value for maxPwdAge in AD (weird value in one of ours)? by ohaya

ohaya
Wed Apr 23 20:32:04 PDT 2008

On Apr 23, 11:21=A0pm, oh...@cox.net wrote:
> On Apr 23, 2:45=A0pm, "Richard Mueller [MVP]" <rlmueller-
>
>
>
>
>
> nos...@ameritech.nospam.net> wrote:
> > Jim wrote:
> > > We have some code that runs intermittently against our ADs in several
> > > environments (these "environments" are completely separate from each
> > > other), and it uses maxPwdAge to determine when the passwords for
> > > users are going to expire.
>
> > > In 2 of the environments, they have it set to 90 and 60 days, and
> > > maxPwdAge shows up as large negative numbers.
>
> > > However, in the 3rd one, maxPwdAge is appearing as "15552000", which
> > > calculates to 180 days in seconds.
>
> > > Does anyone know why maxPwdAge would be a positive number in that one
> > > environment, vs. large negative number in the other ones?
>
> > The maxPwdAge attribute of the domain object is datatype Integer8, a 64-=
bit
> > value. The value corresponds to the age in 100-nanosecond intervals (not=

> > seconds). I'm used to handling this in VBScript using the IADsLargeInteg=
er
> > interface, which has a HighPart and LowPart method that breaks the 64-bi=
t
> > value into two 32-bit values. The value is either 0 or a negative value,=

> > similar to an offset. Due to quirks in the way signed integers are handl=
ed,
> > if the LowPart method returns a negative value, the value returned by th=
e
> > HighPart method should be increased by 1. I use the following VBScript c=
ode
> > to convert maxPwdAge attribute to days:
> > =3D=3D=3D=3D=3D=3D=3D=3D
> > ' Determine domain maximum password age policy in days.
> > Set objRootDSE =3D GetObject("LDAP://RootDSE")
> > strDNSDomain =3D objRootDSE.Get("DefaultNamingContext")
> > Set objDomain =3D GetObject("LDAP://" & strDNSDomain)
> > Set objMaxPwdAge =3D objDomain.MaxPwdAge
>
> > ' Account for bug in IADslargeInteger property methods.
> > lngHighAge =3D objMaxPwdAge.HighPart
> > lngLowAge =3D objMaxPwdAge.LowPart
> > If (lngLowAge < 0) Then
> > =A0 =A0 lngHighAge =3D lngHighAge + 1
> > End If
> > ' Convert to days.
> > intMaxPwdAge =3D -((lngHighAge * 2^32) _
> > =A0 =A0 + lngLowAge)/(600000000 * 1440)
> > =3D=3D=3D=3D=3D=3D=3D=3D
> > We don't know how your code converts the Integer8 value into seconds. It=

> > probably is flawed.
>
> > As an example, in my domain ADSI Edit reveals that maxPwdAge
> > is -37,108,517,437,440. My script reveals that HighPart returns -8640 an=
d
> > LowPart returns 0, which works out to the same number of 100-nanosecond
> > intervals. This converts to 42.94967 days.
>
> > --
> > Richard Mueller
> > Microsoft MVP Scripting and ADSI
> > Hilltop Lab -http://www.rlmueller.net
> > --
>
> Richard,
>
> Sorry that I didn't clarify, but the thing is, they're seeing that
> "15552000" value in MIIS (or ILM now, I guess), i.e., it is the "raw"
> value that they're getting for maxPwdAge.
>
> The thing that we can't figure out is why just that one AD is coming
> back with that value, whereas the other two environments have the more
> normal "large negative number".
>
> The effect of that "15552000" value for the maxPwdAge is that it is
> throwing off the calculations that the MIIS rule extensions are doing
> when calculating what it thinks are the password expiration dates for
> users.
>
> Is it possible that the "format" for maxPwdAge is different between
> Windows versions, i.e., Win2K Server, Win2K3 server, and Win2K3 R2,
> etc.?
>
> Jim- Hide quoted text -
>
> - Show quoted text -



Hi,

I just ran across this thread (hope the link works):

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=3Dmicr=
osoft.public.win2000.active_directory&tid=3Deedcd917-1bd0-457f-8434-f9f6bab0=
d5d2&cat=3D&lang=3D&cr=3D&sloc=3D&p=3D1

where it says the output of an adfind should include:

maxPwdAge: -155520000000000

I wonder if our guy or MIIS is somehow dropping the minus ("-")?

Also, the thread doesn't state it explicitly, but that seems to be on
Win2K3?

Jim
Top

Re: What is value for maxPwdAge in AD (weird value in one of ours)? by ohaya

ohaya
Thu Apr 24 04:32:46 PDT 2008



ohaya@cox.net wrote:
> On Apr 23, 11:21 pm, oh...@cox.net wrote:
>
>>On Apr 23, 2:45 pm, "Richard Mueller [MVP]" <rlmueller-
>>
>>
>>
>>
>>
>>nos...@ameritech.nospam.net> wrote:
>>
>>>Jim wrote:
>>>
>>>>We have some code that runs intermittently against our ADs in several
>>>>environments (these "environments" are completely separate from each
>>>>other), and it uses maxPwdAge to determine when the passwords for
>>>>users are going to expire.
>>
>>>>In 2 of the environments, they have it set to 90 and 60 days, and
>>>>maxPwdAge shows up as large negative numbers.
>>
>>>>However, in the 3rd one, maxPwdAge is appearing as "15552000", which
>>>>calculates to 180 days in seconds.
>>
>>>>Does anyone know why maxPwdAge would be a positive number in that one
>>>>environment, vs. large negative number in the other ones?
>>
>>>The maxPwdAge attribute of the domain object is datatype Integer8, a 64-bit
>>>value. The value corresponds to the age in 100-nanosecond intervals (not
>>>seconds). I'm used to handling this in VBScript using the IADsLargeInteger
>>>interface, which has a HighPart and LowPart method that breaks the 64-bit
>>>value into two 32-bit values. The value is either 0 or a negative value,
>>>similar to an offset. Due to quirks in the way signed integers are handled,
>>>if the LowPart method returns a negative value, the value returned by the
>>>HighPart method should be increased by 1. I use the following VBScript code
>>>to convert maxPwdAge attribute to days:
>>>========
>>>' Determine domain maximum password age policy in days.
>>>Set objRootDSE = GetObject("LDAP://RootDSE")
>>>strDNSDomain = objRootDSE.Get("DefaultNamingContext")
>>>Set objDomain = GetObject("LDAP://" & strDNSDomain)
>>>Set objMaxPwdAge = objDomain.MaxPwdAge
>>
>>>' Account for bug in IADslargeInteger property methods.
>>>lngHighAge = objMaxPwdAge.HighPart
>>>lngLowAge = objMaxPwdAge.LowPart
>>>If (lngLowAge < 0) Then
>>> lngHighAge = lngHighAge + 1
>>>End If
>>>' Convert to days.
>>>intMaxPwdAge = -((lngHighAge * 2^32) _
>>> + lngLowAge)/(600000000 * 1440)
>>>========
>>>We don't know how your code converts the Integer8 value into seconds. It
>>>probably is flawed.
>>
>>>As an example, in my domain ADSI Edit reveals that maxPwdAge
>>>is -37,108,517,437,440. My script reveals that HighPart returns -8640 and
>>>LowPart returns 0, which works out to the same number of 100-nanosecond
>>>intervals. This converts to 42.94967 days.
>>
>>>--
>>>Richard Mueller
>>>Microsoft MVP Scripting and ADSI
>>>Hilltop Lab -http://www.rlmueller.net
>>>--
>>
>>Richard,
>>
>>Sorry that I didn't clarify, but the thing is, they're seeing that
>>"15552000" value in MIIS (or ILM now, I guess), i.e., it is the "raw"
>>value that they're getting for maxPwdAge.
>>
>>The thing that we can't figure out is why just that one AD is coming
>>back with that value, whereas the other two environments have the more
>>normal "large negative number".
>>
>>The effect of that "15552000" value for the maxPwdAge is that it is
>>throwing off the calculations that the MIIS rule extensions are doing
>>when calculating what it thinks are the password expiration dates for
>>users.
>>
>>Is it possible that the "format" for maxPwdAge is different between
>>Windows versions, i.e., Win2K Server, Win2K3 server, and Win2K3 R2,
>>etc.?
>>
>>Jim- Hide quoted text -
>>
>>- Show quoted text -
>
>
>
>
> Hi,
>
> I just ran across this thread (hope the link works):
>
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.win2000.active_directory&tid=eedcd917-1bd0-457f-8434-f9f6bab0d5d2&cat=&lang=&cr=&sloc=&p=1
>
> where it says the output of an adfind should include:
>
> maxPwdAge: -155520000000000
>
> I wonder if our guy or MIIS is somehow dropping the minus ("-")?
>
> Also, the thread doesn't state it explicitly, but that seems to be on
> Win2K3?
>
> Jim


Hi,

I got more info this morning. Apparently, on the system that they said
was showing the "15552000" for maxPwdAge, they had gotten that value by
using ldp, whereas on the other two environments, the large negative
values came from using MIIS/ILM.

So, maybe ldp itself is re-formatting the raw maxPwdAge value for display?

Jim

Top

Re: What is value for maxPwdAge in AD (weird value in one of ours)? by Richard

Richard
Thu Apr 24 08:06:31 PDT 2008


"ohaya" <ohaya@cox.net> wrote in message
news:O%23Alq7fpIHA.3568@TK2MSFTNGP04.phx.gbl...

> I got more info this morning. Apparently, on the system that they said
> was showing the "15552000" for maxPwdAge, they had gotten that value by
> using ldp, whereas on the other two environments, the large negative
> values came from using MIIS/ILM.
>
> So, maybe ldp itself is re-formatting the raw maxPwdAge value for display?
>
> Jim
>

When I use ldp to retrieve the maxPwdAge the value displayed is a negative
number. Could someone have ignored the leading "-"?

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--


Top

Re: What is value for maxPwdAge in AD (weird value in one of ours)? by ohaya

ohaya
Thu Apr 24 18:01:35 PDT 2008



Richard Mueller [MVP] wrote:
> "ohaya" <ohaya@cox.net> wrote in message
> news:O%23Alq7fpIHA.3568@TK2MSFTNGP04.phx.gbl...
>
>
>>I got more info this morning. Apparently, on the system that they said
>>was showing the "15552000" for maxPwdAge, they had gotten that value by
>>using ldp, whereas on the other two environments, the large negative
>>values came from using MIIS/ILM.
>>
>>So, maybe ldp itself is re-formatting the raw maxPwdAge value for display?
>>
>>Jim
>>
>
>
> When I use ldp to retrieve the maxPwdAge the value displayed is a negative
> number. Could someone have ignored the leading "-"?
>


Richard,

I thought that I had this figured out (i.e., that ldp was displaying the
"converted" positive #) until I saw your post above :(...

I tried ldp on two different machines, and ldp shows positive numbers
for maxPwdAge in both cases, e.g., here's one:

Expanding base 'dc=itf,dc=XXX'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: dc=itf,dc=XXX
3> objectClass: top; domain; domainDNS;
1> distinguishedName: DC=itf,DC=XXX;
1> instanceType: 0x5 = ( DS_INSTANCETYPE_IS_NC_HEAD | IT_WRITE );
1> whenCreated: 01/29/2007 18:34:00 Eastern Standard Time Eastern
Daylight Time;
1> whenChanged: 01/29/2007 18:55:00 Eastern Standard Time Eastern
Daylight Time;
3> subRefs: DC=ForestDnsZones,DC=itf,DC=XXX;
DC=DomainDnsZones,DC=itf,DC=XXX; CN=Configuration,DC=itf,DC=XXX;
1> uSNCreated: 4098;
1> uSNChanged: 12513;
1> name: itf;
1> objectGUID: 29aff19a-41c2-407c-9abb-2e96ce41b888;
1> creationTime: 01/29/2007 18:54:05 Eastern Standard Time Eastern
Daylight Time;
1> forceLogoff: -9223372036854775808 (none);
1> lockoutDuration: 1800;
1> lockOutObservationWindow: 1800;
1> lockoutThreshold: 0;
1> maxPwdAge: 3710851;
1> minPwdAge: 86400;
1> minPwdLength: 7;
1> modifiedCountAtLastProm: 0;

On the other hand, ldifde shows the raw large negative numbers:

dn: DC=itf,DC=XXX
changetype: add
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=itf,DC=XXX
instanceType: 5
whenCreated: 20070129233400.0Z
whenChanged: 20070129235500.0Z
subRefs: DC=ForestDnsZones,DC=itf,DC=XXX
subRefs: DC=DomainDnsZones,DC=itf,DC=XXX
subRefs: CN=Configuration,DC=itf,DC=XXX
uSNCreated: 4098
uSNChanged: 12513
name: itf
objectGUID:: mvGvKcJBfECauy6WzkG4iA==
creationTime: 128145884454386704
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -37108517437440
minPwdAge: -864000000000
minPwdLength: 7

I guess that now I'm getting really confused :)!!

Jim

Top

Re: What is value for maxPwdAge in AD (weird value in one of ours)? by Richard

Richard
Thu Apr 24 20:30:55 PDT 2008

I was testing on a Windows 2000 Server with the version of ldp that comes
with the Support Tools for that OS. I got the correct negative value. I
repeated on a Windows 2003 Server and got the same result as you, the value
"3710851" when it should be "-37108517437440". I get the correct value if I
use ADSIEdit. I also get the correct value if I use a VBScript program. It
looks like a bug in ldp to me, at least the version that comes with W2k3. I
searched and found no other reports of this, but found a thread where
someone pasted the output from ldp and it had this same value.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"ohaya" <ohaya@cox.net> wrote in message
news:%23CZ3n$mpIHA.4280@TK2MSFTNGP02.phx.gbl...
>
>
> Richard Mueller [MVP] wrote:
>> "ohaya" <ohaya@cox.net> wrote in message
>> news:O%23Alq7fpIHA.3568@TK2MSFTNGP04.phx.gbl...
>>
>>
>>>I got more info this morning. Apparently, on the system that they said
>>>was showing the "15552000" for maxPwdAge, they had gotten that value by
>>>using ldp, whereas on the other two environments, the large negative
>>>values came from using MIIS/ILM.
>>>
>>>So, maybe ldp itself is re-formatting the raw maxPwdAge value for
>>>display?
>>>
>>>Jim
>>>
>>
>>
>> When I use ldp to retrieve the maxPwdAge the value displayed is a
>> negative number. Could someone have ignored the leading "-"?
>>
>
>
> Richard,
>
> I thought that I had this figured out (i.e., that ldp was displaying the
> "converted" positive #) until I saw your post above :(...
>
> I tried ldp on two different machines, and ldp shows positive numbers for
> maxPwdAge in both cases, e.g., here's one:
>
> Expanding base 'dc=itf,dc=XXX'...
> Result <0>: (null)
> Matched DNs:
> Getting 1 entries:
> >> Dn: dc=itf,dc=XXX
> 3> objectClass: top; domain; domainDNS;
> 1> distinguishedName: DC=itf,DC=XXX;
> 1> instanceType: 0x5 = ( DS_INSTANCETYPE_IS_NC_HEAD | IT_WRITE );
> 1> whenCreated: 01/29/2007 18:34:00 Eastern Standard Time Eastern Daylight
> Time;
> 1> whenChanged: 01/29/2007 18:55:00 Eastern Standard Time Eastern Daylight
> Time;
> 3> subRefs: DC=ForestDnsZones,DC=itf,DC=XXX;
> DC=DomainDnsZones,DC=itf,DC=XXX; CN=Configuration,DC=itf,DC=XXX;
> 1> uSNCreated: 4098;
> 1> uSNChanged: 12513;
> 1> name: itf;
> 1> objectGUID: 29aff19a-41c2-407c-9abb-2e96ce41b888;
> 1> creationTime: 01/29/2007 18:54:05 Eastern Standard Time Eastern
> Daylight Time;
> 1> forceLogoff: -9223372036854775808 (none);
> 1> lockoutDuration: 1800;
> 1> lockOutObservationWindow: 1800;
> 1> lockoutThreshold: 0;
> 1> maxPwdAge: 3710851;
> 1> minPwdAge: 86400;
> 1> minPwdLength: 7;
> 1> modifiedCountAtLastProm: 0;
>
> On the other hand, ldifde shows the raw large negative numbers:
>
> dn: DC=itf,DC=XXX
> changetype: add
> objectClass: top
> objectClass: domain
> objectClass: domainDNS
> distinguishedName: DC=itf,DC=XXX
> instanceType: 5
> whenCreated: 20070129233400.0Z
> whenChanged: 20070129235500.0Z
> subRefs: DC=ForestDnsZones,DC=itf,DC=XXX
> subRefs: DC=DomainDnsZones,DC=itf,DC=XXX
> subRefs: CN=Configuration,DC=itf,DC=XXX
> uSNCreated: 4098
> uSNChanged: 12513
> name: itf
> objectGUID:: mvGvKcJBfECauy6WzkG4iA==
> creationTime: 128145884454386704
> forceLogoff: -9223372036854775808
> lockoutDuration: -18000000000
> lockOutObservationWindow: -18000000000
> lockoutThreshold: 0
> maxPwdAge: -37108517437440
> minPwdAge: -864000000000
> minPwdLength: 7
>
> I guess that now I'm getting really confused :)!!
>
> Jim
>


Top

Re: What is value for maxPwdAge in AD (weird value in one of ours)? by ohaya

ohaya
Thu Apr 24 21:30:24 PDT 2008

Richard,

AHH! Ok, I also just ran ldp on a Win2K AD instance, and got the
negative number.

I guess it (displaying the positive #) is a "feature" in the Win2K3
ldp.exe :)??

Thanks for helping clear that up!

Jim




Richard Mueller [MVP] wrote:
> I was testing on a Windows 2000 Server with the version of ldp that comes
> with the Support Tools for that OS. I got the correct negative value. I
> repeated on a Windows 2003 Server and got the same result as you, the value
> "3710851" when it should be "-37108517437440". I get the correct value if I
> use ADSIEdit. I also get the correct value if I use a VBScript program. It
> looks like a bug in ldp to me, at least the version that comes with W2k3. I
> searched and found no other reports of this, but found a thread where
> someone pasted the output from ldp and it had this same value.
>

Top

Re: What is value for maxPwdAge in AD (weird value in one of ours)? by Richard

Richard
Fri Apr 25 05:50:24 PDT 2008

The correct value is displayed by ldp if you select "binary" in
Options/General/Value Parsing. The problem is with the custom parser used
for these attributes (maxPwdAge and minPwdAge). For example, a custom parser
converts the pwdLastSet attribute correctly to a date/time in the current
time zone. The parser for these two attributes appear to be handling them as
if they are 32-bit integers rather than 64-bit.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"ohaya" <ohaya@cox.net> wrote in message
news:eiqkT0opIHA.2064@TK2MSFTNGP05.phx.gbl...
> Richard,
>
> AHH! Ok, I also just ran ldp on a Win2K AD instance, and got the negative
> number.
>
> I guess it (displaying the positive #) is a "feature" in the Win2K3
> ldp.exe :)??
>
> Thanks for helping clear that up!
>
> Jim
>
>
>
>
> Richard Mueller [MVP] wrote:
>> I was testing on a Windows 2000 Server with the version of ldp that comes
>> with the Support Tools for that OS. I got the correct negative value. I
>> repeated on a Windows 2003 Server and got the same result as you, the
>> value "3710851" when it should be "-37108517437440". I get the correct
>> value if I use ADSIEdit. I also get the correct value if I use a VBScript
>> program. It looks like a bug in ldp to me, at least the version that
>> comes with W2k3. I searched and found no other reports of this, but found
>> a thread where someone pasted the output from ldp and it had this same
>> value.
>>
>


Top

Re: What is value for maxPwdAge in AD (weird value in one of ours)? by ohaya

ohaya
Fri Apr 25 14:31:32 PDT 2008

Richard,

Great! Thanks for the info!

Jim



Richard Mueller [MVP] wrote:
> The correct value is displayed by ldp if you select "binary" in
> Options/General/Value Parsing. The problem is with the custom parser used
> for these attributes (maxPwdAge and minPwdAge). For example, a custom parser
> converts the pwdLastSet attribute correctly to a date/time in the current
> time zone. The parser for these two attributes appear to be handling them as
> if they are 32-bit integers rather than 64-bit.
>

Top

Re: What is value for maxPwdAge in AD (weird value in one of ours)? by Richard

Richard
Fri Apr 25 16:14:57 PDT 2008

The value displayed by ldp on W2k3 servers is not in error, just not clear.
It is the max password age in seconds. ldp on W2k8 displays the value as a
duration in dd:hh:mm:ss format. ldp on W2k shows the value in 100-nanosecond
intervals.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"ohaya" <ohaya@cox.net> wrote in message
news:uNKw4uxpIHA.4292@TK2MSFTNGP04.phx.gbl...
> Richard,
>
> Great! Thanks for the info!
>
> Jim
>
>
>
> Richard Mueller [MVP] wrote:
>> The correct value is displayed by ldp if you select "binary" in
>> Options/General/Value Parsing. The problem is with the custom parser used
>> for these attributes (maxPwdAge and minPwdAge). For example, a custom
>> parser converts the pwdLastSet attribute correctly to a date/time in the
>> current time zone. The parser for these two attributes appear to be
>> handling them as if they are 32-bit integers rather than 64-bit.
>>
>


Top