Length-based Password Aging

[ToxicDave]

Hey, it's me again.
As I'm very fascinated of this project, I got an idea for the length-based complexity rules.
I thought about an option, where you could set different password ages. (count of days, after which the password has to be changed)

That could be a great opportunity to allow people to still use smaller passwords, but also restricting them by letting their passwords expire faster.

To make this real, maybe the attribute "PwdLastSet" could be used, for example to be set a month before the actual change date. In my understanding, the password would then expire a month earlier.

$ReplaceHashTable = New-Object hashtable
$date = (Get-Date "16.05.2020").ToFileTime()  #Windows NT Time Format
$ReplaceHashTable.Add("PwdLastSet", $date)

Set-ADUser -Identity Dave -Replace $ReplaceHashTable

I tried this powershell commands, but it seems, that this attribute can be changed only to 0 or -1 from an admin.
0 => Password expires now
-1 => Password expires never

A system user may be able to change the attribute. Maybe the service of LPP is also able to do this.

[ryannewington]

I really like this concept. I would be a great addition to the tool as it goes with our ethos of allowing an organization to choose what a good password means to them.

You're right in that via LDAP you can only set pwdLastSet to 0/-1. All other values throw an error. There's no way I've found to adjust this value, no matter who you are. It seems to be set at a very low level, most likely internally in the directory service itself. For all that it is LDAP on the surface, there is a lot of hidden stuff going on underneath.

We'll have to think if there is another way to achieve this without relying on that attribute

[ToxicDave]

I've tried out some possible solutions now.

1. Changing the "pwdLastSet" attribute doesn't work, as already mentioned. The only way to make something up of it would be by turning the attribute to 0.

2. With net user < username > [/domain] you can see the Expiration date.

PS C:\Users\Administrator> net user dave /domain
User name                    dave
Full Name                    David --------
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            16/06/2020 08:18:48
Password expires             16/09/2020 08:18:48
Password changeable          16/06/2020 08:18:48
Password required            Yes
User may change password     Yes
...

But there is no way to change it...

3. I also tried to set the pwexpirationdate with WMIC, but there I only got the possibility to turn on or off, if a password can expire.

WMIC USERACCOUNT WHERE Name='administrator' SET PasswordExpires=FALSE

As I didn't find any solution on changing the "Password expires" (2) attribute, in Powershell I think the only solution would be a list or database within LPP. Then the "pwdLastSet" attribute or the default option on the useraccounts ("User must change password at next logon") needs to be changed by the LPP software or service.
Maybe another programming language could also change this attribute of the "net user"...

[ToxicDave]

Sooo,... I am not really sure what happens with this "issue" now.

Is it a feature request or will it be closed? I would say it's a feature request, but we have to find a way to achieve the goal.

[ryannewington]

@ToxicDave it will stay open as a feature request. I'm working on a new product at the moment, and hope to return to v2 of LPP soon. I'll look at options then.

[Techie4Life83]

Why not just use Fine Grain Password Policies? Isn't this kind of what you are doing already with having different requirements for different lengths of passwords?
https://www.lepide.com/blog/fine-grained-password-policy-best-practices/#:~:text=AD%20supports%20one%20set%20of,a%20separate%20domain%20for%20them.

Create the criteria in Lithnet, have Lithnet create the appropriate FGPPs and corresponding AD groups.
Then when a user submits their password you would remove them from all of the FGPP shadow groups and add them to the appropriate one for the password they put in.
Submit their password to AD after that and BOOM variable length password expiration.