
Does any event ID get generated when a user account's password expires? I was hoping to write a script that triggers on that event.

I did look around but did not find anything related to password expiration; I only found things related to account expiration.

patJR
  • Would you be open to a PowerShell script that would find expired users? – Cory Knutson May 10 '17 at 17:09
  • @CoryKnutson That information is something I already know how to extract. I was hoping to reset expired passwords as some event ID is generated (user by user) rather than reset all the expired accounts at once. Anyhow, thanks though – patJR May 10 '17 at 17:33
  • Off the top of my head, the only Event ID I can think of that is close to what you want is 4771. That Event ID is triggered when a user has a login failure. One of the reason codes is "0x17: Password has expired The user's password has expired". Again, not what you want. I know you want an event ID triggered when the user's password has expired. – Art.Vandelay05 May 10 '17 at 18:06
  • @Art.Vandelay05 Awesome. I will look into this ID. Could be useful actually. The reason for what I am trying to do is, we have an environment which is hardly accessed by users, so mostly when they do access it, their passwords are expired. So right now, I am thinking of the best solution to this issue. Thanks for the suggestion. – patJR May 10 '17 at 18:29
  • @patJR Cool. Glad to help out. – Art.Vandelay05 May 10 '17 at 18:43
  • Art.Vandelay05 is right, Windows doesn't log an event just because a password expires. You can intercept a failed logon event like he said, and filter based on the failure reason - which is password expired. The only other option would be to write a script which scans AD or the local account database to find any accounts for which the password is expired. – Lucky Luke May 11 '17 at 15:39
  • @LuckyLuke Yup, that is right. For Event 4771, do you know how I should enable this event? What setting in Group Policy, I mean? I don't see it in Event Viewer. Thanks – patJR May 11 '17 at 20:49
  • I believe you would need to add the following GP object: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Credential Validation. Let me know if that works. – Lucky Luke May 12 '17 at 14:25
  • @LuckyLuke You were really close. It's the /..../Account Logon/Audit Kerberos Authentication Service. This setting generated the 4771. But again, thanks for helping out. – patJR May 12 '17 at 19:10
  • Awesome, thanks for letting me know, glad it works now! – Lucky Luke May 17 '17 at 23:16
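Putting the thread's finding into practice, as an added example that is not from anyone in this thread: once the "Audit Kerberos Authentication Service" subcategory is enabled on the DCs, 4771 events can be narrowed to the ones whose failure code is 0x17 (password expired), which gives the per-user trigger the question asks for. Two constructed 4771 events are embedded in place of a live Security log so the script runs offline; the function name and the sample account names are my own.

```powershell
# Added example, not from the thread: keep only the 4771 (Kerberos pre-authentication
# failure) events whose failure code is 0x17 "password has expired". Live input on a DC
# with "Audit Kerberos Authentication Service" enabled would be:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771} | ForEach-Object { $_.ToXml() }
# Two constructed events are embedded below so the script runs offline.
function Get-ExpiredPasswordPreAuthFailure {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = [xml]$EventXml
        $id  = $evt.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }  # element form when EventID carries attributes
        if ([int]$id -ne 4771) { return }

        # Flatten <Data Name="...">value</Data> into a hashtable keyed on the Name attribute
        $data = @{}
        foreach ($d in $evt.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }

        # Status is a hex string such as "0x17"; compare numerically so "0X17" or "0x017" also match
        $status = $data['Status']
        if (-not $status -or [Convert]::ToInt32($status, 16) -ne 0x17) { return }

        [pscustomobject]@{
            TimeCreated    = [datetime]$evt.Event.System.TimeCreated.SystemTime
            TargetUserName = $data['TargetUserName']
            IpAddress      = $data['IpAddress']
            Status         = $status
        }
    }
}

# Constructed sample events (not real log data): jdoe's password expired, asmith typed a wrong one (0x18)
$expired = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4771</EventID>
    <TimeCreated SystemTime="2017-05-12T19:10:00.0000000Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="ServiceName">krbtgt/EXAMPLE</Data>
    <Data Name="Status">0x17</Data>
    <Data Name="IpAddress">::ffff:192.0.2.10</Data>
  </EventData>
</Event>
'@
$wrongPassword = $expired -replace 'jdoe', 'asmith' -replace '0x17', '0x18'

# Only jdoe comes out; a per-user reset or notification can be driven from this object
$expired, $wrongPassword | Get-ExpiredPasswordPreAuthFailure | Format-Table -AutoSize
```

Because 4771 is logged by whichever DC handled the authentication, the filter has to run against every DC's Security log (or a central collector) to see all users.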

2 Answers


In short, no.

A password expiration isn't really an event that happens. It's a calculation that DCs perform at the moment of authentication based on the attributes on the account and password policies that apply to the account. An account whose password is currently expired might no longer be expired if you change the policies surrounding maximum password age or add a flag that it never expires.

So if you're trying to write a script that does something with accounts that have expired passwords, you're going to have to do it as a point-in-time sort of calculation as well. If your AD is 2008 based or later, you have access to the msDS-UserPasswordExpiryTimeComputed constructed attribute, which basically takes into consideration everything that would contribute to a password's expiration and gives you a timestamp of when that user's password will expire (or has expired).

Ryan Bolger

Since these are Active Directory users you are talking about, why not query the domain instead of triggering on an event? There are scripts available that will find expiring accounts and even e-mail the user if you like.

I'm not sure what you intend to do once you find an expired password, but this PowerShell query will get you all enabled domain user accounts that have an expired password:

Get-ADUser -Filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -Properties PasswordNeverExpires,PasswordExpired | where {$_.PasswordExpired -eq $true}

It would be much easier to loop through the output of that command than running event id task triggers on all of your Domain Controllers (assuming you do have multiple Domain Controllers).

twconnell