5

Here is my code:

using (DirectoryEntry AD = new DirectoryEntry("WinNT://" + Environment.MachineName + ",computer"))
{
    DirectoryEntry NewUser = AD.Children.Add(username, "user");
    string password = username + "123";
    NewUser.Invoke("SetPassword", new object[] { password });
    NewUser.CommitChanges();
    NewUser.Close();
    DirectoryEntry grp;
    grp = AD.Children.Find(groupname, "group");
    if (grp != null)
    {
        grp.Invoke("Add", new object[] { NewUser.Path.ToString() });
    }
}

What I want to do is create a Windows user and set the password to never expire, but I do not know how to do this.

Leslie
  • Check out this question on how to query for that, it should give you some clues: http://stackoverflow.com/questions/7246945/active-directory-check-if-password-never-expires – Preet Sangha Jun 14 '12 at 01:36

3 Answers

8

If you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

Basically, you can define a machine context and easily create new users on your local server:

// set up machine-level context
using (PrincipalContext ctx = new PrincipalContext(ContextType.Machine))
{
    // create new user
    UserPrincipal newUser = new UserPrincipal(ctx);

    // set some properties
    newUser.SamAccountName = "Sam";
    newUser.DisplayName = "Sam Doe";

    // define new user to be enabled and password never expires
    newUser.Enabled = true;
    newUser.PasswordNeverExpires = true;

    // save new user
    newUser.Save();
}

The new S.DS.AM makes it really easy to play around with users and groups in AD!

marc_s
5

*EDITED

For domain accounts:

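int NON_EXPIRE_FLAG = 0x10000; // ADS_UF_DONT_EXPIRE_PASSWD
// read the current flags, then OR in the bit so the other flags are preserved
int val = (int) NewUser.Properties["userAccountControl"].Value;
NewUser.Properties["userAccountControl"].Value = val | NON_EXPIRE_FLAG;
NewUser.CommitChanges();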

For local accounts:

I believe you'd use "UserFlags" instead of userAccountControl. Also, you would have to use the ADS_UF_DONT_EXPIRE_PASSWD flag instead of NON_EXPIRE_FLAG, as described in an article by Microsoft.

rehan
bkr
  • I have tried, but it does not work. By the way, the operating system is Windows Server 2003. Does it matter? – Leslie Jun 14 '12 at 04:56
  • Sorry, when getting NewUser.Properties["userAccountControl"].Value, the application throws a System.NullReferenceException.... – Leslie Jun 14 '12 at 05:27
  • I think for a local account the property is "userFlags" instead of "userAccountControl" (which is for domain accounts) – bkr Jun 14 '12 at 05:54
0

This is my code to resolve this issue:

// Add new user to OU
var username = "testuser_01";
var userDn = "LDAP://yourdomain.local:389/OU=testou,DC=yourdomain,DC=local"; // domain components use DC=, not CN=
var ouUserEntry = new DirectoryEntry(userDn, "yourAdminUser", "yourAdminPassword", AuthenticationTypes.Secure);
var newUserEntry = ouUserEntry.Children.Add("CN="+ username, "user");
newUserEntry.Properties["sAMAccountName"].Value = username;
newUserEntry.Properties["userPrincipalName"].Value = username + "@abc.com";
newUserEntry.Properties["displayName"].Value = username;

// Commit before enable account
newUserEntry.CommitChanges();

// Set password
newUserEntry.Invoke("SetPassword", "yourUserPassword");

// Enable account & password never expires: NORMAL_ACCOUNT (0x200) | DONT_EXPIRE_PASSWORD (0x10000)
newUserEntry.Properties["userAccountControl"].Value = 0x10200; // 66048; 66080 would also set PASSWD_NOTREQD (0x20)
newUserEntry.CommitChanges();
VnDevil
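
An added example, not code from any of the answers: a small C# helper that decodes a raw userAccountControl (domain) or UserFlags (local) integer into named flags, so a literal such as 66080 or 66048 can be checked before it is committed. The type and method names (UacFlags, UacAudit, RiskyBits, WithNeverExpires) are hypothetical; the bit values are the ADS_USER_FLAG_ENUM constants.

```csharp
using System;

// Hypothetical helper types for illustration; bit values are the documented
// ADS_USER_FLAG_ENUM constants shared by userAccountControl and UserFlags.
[Flags]
enum UacFlags
{
    AccountDisable               = 0x2,
    PasswdNotReqd                = 0x20,
    EncryptedTextPasswordAllowed = 0x80,
    NormalAccount                = 0x200,
    DontExpirePasswd             = 0x10000
}

static class UacAudit
{
    // Bits that weaken the account and should not ride along unnoticed.
    const UacFlags Risky = UacFlags.PasswdNotReqd | UacFlags.EncryptedTextPasswordAllowed;

    // Returns the risky flags present in a raw flag value.
    public static UacFlags RiskyBits(int raw) => (UacFlags)raw & Risky;

    // ORs in "password never expires" without touching other bits, and
    // refuses to hand back a value that carries a risky flag.
    public static int WithNeverExpires(int current)
    {
        int updated = current | (int)UacFlags.DontExpirePasswd;
        UacFlags risky = RiskyBits(updated);
        if (risky != 0)
            throw new InvalidOperationException($"refusing to write 0x{updated:X}: {risky}");
        return updated;
    }

    static void Main()
    {
        // Constructed sample values, not read from a real directory.
        foreach (int raw in new[] { 66080, 66048, 0x202 })
            Console.WriteLine($"{raw,6} = 0x{raw:X5} -> {(UacFlags)raw}; risky: {RiskyBits(raw)}");

        // A plain enabled account gains only the never-expires bit.
        Console.WriteLine(WithNeverExpires(0x200));

        // An account already flagged "password not required" is rejected.
        try { WithNeverExpires(0x220); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

Decoded this way, 66080 is NormalAccount, DontExpirePasswd and PasswdNotReqd, while 66048 is NormalAccount and DontExpirePasswd only.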