Soon to expire password notifier -- error encountered.

Question

We are using the Builtin scheduled task to let our domain users know when their password will expire in the next 2 weeks.
As in ...
If password will expire in less than 14 days AND
account is enabled then
Send e-mail notification (Password Expiration Notification)

It works great for the masses but we find multiple entries in the Event log referencing an error when the task runs.

As in...
Softerra.Adaxes.Adsi.DirectoryComException (0x80004005): Failed to calculate the password expiration date for ''wjpatterson (csu.org\Person\USER)''. ---> Softerra.Adaxes.Adsi.DirectoryComException (0x8007200A): You are not allowed to read 'objectClass' or 'objectGuid'' properties.

We understand that the service account running the task does not have permission to inspect these properties but do not understand why the task needs it.

Part of the puzzle seems to be related to the fact that for the majority of our user profiles, the expiration is computed and is displayed in the lower right of the Account tab of the user properties. For the users with this problem (like wjpatterson, above) the Password section has a N/A in it.

Regards,
Jim

Answer 1

Hello Jim,

The issue is most probably related to Fine-Grained Password Policies. It looks like the account that you used to register the domain in Adaxes does not have sufficient permissions to read the container that stores fine-grained password policies for the domain. The Distinguished Name (DN) of the container is CN=Password Settings Container,CN=System,DC=domain,DC=com, where DC=domain,DC=com is the DN of your domain. The thing is that fine-grained password policies are also taken into account by the Scheduled Task. To be able to calculate the correct password expiration time, in cause if any fine-grained password policies are applied to a user, Adaxes needs to read the policies. To be able to bind to the AD objects that represent the policies, Adaxes needs the Object Class and Object GUID properties of the container that hosts them.

You need to grant that account appropriate permissions to read the container and its child objects.

Comments

THanks for your reply.
Yes, I do understand that if we grant permission to the Adaxes account, it will be able to calculate the expiration using the policy attributes. What is strange is that this problem is happening for a very small number of accounts. For the other 95%, the password expiration is available and Adaxes performs the expiration notification without the need to access the policy attributes. Would you happen to know why Adaxes needs to compute the expiration for a subset of accounts? We don't see any attributes that stand out as unusual with this group.

BTW, we sure don't expect that you could troubleshoot our AD issue through an e-mail exchange. Just wondering if you have some experience that would give us a clue as to where to look.

Thanks
Jim

---

One more thing. Permission was granted to see the CN=Password Settings Container,CN=System,DC=domain,DC=com, where DC=domain,DC=com so I can navigate to that container and see the 'objectClass' and 'objectGuid'' properties. Adaxes still reports the error when I take the Password Policy link from the Password section of the Account Tab of a User Properties form for a few accounts. For all the other accounts, when I click on the link I can see the password policy definition. Any thoughts as to what might affect the policy retrieval based on individual account properties.

---

Hello Jim,

Most probably, fine-grained password policies are not applied to those 95% of users whose password expiration date is available. In such a case, the Default Domain Password Policy is used. The default password policy is stored in the domain object, and to view it, there is no need to access the Password Settings Container.

As for the users whose password expiration date you cannot view, please check that you granted permission to read not only the Password Settings Container, but also its child objects, because fine-grained password policies are stored as child objects under this container. Also, check whether you can view the fine-grained password policies in Adaxes. For information on how to view them, see steps 1-3 in the following help article: http://www.adaxes.com/help/?HowDoI.Mana ... olicy.html.

---

Thanks for your help. I think that clears things up beautifully.
Jim