0 votes

We are using the Builtin scheduled task to let our domain users know when their password will expire in the next 2 weeks.
As in ...
If password will expire in less than 14 days AND
account is enabled then
Send e-mail notification (Password Expiration Notification)

It works great for the masses but we find multiple entries in the Event log referencing an error when the task runs.

As in...
Softerra.Adaxes.Adsi.DirectoryComException (0x80004005): Failed to calculate the password expiration date for ''wjpatterson (csu.org\Person\USER)''. ---> Softerra.Adaxes.Adsi.DirectoryComException (0x8007200A): You are not allowed to read 'objectClass' or 'objectGuid'' properties.

We understand that the service account running the task does not have permission to inspect these properties but do not understand why the task needs it.

Part of the puzzle seems to be related to the fact that for the majority of our user profiles, the expiration is computed and is displayed in the lower right of the Account tab of the user properties. For the users with this problem (like wjpatterson, above) the Password section has a N/A in it.

Regards,
Jim

by (20 points)

1 Answer

0 votes
by (216k points)

Hello Jim,

The issue is most probably related to Fine-Grained Password Policies. It looks like the account that you used to register the domain in Adaxes does not have sufficient permissions to read the container that stores fine-grained password policies for the domain. The Distinguished Name (DN) of the container is CN=Password Settings Container,CN=System,DC=domain,DC=com, where DC=domain,DC=com is the DN of your domain. The thing is that fine-grained password policies are also taken into account by the Scheduled Task. To be able to calculate the correct password expiration time, in case any fine-grained password policies are applied to a user, Adaxes needs to read the policies. To be able to bind to the AD objects that represent the policies, Adaxes needs the Object Class and Object GUID properties of the container that hosts them.

You need to grant that account appropriate permissions to read the container and its child objects.

0

Thanks for your reply.
Yes, I do understand that if we grant permission to the Adaxes account, it will be able to calculate the expiration using the policy attributes. What is strange is that this problem is happening for a very small number of accounts. For the other 95%, the password expiration is available and Adaxes performs the expiration notification without the need to access the policy attributes. Would you happen to know why Adaxes needs to compute the expiration for a subset of accounts? We don't see any attributes that stand out as unusual with this group.

BTW, we sure don't expect that you could troubleshoot our AD issue through an e-mail exchange. Just wondering if you have some experience that would give us a clue as to where to look.

Thanks
Jim

0

One more thing. Permission was granted to see the CN=Password Settings Container,CN=System,DC=domain,DC=com, where DC=domain,DC=com so I can navigate to that container and see the 'objectClass' and 'objectGuid'' properties. Adaxes still reports the error when I take the Password Policy link from the Password section of the Account Tab of a User Properties form for a few accounts. For all the other accounts, when I click on the link I can see the password policy definition. Any thoughts as to what might affect the policy retrieval based on individual account properties?

0

Hello Jim,

Most probably, fine-grained password policies are not applied to those 95% of users whose password expiration date is available. In such a case, the Default Domain Password Policy is used. The default password policy is stored in the domain object, and to view it, there is no need to access the Password Settings Container.

As for the users whose password expiration date you cannot view, please check that you granted permission to read not only the Password Settings Container, but also its child objects, because fine-grained password policies are stored as child objects under this container. Also, check whether you can view the fine-grained password policies in Adaxes. For information on how to view them, see steps 1-3 in the following help article: http://www.adaxes.com/help/?HowDoI.Mana ... olicy.html.
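The two checks the answer describes (which policy actually governs an account, and whether the service account can read the Password Settings Container and the PSO objects under it) can be run from PowerShell before touching Adaxes. The script below is an added example, not code from the thread or from Adaxes; it assumes the RSAT ActiveDirectory module is installed, that it is run under the account Adaxes uses for the domain, and it uses the user name from the thread (wjpatterson) as a placeholder.

```powershell
# Added example (not from the forum thread or from Adaxes).
# Assumptions: RSAT ActiveDirectory module available; run as the account that
# registered the domain in Adaxes; 'wjpatterson' is the user from the thread.
Import-Module ActiveDirectory

$sam      = 'wjpatterson'          # placeholder from the thread; substitute your own
$domainDN = (Get-ADDomain).DistinguishedName
$pscDN    = "CN=Password Settings Container,CN=System,$domainDN"

# 1. Which policy governs this user? msDS-ResultantPSO is a constructed attribute
#    holding the DN of the winning fine-grained policy, or nothing when the
#    Default Domain Password Policy (stored on the domain object) applies.
$user = Get-ADUser -Identity $sam -Properties 'msDS-ResultantPSO',
        'msDS-UserPasswordExpiryTimeComputed', 'PasswordNeverExpires', 'Enabled'
$pso = $user.'msDS-ResultantPSO'
if ($pso) { "Fine-grained policy applies: $pso" }
else      { "Default Domain Password Policy applies (no PSC access needed)" }

# 2. Expiry as the DC computes it. A value of Int64.MaxValue (or no value) means
#    the password does not expire, which is what shows up as N/A in the UI.
$expiryFt = $user.'msDS-UserPasswordExpiryTimeComputed'
if ($expiryFt -and $expiryFt -lt [long]::MaxValue) {
    "Password expires: " + [DateTime]::FromFileTime($expiryFt)
} else {
    "No computed expiry (N/A): PasswordNeverExpires=$($user.PasswordNeverExpires), Enabled=$($user.Enabled)"
}

# 3. Can the current account bind to the container and enumerate its child PSOs?
#    Reading objectClass/objectGUID is exactly what the error in the thread complains about.
try {
    $psc = Get-ADObject -Identity $pscDN -Properties objectClass, objectGUID -ErrorAction Stop
    "Container readable, objectGUID = $($psc.objectGUID)"

    $children = @(Get-ADObject -SearchBase $pscDN -SearchScope OneLevel `
                  -Filter 'objectClass -eq "msDS-PasswordSettings"' `
                  -Properties objectClass, objectGUID -ErrorAction Stop)
    "Readable PSO objects under the container: $($children.Count)"

    # The container itself may be readable while the PSO applied to this user is not.
    if ($pso -and -not ($children.DistinguishedName -contains $pso)) {
        "WARNING: the PSO applied to $sam is not readable by this account;" +
        " grant Read on $pscDN and its descendant objects"
    }
} catch {
    "Cannot read the container or its children: $($_.Exception.Message)"
}
```

Run it once as a normal admin and once as the Adaxes service account: if step 1 reports a fine-grained policy for exactly the users that show N/A, and step 3 fails or lists fewer PSOs under the service account, the missing Read permission on the container's child objects is the cause the answer describes.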

0

Thanks for your help. I think that clears things up beautifully.
Jim
