ADAM contains functionality for handling password expiry. This is a property set on the user object, but it's a special kind of property.

ADAM and passwords
By default, ADAM uses the password policy and expiry times of the domain the ADAM server is a member of. If a password expires according to these policies, the user will no longer be able to log in.

The relevant fields are pwdLastSet and msDS-UserPasswordExpired. As you can guess, pwdLastSet is the date (in the form of an IADsLargeInteger) of the last password change. If the password has expired, msDS-UserPasswordExpired is set to true. This field is, however, a constructed field, and will thus not be visible during normal browsing in, say, LDP.

Detecting password expiry
To detect if the password has expired (or get the value of any constructed property), you have to use the RefreshCache method on the DirectoryEntry object (kudos to Lee Flight).
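// _userEntry is a DirectoryEntry bound to the ADAM user object.
bool isExpired = false;
if (_userEntry.Properties["msDS-UserPasswordExpired"].Value == null)
{
    // Constructed attributes are not in the property cache until requested by name.
    _userEntry.RefreshCache(new string[] { "msDS-UserPasswordExpired" });
}
if (_userEntry.Properties["msDS-UserPasswordExpired"].Value != null)
{
    // Still null after the refresh means the directory returned no value; isExpired stays false.
    isExpired = (bool)_userEntry.Properties["msDS-UserPasswordExpired"].Value;
}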
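
The same lookup extended to pwdLastSet, as an added example that is not from the original post: it requests both attributes in one RefreshCache call and decodes the IADsLargeInteger into a UTC DateTime. The class and method names and the LDAP path are hypothetical.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;

public static class AdamPasswordStatus   // hypothetical helper, not from the post
{
    // Returns the constructed expiry flag and the stored last-change time.
    public static void Read(DirectoryEntry user, out bool expired, out DateTime? lastSetUtc)
    {
        // Request both attributes by name in one call: the constructed one is
        // never loaded implicitly, and this way both are in the cache together.
        user.RefreshCache(new string[] { "msDS-UserPasswordExpired", "pwdLastSet" });

        object flag = user.Properties["msDS-UserPasswordExpired"].Value;
        expired = flag != null && (bool)flag;

        lastSetUtc = ToUtc(user.Properties["pwdLastSet"].Value);
    }

    // pwdLastSet arrives as a COM IADsLargeInteger: two 32-bit halves of a
    // 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC).
    private static DateTime? ToUtc(object largeInteger)
    {
        if (largeInteger == null) return null;             // attribute not set
        Type t = largeInteger.GetType();
        int high = (int)t.InvokeMember("HighPart", BindingFlags.GetProperty, null, largeInteger, null);
        int low = (int)t.InvokeMember("LowPart", BindingFlags.GetProperty, null, largeInteger, null);
        long fileTime = ((long)high << 32) | (uint)low;    // treat LowPart as unsigned
        if (fileTime <= 0) return null;                    // 0 holds no timestamp
        return DateTime.FromFileTimeUtc(fileTime);
    }

    public static void Main()
    {
        // Assumed ADAM instance, port and DN; replace with your own.
        string path = "LDAP://localhost:50000/CN=TestUser,OU=Users,O=Example,C=US";
        using (DirectoryEntry user = new DirectoryEntry(path))
        {
            bool expired;
            DateTime? lastSetUtc;
            Read(user, out expired, out lastSetUtc);
            Console.WriteLine("Expired: {0}, last set (UTC): {1}", expired,
                lastSetUtc.HasValue ? lastSetUtc.Value.ToString("u") : "(none)");
        }
    }
}
```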
Xopher
Thanks, I never would have figured that out.