
Password Last Set on Web Console

We have migrated to ARS 7 and no longer want to deploy the MMC to users/operators. They should only use the web console.

I have a request from operators: they want the equivalent of the "Additional account Info" tab in the web console.

I've customized the User Properties Form by adding a new Advanced Account info tab and adding different entries to it.

Now I'm stuck on how to add the Password Last Set property. Any help on how to do it would be greatly appreciated.

PS: I've found an old post about this on the forum but the link provided on the resolution is no longer available.

Regards

  • Active Roles computes the "Password Last Set" field based on the PWDLastSet attribute.


    This value is stored in Integer time format, also known as "LDAP/FILETIME".


    For example, 131167085140000000 is the current time of Fri, 26 Aug 2016 18:08:34 GMT

    In order to display this in a friendly format, you would have to script a solution and store the result in a virtual attribute as a string. This virtual attribute would then be displayed.

    The script itself should be fairly simple (unless you want to get into fancy time-zone and DST conversions - that can get pretty messy), and you can have it triggered by a Workflow so that updates to the PWDLastSet automatically fire off the script, which in turn updates your virtual attribute. You might also have to run a script to populate existing Users with a value for the new attribute. PowerShell has some solid time conversion methods, and would be a good choice for this implementation.

  • Terrance is spot on.

    Here's some code for your workflow script activity:

    # Grab the GUID of the user whose password was just changed - $Request is the built-in ARS transaction object

    $MyUser = $Request.GUID

    # Get the friendly version of the LastPwdSet time

    $FriendlyLastPwdSet = ($(get-qaduser -identity $MyUser).passwordlastset).tostring("F")

    ...will yield

    August 26, 2016 06:45:05 PM (or the local language equivalent) ***

    As Terrance suggested, you can take this value and stamp it to a virtual attribute of your own creation - edsvaPwdLastSetFriendly would be a good name. So...

    Set-QADUser -identity $MyUser -proxy -objectattributes @{edsvaPwdLastSetFriendly=$FriendlyLastPwdSet}

     

    *** The "F" in the tostring() method above comes from the table found here:

    msdn.microsoft.com/.../az4se3k1(v=vs.110).aspx

     

     

  • Thanks Terrance and Johhnnyquest for your answers. I'll try to implement it in the following days.

    First I'll have to find out how to create a virtual attribute, then write the workflow script, and finally add it to the web interface. I'll let you know if I need more help or if I succeed.

  • Thanks to you the solution is in place and working.

    There is one last thing: how do I automatically update the virtual attribute when a user changes his password at logon or by pressing CTRL+ALT+DEL? In that case Quest doesn't detect the change and the workflow doesn't fire up.

    I can schedule a task to run every morning but I may still have inaccurate info during the day.

    Thanks for your help.
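
An added example (not code from any poster in this thread or from the Active Roles product) for the population script mentioned in the first answer and the scheduled catch-up run mentioned in the last post: it converts raw pwdLastSet values and reports only the users whose virtual attribute is out of date, including the pwdLastSet = 0 case. The function names, the fixed UTC output format (used here instead of the "F" format), and the sample objects are assumptions constructed for illustration.

```powershell
# Added example. All input objects below are constructed samples, not real directory data.

function ConvertFrom-PwdLastSet {
    param([long]$FileTime)
    # 0 is not a date: it means the user must change the password at next logon.
    if ($FileTime -eq 0) { return 'Must change at next logon' }
    try {
        # pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC (FILETIME).
        $utc = [DateTime]::FromFileTimeUtc($FileTime)
    } catch {
        return 'Invalid value'   # negative or out-of-range input
    }
    # Fixed culture and explicit UTC so every operator sees the same string,
    # which avoids the time-zone and DST issues mentioned in the thread.
    return $utc.ToString("yyyy-MM-dd HH:mm:ss 'UTC'",
        [Globalization.CultureInfo]::InvariantCulture)
}

function Get-StaleFriendlyValue {
    param([Parameter(ValueFromPipeline)]$User)
    process {
        $expected = ConvertFrom-PwdLastSet -FileTime ([long]$User.pwdLastSet)
        # Emit only users whose stored string no longer matches pwdLastSet,
        # so a scheduled run writes as few objects as possible.
        if ($User.edsvaPwdLastSetFriendly -ne $expected) {
            [pscustomobject]@{ Identity = $User.DN; NewValue = $expected }
        }
    }
}

# Constructed sample input (hypothetical DNs under example.com).
$sample = @(
    # Attribute already matches: no update needed.
    [pscustomobject]@{ DN = 'CN=Alice,OU=Demo,DC=example,DC=com'
        pwdLastSet = 131167085140000000; edsvaPwdLastSetFriendly = '2016-08-26 18:08:34 UTC' }
    # Password changed outside the workflow: stored string is stale.
    [pscustomobject]@{ DN = 'CN=Bob,OU=Demo,DC=example,DC=com'
        pwdLastSet = 131167085140000000; edsvaPwdLastSetFriendly = '2016-08-01 09:00:00 UTC' }
    # Never populated, and flagged to change password at next logon.
    [pscustomobject]@{ DN = 'CN=Carol,OU=Demo,DC=example,DC=com'
        pwdLastSet = 0; edsvaPwdLastSetFriendly = $null }
)

# Lists Bob and Carol. In a real run each row would be written with the
# Set-QADUser -Identity ... -Proxy -ObjectAttributes @{edsvaPwdLastSetFriendly=...}
# call shown earlier in the thread.
$sample | Get-StaleFriendlyValue | Format-Table -AutoSize
```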