WORKAROUND 1
In the Web Interface it is possible to display the Fine-Grained Password Policy's value of password expiration by exposing the attribute msDS-UserPasswordExpiryTimeComputed.
In the Web Interface, do the following:
- Navigate to any user object as an ARS Administrator and select the link Click here to customize this form
- Select Account tab on the left
- Select Password Expires (pwdLastSet) and click Delete on the top menu
- Click Add Entry | Create
- Check both Show all possible properties and Show LDAP display names and find and select msDS-UserPasswordExpiryTimeComputed and then click Next
- In the Entry name and Entry Description fields enter Password expires.
- Check Render as DATE
- Click Finish
- On the new entry, click Edit and then check Read only
- Click Save
- Click Reload
- Click Exit
- Click Exit
- Click Account tab and confirm that the Fine-Grained Password Policy is showing the true password expiration value
WORKAROUND 2
In environments where msDS-UserPasswordExpiryTimeComputed is not present or does not have a value, it might be acceptable to post the raw value for pwdLastSet, which will only respect domain password policies.
Follow the steps from Workaround 1 above, but post pwdLastSet instead of msDS-UserPasswordExpiryTimeComputed in step 5.
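To check what the Web Interface should display under each workaround, the following added example (not part of the original article or of Active Roles) interprets the two attributes the way Active Directory stores them: 100-nanosecond intervals since 1601-01-01 UTC. The function name, the status strings, the use of the domain's maxPwdAge for the fallback and the sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF            # AD sentinel: password never expires
NO_MAX_AGE = -0x8000000000000000      # maxPwdAge value meaning "no maximum age"

def filetime_to_utc(ticks):
    """Convert 100-ns intervals since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_expiry(computed, pwd_last_set, domain_max_pwd_age):
    """Return (source attribute, status, expiry datetime or None).

    computed           -- msDS-UserPasswordExpiryTimeComputed, or None if the
                          attribute is absent or has no value (Workaround 2)
    pwd_last_set       -- pwdLastSet of the user
    domain_max_pwd_age -- maxPwdAge of the domain (negative 100-ns interval)
    """
    if computed is not None:
        # Workaround 1: the DC already applied any Fine-Grained Password Policy.
        src = "msDS-UserPasswordExpiryTimeComputed"
        if computed == NEVER:
            return (src, "never expires", None)
        if computed == 0:
            return (src, "must change", None)   # pwdLastSet is 0 or unset
        return (src, "expires", filetime_to_utc(computed))

    # Workaround 2: only pwdLastSet is available, so only the domain policy
    # can be applied. A Fine-Grained Password Policy is NOT reflected here.
    src = "pwdLastSet"
    if pwd_last_set == 0:
        return (src, "must change", None)
    if domain_max_pwd_age in (0, NO_MAX_AGE):
        return (src, "never expires", None)
    return (src, "expires", filetime_to_utc(pwd_last_set - domain_max_pwd_age))

# Constructed sample: password set 2024-01-01 UTC, domain policy 42 days,
# Fine-Grained Password Policy 90 days.
PWD_LAST_SET = 133485408000000000
DOMAIN_MAX_AGE = -36288000000000          # 42 days
FGPP_COMPUTED = 133563168000000000        # PWD_LAST_SET + 90 days

if __name__ == "__main__":
    for computed in (FGPP_COMPUTED, None, NEVER):
        print(password_expiry(computed, PWD_LAST_SET, DOMAIN_MAX_AGE))
```

For the constructed user, the computed attribute yields 2024-03-31 while the pwdLastSet fallback yields 2024-02-12, which is the gap a Fine-Grained Password Policy introduces when only the domain policy is considered.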
STATUS
The following Enhancement Request was created to possibly correct this in a future version of Active Roles:
Feature 421508: Update process for retrieving password expiry information from Active Directory.