[Samba] query account expired state

Rowland Penny rpenny at samba.org
Sat Oct 28 07:37:32 UTC 2023

On Fri, 27 Oct 2023 23:48:22 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> Hi Team,
> Is it possible to make a LDAP-query that returns whether an account
> is expired or not?
> I am aware that it is possible to do the maths against the 
> "accountExpires" attribute, but that requires some scripting around
> the query.
> - Kees.

Would that it were so simple.

There is a flag 'ADS_UF_PASSWORD_EXPIRED' in the userAccountControl
attribute, but you would have to obtain the value from that attribute
and check if '8388608' is set; I am not sure if Samba uses this.

Windows has replaced the above with the aptly named
'ms-DS-User-Password-Expired' attribute which, as far as I can tell,
Samba knows nothing about.

So, you are left with a couple of options:
Check if the 'computed' attribute 'msDS-UserPasswordExpiryTimeComputed'
exists and if it does, turn that into a Unix date.
Or calculate the expiry time from the contents of the 'maxPwdAge' and
the account's 'pwdLastSet' attributes.
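The two options above, plus the accountExpires check from the original question, carried through in code. This is an added example, not code from Samba or from either poster. It assumes the attribute values are the decimal strings ldapsearch prints (Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC), that the domain's maxPwdAge has already been read from the domain root object, and the sample users and the 42-day maxPwdAge are constructed for illustration.

```python
"""Decide from raw LDAP attributes whether an AD/Samba account, or its
password, has expired.  Added example, not code from Samba or from the
poster.  Attribute values are assumed to be the decimal strings ldapsearch
prints (Windows FILETIME: 100-ns ticks since 1601-01-01 UTC); the domain
maxPwdAge is assumed to have been read from the domain root object.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INT64_MAX = 0x7FFF_FFFF_FFFF_FFFF          # accountExpires / expiry "never" sentinel
INT64_MIN = -0x8000_0000_0000_0000         # maxPwdAge "no maximum" sentinel
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_PASSWORD_EXPIRED = 0x800000             # decimal 8388608, the bit named in the reply

ALREADY_EXPIRED = FILETIME_EPOCH           # stands in for "expired before any real timestamp"


def utc(iso_text):
    """'2023-10-27T21:48:22' -> aware UTC datetime (CLI/test convenience)."""
    return datetime.fromisoformat(iso_text).replace(tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime.  Callers must
    strip the sentinel values first; 2^63-1 does not fit in a timedelta."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def account_expired(entry, now):
    """accountExpires: 0 and INT64_MAX both mean 'never expires'."""
    ticks = int(entry.get("accountExpires", "0"))
    if ticks in (0, INT64_MAX):
        return False
    return filetime_to_datetime(ticks) <= now


def uac_flags_password_expired(entry):
    """The userAccountControl bit the reply mentions.  Not relied on below,
    since the reply is unsure whether Samba maintains it."""
    return bool(int(entry.get("userAccountControl", "0")) & UF_PASSWORD_EXPIRED)


def password_expiry(entry, max_pwd_age_ticks):
    """Return when the password expires, or None if it never does.

    Order of precedence:
      1. UF_DONT_EXPIRE_PASSWD in userAccountControl -> never.
      2. pwdLastSet == 0 -> must change at next logon, i.e. already expired.
      3. msDS-UserPasswordExpiryTimeComputed, if the server returned it.
      4. pwdLastSet minus maxPwdAge (maxPwdAge is stored as a negative interval).
    """
    uac = int(entry.get("userAccountControl", "0"))
    if uac & UF_DONT_EXPIRE_PASSWD:
        return None
    pwd_last_set = int(entry.get("pwdLastSet", "0"))
    if pwd_last_set == 0:
        return ALREADY_EXPIRED
    computed = entry.get("msDS-UserPasswordExpiryTimeComputed")
    if computed is not None:
        ticks = int(computed)
        if ticks == 0:
            return ALREADY_EXPIRED
        return None if ticks == INT64_MAX else filetime_to_datetime(ticks)
    max_age = int(max_pwd_age_ticks)
    if max_age in (0, INT64_MIN):           # domain policy: passwords never expire
        return None
    return filetime_to_datetime(pwd_last_set - max_age)


def password_expired(entry, max_pwd_age_ticks, now):
    expiry = password_expiry(entry, max_pwd_age_ticks)
    return expiry is not None and expiry <= now


# Constructed sample data shaped like ldapsearch output.  2023-10-01T00:00Z is
# FILETIME 133405920000000000; 42 days is -36288000000000 ticks as maxPwdAge.
MAX_PWD_AGE = "-36288000000000"
SAMPLE_USERS = {
    "alice": {"userAccountControl": "512", "pwdLastSet": "133405920000000000", "accountExpires": "0"},
    "bob":   {"userAccountControl": "66048", "pwdLastSet": "133405920000000000",
              "accountExpires": "9223372036854775807"},                    # 66048 = 512 | DONT_EXPIRE
    "carol": {"userAccountControl": "512", "pwdLastSet": "0", "accountExpires": "0"},
    "dave":  {"userAccountControl": "512", "pwdLastSet": "133405920000000000",
              "msDS-UserPasswordExpiryTimeComputed": "133442208000000000",  # 2023-11-12T00:00Z
              "accountExpires": "133405920000000000"},                      # account expired 2023-10-01
}

if __name__ == "__main__":
    now = utc("2023-10-27T21:48:22")      # time of the original question, in UTC
    for name, attrs in SAMPLE_USERS.items():
        print(f"{name:6} account_expired={account_expired(attrs, now)!s:5} "
              f"password_expired={password_expired(attrs, MAX_PWD_AGE, now)!s:5} "
              f"expires={password_expiry(attrs, MAX_PWD_AGE)}")
```

Two things to keep in mind when feeding this real data: msDS-UserPasswordExpiryTimeComputed is a constructed attribute, so it only comes back when it is named explicitly in the ldapsearch attribute list (and whether a given Samba version returns it at all is exactly the "check if it exists" step the reply describes); and accountExpires and password expiry are independent, so an account can be valid with an expired password and vice versa.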

