#205815 - 2012-09-26 02:37 PM Detect a password change within last 5 minutes only
ADynes Offline
Starting to like KiXtart
*****

Registered: 2003-10-31
Posts: 184
Loc: Ohio
Our company has a unique setup in which we have our own domain with user IDs and passwords and then a "parent" company domain (no trust relationship) that has its own set of users and passwords. Long story short, the user IDs are the same on each side and both sides' passwords expire after 90 days.

On our side you get your normal "Your password will expire in xx days" prompt and users can just change it. To change the other domain password we go to a website. Problem is a lot of users "forget" as they don't use the other system every day, then their accounts get locked out. I would like to prompt the user and ask them if they'd like to visit the password reset site on login.

So I was going to use something simple like this:

If (@MAXPWAGE-@PWAGE)=90
	$MessageResponse=MessageBox("It appears you have just changed your password. Would you like to visit the xxxxx site to change your xxxxx password also?","Password Change Detected",4132,0)
	If $MessageResponse=6
		Run "%comspec% /c start https://password.xxxxxxx.com/"
	EndIf
EndIf

Problem is I don't want to "repeat" this prompt if they reboot that day or login early the next day. I found some VB script code that will let me detect down to a minute range how old the current password is but I'm not sure how to implement that (it's attached).

Is there an easy way to "track" that I prompted for this? Would the easiest way be to store a variable with the date in the registry then compare both the password age and make sure the date in the registry doesn't match, or is there a way I can get the exact password age down to the minute/second?

-Allan


Attachments
PasswordAge.txt (341 downloads)
Description: Password Age VB Script. Rename from .txt to .vbs to run.


_________________________
Kixtarter - KiXtart Script Editor
http://www.AllanDynes.com/

#205816 - 2012-09-26 02:48 PM Re: Detect a password change within last 5 minutes only [Re: ADynes]
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
The last pwd change value is stored in AD. The problem I see is that the value would only be reliable on the DC the user was authenticated against and it takes time to replicate across the DCs. Not sure if it is also stored immediately on the PDC emulator.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#205817 - 2012-09-26 03:10 PM Re: Detect a password change within last 5 minutes only [Re: Les]
ADynes Offline
Starting to like KiXtart
*****

Registered: 2003-10-31
Posts: 184
Loc: Ohio
I believe password change information is replicated immediately so I wouldn't worry too much about that. Is there anything in KiX to get it down to a minute level or should I just "hack" it with a registry value?
_________________________
#205818 - 2012-09-26 03:19 PM Re: Detect a password change within last 5 minutes only [Re: ADynes]
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
 Originally Posted By: ADynes
I believe password change information is replicated immediately...
Ja, to the PDC only AFAIK. The password last changed value can be had through ADSI so go ahead and try to pull it from various DCs.

If your users connect to various computers across a vast network after logon where said computers may be using different DCs, then your script may fall down.
_________________________
#205819 - 2012-09-26 03:22 PM Re: Detect a password change within last 5 minutes only [Re: Les]
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
BTW, searching here for passwordlastchanged will give you lots of hits.
_________________________
#205820 - 2012-09-26 03:37 PM Re: Detect a password change within last 5 minutes only [Re: Les]
ADynes Offline
Starting to like KiXtart
*****

Registered: 2003-10-31
Posts: 184
Loc: Ohio
The more I thought about it the more I thought it would be easier to use a registry check. It's the only real way I could think to make sure the user only gets prompted once each password change (unless they change their password twice in one day and if so oh well).

 Code:
; With a 90-day maximum age, a difference of 90 means the password age is 0 days
If (@MAXPWAGE-@PWAGE)=90
	; Date of the last prompt, if any; @ERROR is non-zero when the value does not exist
	$ReturnCode=ReadValue("HKEY_CURRENT_USER\Software\MyKey","LastPasswordChange")
	If (@ERROR <> 0) OR ($ReturnCode <> @DATE)
		; 4132 = Yes/No buttons + question icon + system modal; 6 = Yes
		$MessageResponse=MessageBox("It appears you have just changed your Gardiner password.  Would you like to visit the xxxxxxxx site to change your xxxxxxxx password also?","Password Change Detected",4132,0)
		If $MessageResponse=6
			Run "%comspec% /c start https://Password.xxxxxxxx.com/"
		EndIf
		; Record today's date so the prompt is not repeated on a later logon the same day
		$ReturnCode=WriteValue("HKEY_CURRENT_USER\Software\MyKey","LastPasswordChange",@DATE,"REG_SZ")
		If $ReturnCode = 0
			? "Value written to the registry"
		EndIf
	EndIf
Else
	? "Maxpwage = " + @MAXPWAGE + ".   PWAGE = " + @PWAGE
EndIf



It works and is simple to follow.
_________________________
#205821 - 2012-09-26 07:01 PM Re: Detect a password change within last 5 minutes only [Re: ADynes]
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Dropping a "cookie" in HKCU would work provided the user doesn't logon to additional resources which of course would have their own separate copies of HKCU.
_________________________
#205822 - 2012-09-26 07:37 PM Re: Detect a password change within last 5 minutes only [Re: Les]
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
You could drop a cookie or write to an INI file in the user's home drive which would be the same home drive regardless of how many different computers the user logs on to.
_________________________
#205826 - 2012-09-27 01:15 AM Re: Detect a password change within last 5 minutes only [Re: Les]
Chris S. Offline
MM club member
*****

Registered: 2002-03-18
Posts: 2368
Loc: Earth
 Originally Posted By: Les
 Originally Posted By: ADynes
I believe password change information is replicated immediately...
Ja, to the PDC only AFAIK. The password last changed value can be had through ADSI so go ahead and try to pull it from various DCs.

If your users connect to various computers across a vast network after logon where said computers may be using different DCs, then your script may fall down.


No. Password changes are replicated immediately in AD to prevent this type of scenario.

#205827 - 2012-09-27 01:18 AM Re: Detect a password change within last 5 minutes only [Re: Chris S.]
Chris S. Offline
MM club member
*****

Registered: 2002-03-18
Posts: 2368
Loc: Earth
fnLDAPQuery() has some samples of using the pwdlastset property.
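
Added example, not written by any poster in this thread: it combines the two ideas discussed above by reading pwdLastSet over ADSI to get the password age in minutes, and storing the pwdLastSet value itself as the "already prompted" marker so each change prompts exactly once. It is written in PowerShell rather than KiXtart; the value name `LastPromptedPwdLastSet` is hypothetical, the 5-minute window comes from the thread title, and the URL is the redacted one from the first post.

```powershell
# Added example. Run as the logged-on domain user at logon.
$WindowMinutes = 5                               # "just changed" threshold from the thread title
$MarkerKey     = 'HKCU:\Software\MyKey'          # key used by the script in the thread
$MarkerName    = 'LastPromptedPwdLastSet'        # hypothetical value name
$ResetUrl      = 'https://password.xxxxxxx.com/' # redacted in the thread; substitute the real site

function Get-PwdLastSet {
    # Look up the current user's pwdLastSet on whichever DC the searcher binds to.
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
    [void]$searcher.PropertiesToLoad.Add('pwdlastset')
    $result = $searcher.FindOne()
    if (-not $result -or $result.Properties['pwdlastset'].Count -eq 0) { return $null }
    $raw = [int64]$result.Properties['pwdlastset'][0]
    if ($raw -le 0) { return $null }             # 0 = "must change password at next logon"
    [pscustomobject]@{
        Raw        = $raw                        # 100-ns ticks since 1601-01-01 UTC
        ChangedUtc = [datetime]::FromFileTimeUtc($raw)
    }
}

$info = Get-PwdLastSet
if ($info) {
    $ageMinutes   = ([datetime]::UtcNow - $info.ChangedUtc).TotalMinutes
    $lastPrompted = (Get-ItemProperty -Path $MarkerKey -Name $MarkerName -ErrorAction SilentlyContinue).$MarkerName

    # Prompt only for a change inside the window that has not been prompted for yet.
    # A slightly negative age (client clock behind the DC) still counts as fresh.
    if ($ageMinutes -le $WindowMinutes -and $lastPrompted -ne "$($info.Raw)") {
        if (-not (Test-Path $MarkerKey)) { New-Item -Path $MarkerKey -Force | Out-Null }
        Set-ItemProperty -Path $MarkerKey -Name $MarkerName -Value "$($info.Raw)"

        $shell = New-Object -ComObject WScript.Shell
        # 4 = Yes/No buttons, 32 = question icon; return value 6 = Yes
        $answer = $shell.Popup('It appears you have just changed your password. Visit the reset site for the other domain too?', 0, 'Password Change Detected', 4 + 32)
        if ($answer -eq 6) { Start-Process $ResetUrl }
    }
}
```

The HKCU marker is still per-profile, as Les notes above; the same pwdLastSet value could be written to a file on the user's home drive instead.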