
reports "msDS-ExpirePasswordsOnSmartCardOnlyAccounts is not set" although it is set correctly in AD

Open int-red opened this issue 6 months ago • 0 comments

PingCastle 3.4.1.38 reports "msDS-ExpirePasswordsOnSmartCardOnlyAccounts is not set" although this attribute is set correctly to TRUE in the Active Directory configuration.

This PowerShell script reports the AD configuration

```powershell
# Build the DN of the Directory Service object in the configuration partition
$rootDN = (Get-ADRootDSE).configurationNamingContext
$dirServicePath = "CN=Directory Service,CN=Windows NT,CN=Services,$rootDN"

# Read the attribute from that object
Get-ADObject -Identity $dirServicePath -Properties msDS-ExpirePasswordsOnSmartCardOnlyAccounts |
    Select-Object DistinguishedName, msDS-ExpirePasswordsOnSmartCardOnlyAccounts
```

as

```
DistinguishedName                                                                 msDS-ExpirePasswordsOnSmartCardOnlyAccounts
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=CONTOSO,DC=COM True
```

which shows msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set correctly (domain name was obfuscated by me).

int-red, Aug 07 '25 08:08