Support Forum

On the “Habitat AD Passwords Expired” module, is there a way to add a toggleable page that can display all accounts set to “do not expire”? I’m asking because we keep encountering situations where accounts are set not to expire, which goes against our security policy for our customers. We need to be able to quickly and easily identify any users configured this way for remediation. Ideally, this could be implemented within the “AD Passwords Expired” module by adding a toggle to switch between expiring users and a list of “Do not expire” users. You could also add a fifth line and box under “Users with password limits” for “Users WITHOUT password Limits” to show the number of these accounts, along with a toggle button to view that list. This way, we can open Habitat during an audit and quickly check for these users without having to access each server or run scripts.
What do you think? I believe this would be a valuable feature addition to Habitat within the existing “Habitat AD Passwords Expired” module.

Let me look into that, Currently we do not collect users that do not have expirable passwords so we would be to adjust the collector to capture all accounts and a status type to denote the differences between user acc ount types. (Expirable versis Non-Expriable).

Give me a couple of days to review code base and see whats needed to add this request.

Just an update, Im about to release Habitat 1.0.1.64 which will have the first redition of the new Expiry tool that will include seeing all domain admins in their own list and users who have pass does not expire or can not change passwords in their own list.

Screenshots to follow.

Here is the new documentation post for the updated Expiry tool


viewtopic.php?t=6610

Habitat should auto update is set to, tonight with build 1.0.1.64. you can also download it from the plugins4automate web site. Log in with the account that subscribes to Habitat for the latest download URL.

This looks great. That's a huge help in seeing which accounts are misconfigured and therefore aren't using the proper password expirations. The additional details and the admins are also an added benefit, so thanks for all that.

However, it seems there may be a glitch in the calculation, as it's tracking the time since the passwords were last changed instead of their expiration date. Therefore, all accounts are highlighted and in the negative since their last password change, and not based on the number of days remaining or the duration of their expiration. Probably just a minor oversight, but overall, the added changes are fantastic.
Much appreciated.

I will have a peek, We didn't change the process of time in the queries, just added to query to get all users and if user group type had domain admins as a member.

I'll get back with you when I have something.

I am Seeing a similar issue with the AD Passwords Expired since the updated. All users show up as Red for Email Users. Calculations for Days seems to be off. Emails are not being sent. Thank you!

Will be releasing a new update soon. I'll post here when it's released.

Released build 1.0.1.66 today.

Fixes issues with Expiry not producing correct days before password expires. Reset the default status for all tools and updated Chocolatey for Automate inside Habitat.

You can find download here.

https://delivery.shopifyapps.com/-/b1ff ... 82ceb6297e

So it appears to calculate things correctly, however in the older version we were able to select an OU. This doesn't appear possible any longer. So it appears to now just grab all users. We have several larger clients with 1000s of users. Some are users that are Email Only users that do not have computer access and no way to change their password and are left alone. We have some users that are in a Disabled Users OU that are getting pulled into the search as this doesn't exclude disabled users. So targeting the specific OU was pretty helpful before. Not having that for several of our clients will end up causing 1000s of emails for disabled users that will just bounce. Then there is the email only users with no way to change their password that have no AD access email only access that I don't necessarily care that much about.

@cubert