Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » Re: Integer8 format in password settings
Re: Integer8 format in password settings [message #157691] Sun, 12 July 2009 18:52 Go to next message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"Dee" <Dee@discussions.microsoft.com> wrote in message
news:1DD3DE41-0832-43E2-8D18-C943F889B3E7@microsoft.com...
> Hello everyone
>
> I am writing this message to make a query in relation to Exercise 2 of Lab
> A
> in Module 8 which is given in the 6419A MOC book. In this exercise, Task 1
> involves creating a PSO using ADSI edit. Integer8 format is used for
> time-based values, but I don't quite understand how to convert days into
> the
> said time-based values. The note at the bottom of page L8-99 says
> 'Integer8
> is a 64-bit number that represents the amount of time, in 100-nanosecond
> in
> intervals'. This sentence does not make sense to me as it is basically
> telling 'an amount time in a time window'. Any clarification and/or
> explanation would be appreciated.
>
> Thank you
> --
> Cheers
>
> Dee


The rest of the "Note" (the part you didn't post) concerning the PSO time
reads as:

"Note: PSO values are time-based values entered using the integer8 format.
Integer8 is a 64-bit number that represents the amount of time, in
100-nanosecond intervals, that has
passed since 12:00 AM January 1, 1601."

I'm not sure why that date was chosen, so I won't be able to answer that if
you ask.

So in reality, if you add all of the nanoseconds since 1/1/1601 to a date of
your choosing, you can come up with the Integer8 attribute equivalent time.
Yes, I know what you're going to say, this is not practical, but in reality,
this is the backbone of Active Directory time management, including password
settings, Outlook calendaring, and much more.

So you would create your fine-grained password policy using ADSIEdit, then
it appears in ADUC\Services\Password Settings Container, Then apply it to a
group, user, etc. Here is more info on it from Technet concerning PSO
(Password Settings Object).

Create a PSO
http://technet.microsoft.com/en-us/library/cc754461(WS.10).aspx

Read what Richard Mueller has to say about it at the following link. He also
has a conversion tool in that link. If Rich reads this posts, I'm sure he
may have additional information to offer that may help.

Integer8 Attributes
http://www.rlmueller.net/Integer8Attributes.htm

Matter of fact, here's another link to Richard's conversion script:
http://info.izzy.org/Technical/Scripting/Lists/Snippets/Disp Form.aspx?ID=2

Since this is more of an AD attribute question, I've cross-posted this to
microsoft.public.windows.server.active_directory in case Richard is not in
the General newsgroup.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Re: Integer8 format in password settings [message #157692 is a reply to message #157691] Sun, 12 July 2009 21:43 Go to previous messageGo to next message
rlmueller-nospam  is currently offline rlmueller-nospam  United States
Messages: 292
Registered: July 2009
Senior Member
"Ace Fekay [Microsoft Certified Trainer]" <aceman@mvps.RemoveThisPart.org>
wrote in message news:%23NmB4N0AKHA.5040@TK2MSFTNGP04.phx.gbl...
> "Dee" <Dee@discussions.microsoft.com> wrote in message
> news:1DD3DE41-0832-43E2-8D18-C943F889B3E7@microsoft.com...
>> Hello everyone
>>
>> I am writing this message to make a query in relation to Exercise 2 of
>> Lab A
>> in Module 8 which is given in the 6419A MOC book. In this exercise, Task
>> 1
>> involves creating a PSO using ADSI edit. Integer8 format is used for
>> time-based values, but I don't quite understand how to convert days into
>> the
>> said time-based values. The note at the bottom of page L8-99 says
>> 'Integer8
>> is a 64-bit number that represents the amount of time, in 100-nanosecond
>> in
>> intervals'. This sentence does not make sense to me as it is basically
>> telling 'an amount time in a time window'. Any clarification and/or
>> explanation would be appreciated.
>>
>> Thank you
>> --
>> Cheers
>>
>> Dee
>
>
> The rest of the "Note" (the part you didn't post) concerning the PSO time
> reads as:
>
> "Note: PSO values are time-based values entered using the integer8 format.
> Integer8 is a 64-bit number that represents the amount of time, in
> 100-nanosecond intervals, that has
> passed since 12:00 AM January 1, 1601."
>
> I'm not sure why that date was chosen, so I won't be able to answer that
> if you ask.
>
> So in reality, if you add all of the nanoseconds since 1/1/1601 to a date
> of your choosing, you can come up with the Integer8 attribute equivalent
> time. Yes, I know what you're going to say, this is not practical, but in
> reality, this is the backbone of Active Directory time management,
> including password settings, Outlook calendaring, and much more.
>
> So you would create your fine-grained password policy using ADSIEdit, then
> it appears in ADUC\Services\Password Settings Container, Then apply it to
> a group, user, etc. Here is more info on it from Technet concerning PSO
> (Password Settings Object).
>
> Create a PSO
> http://technet.microsoft.com/en-us/library/cc754461(WS.10).aspx
>
> Read what Richard Mueller has to say about it at the following link. He
> also has a conversion tool in that link. If Rich reads this posts, I'm
> sure he may have additional information to offer that may help.
>
> Integer8 Attributes
> http://www.rlmueller.net/Integer8Attributes.htm
>
> Matter of fact, here's another link to Richard's conversion script:
> http://info.izzy.org/Technical/Scripting/Lists/Snippets/Disp Form.aspx?ID=2
>
> Since this is more of an AD attribute question, I've cross-posted this to
> microsoft.public.windows.server.active_directory in case Richard is not in
> the General newsgroup.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum to benefit from collaboration
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MCT, MCSE, MCSA 2003 & 2000, MCSA Messaging
> Microsoft Certified Trainer
> aceman@mvps.RemoveThisPart.org
> http://twitter.com/acefekay
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>

As noted, Integer8 dates are represented as the number of 100-nanosecond
intervals since 12:00 AM January 1, 1601. I think 1601 was chosen as the
zero date because the year 1600 was a leap year exception (like the year
2000) and Microsoft wanted to avoid February 29, 1600. 1601 also avoids the
switch from Julian to Gregorian calendars in October 1582, when 10 days were
skipped (although many countries converted much later). Note also that the
dates are in UTC (Coordinated Universal Time, or what used to be called
GMT), so you must use the local time zone bias to convert from local time
(and this bias depends on whether daylight savings is in effect). Some
people have noted that all of this ignores the many leap seconds used over
the years.

Fortunately, time intervals, like minimumPasswordAge, maximumPasswordAge,
lockoutObservationWindow, and lockoutDuration are simply in 100-nanosecond
units. Convert to seconds, then multiply by 10^7 (add 7 zeros). For example,
if minimum password age is 1 day, that is 86400 seconds, so
msDS-MinimumPasswordAge = -864000000000 (the values are negative).

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Re: Integer8 format in password settings [message #157693 is a reply to message #157692] Sun, 12 July 2009 22:53 Go to previous messageGo to next message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
message news:O$uuMt1AKHA.4432@TK2MSFTNGP05.phx.gbl...
>
> As noted, Integer8 dates are represented as the number of 100-nanosecond
> intervals since 12:00 AM January 1, 1601. I think 1601 was chosen as the
> zero date because the year 1600 was a leap year exception (like the year
> 2000) and Microsoft wanted to avoid February 29, 1600. 1601 also avoids
> the switch from Julian to Gregorian calendars in October 1582, when 10
> days were skipped (although many countries converted much later). Note
> also that the dates are in UTC (Coordinated Universal Time, or what used
> to be called GMT), so you must use the local time zone bias to convert
> from local time (and this bias depends on whether daylight savings is in
> effect). Some people have noted that all of this ignores the many leap
> seconds used over the years.
>
> Fortunately, time intervals, like minimumPasswordAge, maximumPasswordAge,
> lockoutObservationWindow, and lockoutDuration are simply in 100-nanosecond
> units. Convert to seconds, then multiply by 10^7 (add 7 zeros). For
> example, if minimum password age is 1 day, that is 86400 seconds, so
> msDS-MinimumPasswordAge = -864000000000 (the values are negative).
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net


That makes sense why 1601 was picked.

Thanks, Richard!

Ace
Re: Integer8 format in password settings [message #157717 is a reply to message #157692] Mon, 13 July 2009 10:26 Go to previous messageGo to next message
Steve Allen  is currently offline Steve Allen  United States
Messages: 3
Registered: July 2009
Junior Member
On Jul 12, 6:43 pm, "Richard Mueller [MVP]" <rlmueller-
nos...@ameritech.nospam.net> wrote:
> Note also that the
> dates are in UTC (Coordinated Universal Time, or what used to be called
> GMT), so you must use the local time zone bias to convert from local time
> (and this bias depends on whether daylight savings is in effect). Some
> people have noted that all of this ignores the manyleap secondsused over
> the years.

Note that UTC has always been an atomic time scale so nothing with
those characteristics can have existed prior to around 1960. Note
that the Royal Greenwich Observatory did not even receive its charter
to exist until 1675 (new style), so the notion of GMT for 1601 is
equally a fantasy. Note that national governments do not agree on the
number of elapsed seconds since 1972
http://www.ucolick.org/~sla/leapsecs/epochtime.html
Re: Integer8 format in password settings [message #157719 is a reply to message #157717] Mon, 13 July 2009 11:17 Go to previous messageGo to next message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"Steve Allen" <sla29970@gmail.com> wrote in message
news:4d0d95ee-d3c3-47ea-b772-2d3ae62f6e19@p36g2000prn.googlegroups.com...
>
> Note that UTC has always been an atomic time scale so nothing with
> those characteristics can have existed prior to around 1960. Note
> that the Royal Greenwich Observatory did not even receive its charter
> to exist until 1675 (new style), so the notion of GMT for 1601 is
> equally a fantasy. Note that national governments do not agree on the
> number of elapsed seconds since 1972
> http://www.ucolick.org/~sla/leapsecs/epochtime.html

Interesting. That sure complicates it a bit!

Ace
Re: Integer8 format in password settings [message #157746 is a reply to message #157692] Mon, 13 July 2009 23:02 Go to previous messageGo to next message
Dee  is currently offline Dee
Messages: 55
Registered: July 2009
Member
Hello

Thank you for the most insightful comment. Just one more question is whether
there is any particular reason why the values should be negative. What would
happen if you chose positive values?

--
Cheers

Dee


"Richard Mueller [MVP]" wrote:

>
> "Ace Fekay [Microsoft Certified Trainer]" <aceman@mvps.RemoveThisPart.org>
> wrote in message news:%23NmB4N0AKHA.5040@TK2MSFTNGP04.phx.gbl...
> > "Dee" <Dee@discussions.microsoft.com> wrote in message
> > news:1DD3DE41-0832-43E2-8D18-C943F889B3E7@microsoft.com...
> >> Hello everyone
> >>
> >> I am writing this message to make a query in relation to Exercise 2 of
> >> Lab A
> >> in Module 8 which is given in the 6419A MOC book. In this exercise, Task
> >> 1
> >> involves creating a PSO using ADSI edit. Integer8 format is used for
> >> time-based values, but I don't quite understand how to convert days into
> >> the
> >> said time-based values. The note at the bottom of page L8-99 says
> >> 'Integer8
> >> is a 64-bit number that represents the amount of time, in 100-nanosecond
> >> in
> >> intervals'. This sentence does not make sense to me as it is basically
> >> telling 'an amount time in a time window'. Any clarification and/or
> >> explanation would be appreciated.
> >>
> >> Thank you
> >> --
> >> Cheers
> >>
> >> Dee
> >
> >
> > The rest of the "Note" (the part you didn't post) concerning the PSO time
> > reads as:
> >
> > "Note: PSO values are time-based values entered using the integer8 format.
> > Integer8 is a 64-bit number that represents the amount of time, in
> > 100-nanosecond intervals, that has
> > passed since 12:00 AM January 1, 1601."
> >
> > I'm not sure why that date was chosen, so I won't be able to answer that
> > if you ask.
> >
> > So in reality, if you add all of the nanoseconds since 1/1/1601 to a date
> > of your choosing, you can come up with the Integer8 attribute equivalent
> > time. Yes, I know what you're going to say, this is not practical, but in
> > reality, this is the backbone of Active Directory time management,
> > including password settings, Outlook calendaring, and much more.
> >
> > So you would create your fine-grained password policy using ADSIEdit, then
> > it appears in ADUC\Services\Password Settings Container, Then apply it to
> > a group, user, etc. Here is more info on it from Technet concerning PSO
> > (Password Settings Object).
> >
> > Create a PSO
> > http://technet.microsoft.com/en-us/library/cc754461(WS.10).aspx
> >
> > Read what Richard Mueller has to say about it at the following link. He
> > also has a conversion tool in that link. If Rich reads this posts, I'm
> > sure he may have additional information to offer that may help.
> >
> > Integer8 Attributes
> > http://www.rlmueller.net/Integer8Attributes.htm
> >
> > Matter of fact, here's another link to Richard's conversion script:
> > http://info.izzy.org/Technical/Scripting/Lists/Snippets/Disp Form.aspx?ID=2
> >
> > Since this is more of an AD attribute question, I've cross-posted this to
> > microsoft.public.windows.server.active_directory in case Richard is not in
> > the General newsgroup.
> >
> > --
> > Ace
> >
> > This posting is provided "AS-IS" with no warranties or guarantees and
> > confers no rights.
> >
> > Please reply back to the newsgroup or forum to benefit from collaboration
> > among responding engineers, and to help others benefit from your
> > resolution.
> >
> > Ace Fekay, MCT, MCSE, MCSA 2003 & 2000, MCSA Messaging
> > Microsoft Certified Trainer
> > aceman@mvps.RemoveThisPart.org
> > http://twitter.com/acefekay
> >
> > For urgent issues, you may want to contact Microsoft PSS directly. Please
> > check http://support.microsoft.com for regional support phone numbers.
> >
>
> As noted, Integer8 dates are represented as the number of 100-nanosecond
> intervals since 12:00 AM January 1, 1601. I think 1601 was chosen as the
> zero date because the year 1600 was a leap year exception (like the year
> 2000) and Microsoft wanted to avoid February 29, 1600. 1601 also avoids the
> switch from Julian to Gregorian calendars in October 1582, when 10 days were
> skipped (although many countries converted much later). Note also that the
> dates are in UTC (Coordinated Universal Time, or what used to be called
> GMT), so you must use the local time zone bias to convert from local time
> (and this bias depends on whether daylight savings is in effect). Some
> people have noted that all of this ignores the many leap seconds used over
> the years.
>
> Fortunately, time intervals, like minimumPasswordAge, maximumPasswordAge,
> lockoutObservationWindow, and lockoutDuration are simply in 100-nanosecond
> units. Convert to seconds, then multiply by 10^7 (add 7 zeros). For example,
> if minimum password age is 1 day, that is 86400 seconds, so
> msDS-MinimumPasswordAge = -864000000000 (the values are negative).
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
>
>
Re: Integer8 format in password settings [message #157773 is a reply to message #157746] Tue, 14 July 2009 11:14 Go to previous message
rlmueller-nospam  is currently offline rlmueller-nospam  United States
Messages: 292
Registered: July 2009
Senior Member
Dee wrote:

>
> Thank you for the most insightful comment. Just one more question is
> whether
> there is any particular reason why the values should be negative. What
> would
> happen if you chose positive values?
>

The convention was established long ago to store the password policy values
in AD as negative numbers. Active Directory does not allow you to assign
positive values (other than zero).

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Previous Topic:2008 DC cant connect to infrastructure master
Next Topic:Exchange 2003
Goto Forum:
  


Current Time: Sat Oct 21 18:56:24 EDT 2017

Total time taken to generate the page: 0.09257 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software