Where do I set user account to expire after 90 days in Group Policy?

I have some temp users working on the project. I need to create an OU for them and set up the GPO for the account to expire after 90 days. Where do I set this up on GPO, and do I need to write a script to delete the expired accts?

thanks

katie
katie_miguelAsked:

Netman66Commented:
If it's a domain account, then you cannot control it at the OU level.  Unfortunately, you'll affect the entire org at the domain level.  You'll have to set this on the accounts directly and manually.

0
katie_miguelAuthor Commented:
Is there a place to set acct expire on the GPO?
0
Netman66Commented:
Expired accounts should be disabled, so you just need to look for these accounts.

You are best to put them in one OU so that normal disabled accounts are not picked off with the script since you will target only this one OU.


dsquery user "OU=Temp Workers,DC=domain,DC=com" -disabled -s {servername} | dsrm -noprompt -s {servername}


Where "OU=Temp Workers,DC=domain,DC=com" is the DN of the OU in Active Directory where these temp users exist.
and {servername} is the name of one of your DCs.

Make sure this is executed as a Domain Admin.



0

Netman66Commented:
To your last post, no.

Domain Accounts are governed by one Account Policy - at the domain level and normally the Default Domain Policy.  If you set an expiration there then ALL accounts will expire.

You can run another script against the OU where these accounts live using this:

dsquery user "OU=Temp Workers,DC=domain,DC=com" -name * | dsmod user -acctexpires <number of days>

This should work to set all the accounts to expire in <number of days> and only those accounts in that OU.



0
katie_miguelAuthor Commented:
So if I run dsquery user "OU=Temp Workers,DC=domain,DC=com" -name * | dsmod user -acctexpires <number of days>, this will set up the acct to expire after the no. of days, not by the date on the acct properties. What does the -name stand for? Do I need to put <number of days> in brackets? Where do I check if the script works? Is there a command to show it, or is it in the GUI? Sorry, never done it before, so many questions. If the acct expires, does it mean it is disabled?
0
Netman66Commented:
Yes.

-name simply instructs the tool to search for names, the * means all names.

Number of days doesn't need brackets.

Create an OU at the top level (just below the domain).  Call it Temp Workers.  If these workers must get all the group policies you set on another OU then you have a choice; 1)  Link the GPOs that need to apply directly to this new OU, or 2) create the OU inside another OU that gets all the policies you desire.

Run this command from a CMD window on an XP workstation that has the Support Tools installed.

dsquery OU -name {name of your new OU} -s {servername}

..the result is the exact DN for the OU you will target using my script above.  Simply copy it and paste it in your script in quotes replacing "OU=Temp Workers,DC=domain,DC=com".

Create a few test user accounts in this new OU.   Take note of the expiry date on these new accounts.

Run this from a CMD window:

dsquery user "OU=Temp Workers,DC=domain,DC=com" -name * | dsmod user -acctexpires 30

Check the accounts now and see if the expiry date is 30 days from today - they should all be consistent.

When the account expires, it should be disabled.  My first script should go through your Temp Workers OU and find all disabled accounts then delete them.







0

Netman66Commented:
Oh..if your new OU contains a space in the name, enclose it in quotes in the command.

dsquery OU -name "Temp Workers" -s {servername}

0
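
Added example, not part of the original thread: Active Directory records expiry in the accountExpires attribute and the disabled state in a separate userAccountControl bit, so this PowerShell function reports both for each account before any cleanup job runs against the OU. The function name Get-TempAccountState and the three sample records are constructed for illustration; the commented Get-ADUser call assumes the ActiveDirectory module, which is not part of the Windows Server 2003 tooling used in the thread.

```powershell
# Added example. accountExpires is a FILETIME (100-ns ticks since 1601-01-01 UTC);
# the values 0 and 9223372036854775807 both mean "never expires".
# userAccountControl bit 0x2 (ACCOUNTDISABLE) marks an account as disabled.
function Get-TempAccountState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [datetime] $Now = (Get-Date)
    )
    process {
        $raw   = [int64] $User.accountExpires
        $never = ($raw -eq 0) -or ($raw -eq [int64]::MaxValue)
        $expiresOn = if ($never) { $null } else { [datetime]::FromFileTimeUtc($raw) }

        [pscustomobject]@{
            Name      = $User.Name
            ExpiresOn = $expiresOn   # UTC, or empty when the account never expires
            Expired   = (-not $never) -and ($expiresOn -le $Now.ToUniversalTime())
            Disabled  = (([int] $User.userAccountControl) -band 0x2) -ne 0
        }
    }
}

# Constructed sample records (not real accounts) so the function runs without a domain.
$now = [datetime]::UtcNow
$sample = @(
    # Expiry date passed five days ago, account still enabled (0x200 = normal account).
    [pscustomobject]@{ Name = 'temp01'; accountExpires = $now.AddDays(-5).ToFileTimeUtc(); userAccountControl = 0x200 }
    # Expires in 30 days, enabled.
    [pscustomobject]@{ Name = 'temp02'; accountExpires = $now.AddDays(30).ToFileTimeUtc(); userAccountControl = 0x200 }
    # Never expires, manually disabled (0x202 = normal account + ACCOUNTDISABLE).
    [pscustomobject]@{ Name = 'temp03'; accountExpires = 0; userAccountControl = 0x202 }
)

$sample | Get-TempAccountState -Now $now | Format-Table -AutoSize

# Against a live domain (assumption: ActiveDirectory module is installed), feed the
# same function from the OU used in the thread and review the report before deleting:
# Get-ADUser -Filter * -SearchBase 'OU=Temp Workers,DC=domain,DC=com' `
#     -Properties accountExpires, userAccountControl | Get-TempAccountState
```

In the sample output, temp01 shows Expired as True and Disabled as False, while temp03 shows the reverse, so a cleanup query keyed only on the disabled flag would match temp03 and skip temp01.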
katie_miguelAuthor Commented:
Sweet, it works. Thanks Netman66. :)
0
Netman66Commented:
You doubted me?!  ;o)

Glad to help.
NM
0