  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 724

Where do I set user account to expire after 90 days in Group Policy?

I have some temp users working on the project. I need to create an OU for them and set up the GPO for the account to expire after 90 days. Where do I set this up on GPO, and do I need to write a script to delete the expired accts?

Thanks

katie
0
katie_miguel
1 Solution
 
Netman66 Commented:
If it's a domain account, then you cannot control it at the OU level.  Unfortunately, you'll affect the entire org at the domain level.  You'll have to set this on the accounts directly and manually.

0
 
katie_miguel Author Commented:
Is there a place to set acct expire on the GPO?
0
 
Netman66 Commented:
Expired accounts should be disabled, so you just need to look for these accounts.

You are best to put them in one OU so that normal disabled accounts are not picked off with the script since you will target only this one OU.


dsquery user "OU=Temp Workers,DC=domain,DC=com" -disabled -s {servername} | dsrm -noprompt -s {servername}


Where "OU=Temp Workers,DC=domain,DC=com" is the DN of the OU in Active Directory where these temp users exist.
and {servername} is the name of one of your DCs.

Make sure this is executed as a Domain Admin.



0
 
Netman66 Commented:
To your last post, no.

Domain Accounts are governed by one Account Policy - at the domain level and normally the Default Domain Policy.  If you set an expiration there then ALL accounts will expire.

You can run another script against the OU where these accounts live using this:

dsquery user "OU=Temp Workers,DC=domain,DC=com" -name * | dsmod user -acctexpires <number of days>

This should work to set all the accounts to expire in <number of days> and only those accounts in that OU.



0
 
katie_miguel Author Commented:
So if I run dsquery user "OU=Temp Workers,DC=domain,DC=com" -name * | dsmod user -acctexpires <number of days>, this will set up the acct to expire after the no. of days, not by the date on the acct properties. What's the -name stand for? Do I need to put <number of days> in brackets? Where do I check if the script works? Is there a command to show it? Or it's in the GUI? Sorry, never done it before, so many questions. If the acct expires, does it mean it's disabled?
0
 
Netman66 Commented:
Yes.

-name simply instructs the tool to search for names, the * means all names.

Number of days doesn't need brackets.

Create an OU at the top level (just below the domain).  Call it Temp Workers.  If these workers must get all the group policies you set on another OU then you have a choice; 1)  Link the GPOs that need to apply directly to this new OU, or 2) create the OU inside another OU that gets all the policies you desire.

Run this command from a CMD window on an XP workstation that has the Support Tools installed.

dsquery OU -name {name of your new OU} -s {servername}

..the result is the exact DN for the OU you will target using my script above.  Simply copy it and paste it in your script in quotes replacing "OU=Temp Workers,DC=domain,DC=com".

Create a few test user accounts in this new OU.   Take note of the expiry date on these new accounts.

Run this from a CMD window:

dsquery user "OU=Temp Workers,DC=domain,DC=com" -name * | dsmod user -acctexpires 30

Check the accounts now and see if the expiry date is 30 days from today - they should all be consistent.

When the account expires, it should be disabled.  My first script should go through your Temp Workers OU and find all disabled accounts then delete them.







0
 
Netman66 Commented:
Oh..if your new OU contains a space in the name, enclose it in quotes in the command.

dsquery OU -name "Temp Workers" -s {servername}

0
 
katie_miguel Author Commented:
Sweet, it works. Thanks Netman66. :)
0
 
Netman66 Commented:
You doubted me?!  ;o)

Glad to help.
NM
0
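
The workflow from this thread written for PowerShell, as an added example that was not posted by anyone in the thread: it sets an expiry date on every account in the temp OU, lists the result for checking, and selects expired accounts for removal. Search-ADAccount -AccountExpired matches on the account's expiry date, so it finds these accounts whether or not they are also flagged disabled. Assumptions: the ActiveDirectory module (RSAT) is installed, the caller may modify users in the OU, and the DN is the thread's placeholder.

```powershell
# Added example; assumes the ActiveDirectory module (RSAT) and rights over the target OU.
Import-Module ActiveDirectory

# Placeholder DN from the thread; replace it with the DN returned for your own OU.
$TempOU = 'OU=Temp Workers,DC=domain,DC=com'
$Days   = 90

# 1. Set every user under the OU (and only that OU) to expire $Days from now.
#    Like the dsmod pipeline, this overwrites the existing date on every run,
#    so run it once per batch of new accounts, not on a schedule.
Get-ADUser -SearchBase $TempOU -SearchScope Subtree -Filter * |
    Set-ADAccountExpiration -TimeSpan (New-TimeSpan -Days $Days)

# 2. Verify: show each account with its enabled state and expiry date.
Get-ADUser -SearchBase $TempOU -Filter * -Properties AccountExpirationDate |
    Sort-Object AccountExpirationDate |
    Format-Table SamAccountName, Enabled, AccountExpirationDate -AutoSize

# 3. Cleanup: select users in the OU whose expiry date has passed.
$expired = Search-ADAccount -AccountExpired -UsersOnly -SearchBase $TempOU

# Keep a record of what is about to be removed.
$expired |
    Select-Object SamAccountName, DistinguishedName, AccountExpirationDate |
    Export-Csv -Path .\expired-temp-accounts.csv -NoTypeInformation

# -WhatIf only prints the deletions; remove it after reviewing the CSV.
$expired | ForEach-Object {
    Remove-ADUser -Identity $_.DistinguishedName -Confirm:$false -WhatIf
}
```

Scoping both the query and the delete to the one OU keeps accounts elsewhere in the domain out of reach of the cleanup step, and the CSV gives an audit trail of what was removed.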
