katie_miguel
Where do I set user account to expire after 90 days in group policy?
I have some temp users working on the project. I need to create an OU for them and set up the GPO for the account to expire after 90 days. Where do I set this up on GPO, and do I need to write a script to delete the expired accts?
thanks
katie
If it's a domain account, then you cannot control it at the OU level. Unfortunately, you'll affect the entire org at the domain level. You'll have to set this on the accounts directly and manually.
ASKER
Is there a place to set acct expire on the GPO?
Expired accounts should be disabled, so you just need to look for these accounts.
You are best to put them in one OU so that normal disabled accounts are not picked off with the script since you will target only this one OU.
dsquery user "OU=Temp Workers,DC=domain,DC=com" -disabled -s {servername} | dsrm -noprompt -s {servername}
Where "OU=Temp Workers,DC=domain,DC=com" is the DN of the OU in Active Directory where these temp users exist, and {servername} is the name of one of your DCs.
Make sure this is executed as a Domain Admin.
To your last post, no.
Domain Accounts are governed by one Account Policy - at the domain level and normally the Default Domain Policy. If you set an expiration there then ALL accounts will expire.
You can run another script against the OU where these accounts live using this:
dsquery user "OU=Temp Workers,DC=domain,DC=com" -name * | dsmod user -acctexpires <number of days>
This should work to set all the accounts to expire in <number of days> and only those accounts in that OU.
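A PowerShell version of the set-expiry, verify and clean-up steps discussed in the answers above, added here as an example and not posted by anyone in the thread. It assumes the ActiveDirectory module (RSAT) is installed, and `dc01.domain.com` is a hypothetical DC name. It selects accounts for clean-up by their expiry date rather than by the disabled flag, because account expiry is stored separately and does not set the disabled flag.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$OU     = 'OU=Temp Workers,DC=domain,DC=com'  # DN of the OU, as in the thread
$Server = 'dc01.domain.com'                   # hypothetical DC name (assumption)
$Days   = 90

# 1. Set expiry only on accounts in the OU that have none yet, so that
#    re-running the script does not push existing expiry dates forward.
Get-ADUser -Server $Server -SearchBase $OU -SearchScope Subtree -Filter * `
           -Properties AccountExpirationDate |
    Where-Object { -not $_.AccountExpirationDate } |
    Set-ADAccountExpiration -Server $Server -TimeSpan (New-TimeSpan -Days $Days)

# 2. Verify: show each account's enabled state and expiry date.
#    The same date appears on the Account tab in
#    Active Directory Users and Computers.
Get-ADUser -Server $Server -SearchBase $OU -SearchScope Subtree -Filter * `
           -Properties AccountExpirationDate |
    Sort-Object AccountExpirationDate |
    Format-Table SamAccountName, Enabled, AccountExpirationDate -AutoSize

# 3. Find accounts in the OU whose expiry date has passed. An expired
#    account can still show Enabled = True, so a search on the disabled
#    flag alone would miss it.
$expired = Search-ADAccount -Server $Server -SearchBase $OU `
                            -AccountExpired -UsersOnly

# 4. Dry run of the clean-up: -WhatIf prints what would be deleted without
#    deleting anything. Remove -WhatIf only after reviewing the output.
$expired | ForEach-Object {
    Remove-ADUser -Identity $_.DistinguishedName -Server $Server -WhatIf
}
```

Scoping every query with `-SearchBase` keeps the clean-up confined to the temp-worker OU, so accounts elsewhere in the domain are never candidates for deletion.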
ASKER
So if I run dsquery user "OU=Temp Workers,DC=domain,DC=com" -name * | dsmod user -acctexpires <number of days>, this will set up the acct to expire after the No. of days, not by the date on the acct properties. What does the -name stand for? Do I need to put <number of days> in brackets? Where do I check if the script works? Is there a command to show it, or is it in the GUI? Sorry, never done it before, so many questions. If the acct expires, does it mean it's disabled?
Oh... if your new OU contains a space in the name, enclose it in quotes in the command.
dsquery OU -name "Temp Workers" -s {servername}
ASKER
Sweet, it works. Thanks Netman66. :)
You doubted me?! ;o)
Glad to help.
NM