Solved

Policy to expire accounts on certain date or disable

Posted on 2008-06-26
9
912 Views
Last Modified: 2013-12-04
Hi,

I have a OU.  I would like any account created in this OU to expire 6 months after the creation date or disable the account after six months if this is the only option.

Where I can this in the GPO, if any knows please tell me to save me searching for something that may not even be there.

Many thnanks in advance.
0
Comment
Question by:2326ac
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 168 total points
ID: 21872486
Hi!

Unfortunately expiration date for user account can not be set with GPO, AFAIK.

Toni
0
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 166 total points
ID: 21872977
I agree with Toniur:

But, there may be an alternative:

In ADUC>>navigate to the user account>>right click the user account and select properties>>go to the account tab.
At the bottom you can have this account expire at any time you desire.
0
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 166 total points
ID: 21873635
You nead to either set the expire manual in accout properties or through a script.

Not possibly to do what you want through native GPO, but can be done by creating an administrative template for doing the configuration through GPOs and create a schedule task on a DC that runs a script to force the expiration for the users affected by the GPO with the administrative template.
0
Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

 

Author Comment

by:2326ac
ID: 21876020
Do you know of a script to do this (a sample) or can anyone help point me in the right direction.  Thank you all for your help so far,
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21879899
There are some good script writers in EE. I just happen to not be one of them.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21880286
The simpliest way to solve the problem with automatic expire is to use a CMD-script with the ds-commands from adminpak.msi
Note that the OUBASE-variable nead to escape , and = with ^ (^, ^=).
Add a schedule task to run the script for example once a day.
To use parameters instead of editing the script for future configuration, replace the values for the SET-lines with %~1 (first parameter, ~ allows spaces inside ""), %2 (second parameter)

To handle the configuration through AD (GPO or OU-properties), the script neads to be rewritten in a better scripting language (for example VB or KiX) instead of using CMD-scripting. My earlier thaught about GPO will not work if trying to apply a GPO on a specific OU with users, but can be used like the account policies on domain level and point out what OU shall be managed through the script.
@ECHO OFF
SET OUBASE="OU^=OU-child^,OU^=OU-parent^,DC^=domain^,DC^=com"
SET EXPIREDAYS=180
for /F "tokens=1,2" %%a in ('dsquery user "OUBASE%"^|dsget user -samid -acctexpires^) do (
  if "%%b" == "never" (
    dsquery user -samid %%a|dsmod user -acctexpires "%EXPIREDAYS%"
  )
)

Open in new window

0
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 22141313
0

Featured Post

Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question