A few more questions for you AD gurus if I may:
1) Is there any setting against an AD account to determine whether it can interactively login or it can’t, if so how can you run a report of which accounts can login, and which cant?
2) Do expired accounts, i.e. those only set up for say 1 month for a temp member of staff, have any symbol by them in AD users and computers, or if not…. how can you identify which accounts are expired (but not disabled). Or if you put a date in account expires, when that date comes around, does it automatically go into “disabled”? I need an accurate list of which accounts are “active”, and which are disabled/expired. And some insight into the difference between expired and disabled.
3) Are there any tools to run a report, for all accounts with non-expiring passwords ONLY, to list the following fields (login name, date of last login, account created date, date password last set)?