WellingtonIS


Active Directory Expiring Accounts

Is there any way to expire an account at a certain time of day? I have users 24/7 and I'm looking to cut down on 3 a.m. calls. Is this possible? I found the attribute but I can't figure out how to change it. Basically I'm looking to create a date and time, and the time is 10:00 a.m.
ddiazp

Not aware of a way to do this - as they expire at the exact time they're set.

What we do is implement password expiration reminder tools to send notices to users a few days before their pwd expires. Also a web app they can access to reset their passwords themselves without having to call. We used AD Self-Service Suite at a 400-user organization.
SOLUTION
Mark Mahacek
I guess mmahaek is right, you could write a script that detects which accounts expire today, and set them to expire that day at noon for example. And run that every day as a scheduled task?
WellingtonIS

ASKER

The Set-ADUser name -AccountExpirationDate "xxxxxx", can this be done for individual accounts?
Replace NAME with the SAMAccountName, and it has to be run on one account at a time.
I ran Set-ADUser wrmtestaccount -AccountExpirationDate "08/30/2013 10:00 AM"
I got the following error: The term Set-ADUser is not recognized as the name of a cmdlet, function, script file or operable program...
ASKER CERTIFIED SOLUTION
OK trying now
OK, I ran Set-ADUser wrmirtest -AccountExpirationDate "08/30/2013 10:00 AM". It looks like it worked. I refreshed AD, and in the actual properties of the user in AD it says Thursday, August 29, 2013, but in ADSI Edit it says 8/30/2013 10:00 a.m., so which is right?
In Users and Computers, if you enable View Menu...Advanced Options, it will add more tabs to the user properties window. You will then be able to see the Attribute Editor and can see the value from there.
OK the attribute in Active directory uses says Thursday, August 29, 2013 see attached AD.png
ADSI says 8/30/2013 10:00 AM. See attached ADSI. Which one is correct? Same user.
AD.png
adsi.png
The ADSI is correct. The date on the user properties doesn't show time and rounds the date.
OK I'll check on it in the morning. Thanks!
This worked thanks!
Sorry, one more thing. Is there a way to do this for multiple accounts?
You can use Get-ADUser to search for the users you want and string the commands together.

Get-ADUser username | Set-ADUser -AccountExpirationDate "1/1/2000 12:00pm" is basically the same command. Find the Get command for the users you want, then add a pipe and the Set command, and it will take the results of the first command and use them as an array of objects for the second command.
So just list the accounts after the |?
You would have to use a -filter attribute to select more than one user.

Get-ADUser -filter 'SAMAccountName -like "wrmi*"'

Would look up all users that have an account name that starts with wrmi. You can modify this query to search on the LDAP fields you want to filter. You can run Get-ADUser without any options to go into interactive filter mode and test the query you want to find the specific users. Then take that query and put it in single quotes for the filter attribute in the final command.

A final command would look like this:

Get-ADUser -filter 'SAMAccountName -like "wrmi*"' | Set-ADUser -AccountExpirationDate "08/29/2013 10:00:00 AM"

Great!  Thanks!
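
The scheduled-task idea raised earlier in the thread, combined with the bulk filter from the last answer, as an added example that is not code from any poster: it moves near-term expirations to a fixed time of day and previews the change before writing. The name pattern is the one used in the thread; the 10:00 cutoff, the two-day window and the $preview variable are assumptions of this example.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT);
# without it, Set-ADUser is "not recognized", as in the error quoted above.
Import-Module ActiveDirectory

# Assumptions: name pattern taken from the thread, 10:00 local-time cutoff.
$nameFilter = 'SAMAccountName -like "wrmi*"'
$cutoffHour = 10
$preview    = $true    # set to $false to actually write the change

$now       = Get-Date
$windowEnd = $now.Date.AddDays(2)    # today and tomorrow

# Read the expiration date explicitly; it is not returned by default.
$targets = Get-ADUser -Filter $nameFilter -Properties AccountExpirationDate |
    Where-Object {
        $_.AccountExpirationDate -and              # skip "never expires"
        $_.AccountExpirationDate -gt $now -and     # skip already expired
        $_.AccountExpirationDate -lt $windowEnd
    }

$report = foreach ($user in $targets) {
    # Keep the calendar day, change only the time of day.
    $newExpiry = $user.AccountExpirationDate.Date.AddHours($cutoffHour)

    # Edge cases: already at the cutoff, or the cutoff for that day has
    # passed (writing it would expire the account immediately).
    if ($newExpiry -eq $user.AccountExpirationDate -or $newExpiry -le $now) {
        continue
    }

    Set-ADUser -Identity $user -AccountExpirationDate $newExpiry -WhatIf:$preview

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        OldExpiry      = $user.AccountExpirationDate
        NewExpiry      = $newExpiry
        Delta          = $newExpiry - $user.AccountExpirationDate
    }
}

# A positive Delta means the account stays usable longer than originally set;
# review those rows before turning the preview off.
$report | Sort-Object Delta -Descending | Format-Table -AutoSize
```

After a real run, read the value back with Get-ADUser -Properties AccountExpirationDate or the Attribute Editor, since the Account tab shows only a date.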