WellingtonIS asked on

Active Directory Expiring Accounts

Is there any way to expire an account at a certain time of day? I have users 24/7 and I'm looking to cut down on 3 a.m. calls. Is this possible? I found the attribute but I can't figure out how to change it. Basically I'm looking to create a date and time, and the time is 10:00 a.m.
Windows Server 2003, Active Directory

Last Comment
WellingtonIS

8/22/2022 - Mon
ddiazp

Not aware of a way to do this - as they expire at the exact time they're set.

What we do is implement password expiration reminder tools to send notices to users a few days before their pwd expires. Also a web app they can access to reset their passwords themselves without having to call. We used AD Self-Service Suite at a 400 user organization.
SOLUTION
Mark Mahacek

ddiazp

I guess mmahaek is right, you could write a script that detects what accounts expire today, and set them to expire that day at noon for example. And run that every day as a scheduled task?
ASKER
WellingtonIS

The Set-ADUser name -AccountExpirationDate "xxxxxx" can this be done for individual accounts?
Mark Mahacek

Replace NAME with the SAMAccountName, and it has to be run on one account at a time.
ASKER
WellingtonIS

I ran Set-ADUser wrmtestaccount -AccountExpirationDate "08/30/2013 10:00 AM"
I got the following error:  The term Set-ADUser is not recognized as the name of a cmdlet, function, script file or operable program...
ASKER CERTIFIED SOLUTION
ASKER
WellingtonIS

OK trying now
ASKER
WellingtonIS

OK, I ran Set-ADUser wrmirtest -AccountExpirationDate "08/30/2013 10:00 AM". It looks like it worked. I refreshed AD and in the actual properties of the user in AD it says Thursday, August 29, 2013, but in ADSI Edit it says 8/30/2013 10:00 a.m. So which is right?
Mark Mahacek

In Users and Computers if you enable View Menu...Advanced Options, it will add more tabs to the user properties window.  You will then be able to see the Attribute Editor and can see the value from there.
ASKER
WellingtonIS

OK, the attribute in Active Directory Users says Thursday, August 29, 2013; see attached AD.png.
ADSI says 8/30/2013 10:00 AM; see attached ADSI. Which one is correct? Same user.
AD.png
adsi.png
Mark Mahacek

The ADSI is correct.  The date on the user properties doesn't show time and rounds the date.
ASKER
WellingtonIS

OK, I'll check on it in the morning. Thanks!
ASKER
WellingtonIS

This worked thanks!
ASKER
WellingtonIS

Sorry one more thing.  Is there a way to do this for multiple accounts?
Mark Mahacek

You can use the get-aduser to search for the users you want and string the commands together.

Get-ADUser username | Set-ADUser -AccountExpirationDate "1/1/2000 12:00pm" is basically the same command. Find the Get command for the users you want, then add a pipe and the Set command, and it will take the results of the first command and use them as an array of objects for the second command.
ASKER
WellingtonIS

so just list the accounts after the |?
Mark Mahacek

You would have to use a -filter attribute to select more than one user.

Get-ADUser -filter 'SAMAccountName -like "wrmi*"'

Would look up all users that have an account name that starts with wrmi. You can modify this query to search on the LDAP fields you want to filter. You can run Get-ADUser without any options to go into interactive filter mode and test the query you want to find the specific users. Then take that query and put it in single quotes for the filter attribute in the final command.

A final command would look like this:

Get-ADUser -filter 'SAMAccountName -like "wrmi*"' | Set-ADUser -AccountExpirationDate "08/29/2013 10:00:00 AM"
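
The scheduled-task idea raised earlier in the thread, combined with the filter pipeline above, as an added example that is not part of the original posts. It assumes the ActiveDirectory module (RSAT) is installed, reuses the thread's wrmi* filter, and takes 10:00 AM local time as the target; it previews each change with -WhatIf and then reads back the stored value, which is where the time of day is visible.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$filter     = 'SamAccountName -like "wrmi*"'   # filter taken from the thread
$cutoffHour = 10                               # assumed target: 10:00 AM local
$today      = (Get-Date).Date
$tomorrow   = $today.AddDays(1)

# Accounts in scope whose expiration falls on today's date.
# Accounts that never expire have a null AccountExpirationDate and drop out here.
$expiring = Get-ADUser -Filter $filter -Properties AccountExpirationDate |
    Where-Object { $_.AccountExpirationDate -and
                   $_.AccountExpirationDate -ge $today -and
                   $_.AccountExpirationDate -lt $tomorrow }

foreach ($user in $expiring) {
    # Same calendar day as the existing expiry, normalized to the cutoff hour.
    $target = $user.AccountExpirationDate.Date.AddHours($cutoffHour)
    if ($user.AccountExpirationDate -ne $target) {
        # -WhatIf only previews the change; remove it after reviewing the output.
        Set-ADUser -Identity $user -AccountExpirationDate $target -WhatIf
    }
}

# Read back what is actually stored. accountExpires is a 64-bit FILETIME in UTC;
# 0 and Int64.MaxValue both mean "never expires".
Get-ADUser -Filter $filter -Properties AccountExpirationDate, accountExpires |
    Select-Object SamAccountName, AccountExpirationDate,
        @{ Name = 'StoredUtc'; Expression = {
            if ((0, [Int64]::MaxValue) -contains $_.accountExpires) { 'Never' }
            else { [DateTime]::FromFileTimeUtc($_.accountExpires) }
        } }
```

Moving the time later re-opens any account whose original expiry has already passed that day, so review the -WhatIf output before removing the switch.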


ASKER
WellingtonIS

Great!  Thanks!