Active Directory Expiring Accounts

Is there any way to expire an account at a certain time of day? I have users 24/7 and I'm looking to cut down on 3 a.m. calls. Is this possible? I found the attribute but I can't figure out how to change it. Basically I'm looking to create a date and time and the time is 10:00 a.m.
WellingtonIS Asked:

ddiazp Commented:
Not aware of a way to do this - as they expire at the exact time they're set.

What we do is implement password expiration reminder tools to send notices to users a few days before their pwd expires. Also a web app they can access to reset their passwords themselves without having to call. We used AD Self-Service Suite at a 400 user organization.
0
mmahaek Commented:
PowerShell is your friend.

Set-ADUser username -AccountExpirationDate "08/29/2013 10:00:00 AM"

Some details on the AccountExpires attribute: http://msdn.microsoft.com/en-us/library/windows/desktop/ms675098(v=vs.85).aspx
0
ddiazp Commented:
I guess mmahaek is right, you could write a script that detects what accounts expire today, and set them to expire that day at noon for example. And run that every day as a scheduled task?
0
WellingtonIS (Author) Commented:
The Set-ADUser name -AccountExpirationDate "xxxxxx" can this be done for individual accounts?
0
mmahaek Commented:
Replace NAME with the SAMAccountName, and it has to be run on one account at a time.
0
WellingtonIS (Author) Commented:
I ran Set-ADUser wrmtestaccount -AccountExpirationDate "08/30/2013 10:00 AM"
I got the following error:  The term Set-ADUser is not recognized as the name of a cmdlet, function, script file or operable program...
0
mmahaek Commented:
Make sure that you are running the AD modules for PowerShell.
Import-Module ActiveDirectory
0
WellingtonIS (Author) Commented:
OK trying now
0
WellingtonIS (Author) Commented:
OK, I ran Set-ADUser wrmirtest -AccountExpirationDate "08/30/2013 10:00 AM". It looks like it worked. I refreshed AD and in the actual properties of the user in AD it says Thursday, August 29, 2013 but in ADSI Edit it says 8/30/2013 10:00 a.m. So which is right?
0
mmahaek Commented:
In Users and Computers if you enable View Menu...Advanced Options, it will add more tabs to the user properties window.  You will then be able to see the Attribute Editor and can see the value from there.
0
WellingtonIS (Author) Commented:
OK, the attribute in Active Directory Users says Thursday, August 29, 2013; see attached AD.png.
ADSI says 8/30/2013 10:00 AM; see attached ADSI. Which one is correct? Same user.
0
mmahaek Commented:
The ADSI is correct.  The date on the user properties doesn't show time and rounds the date.
0
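To see what the Attribute Editor and ADSI Edit are reading, here is an added example (not part of the thread) that lists the raw accountExpires value next to its decoded time for a set of users. `ConvertFrom-AccountExpires` and `Get-ExpiryDetail` are hypothetical names; PowerShell 3.0 or later and the ActiveDirectory module are assumed.

```powershell
# Added example (not from the thread); function names are hypothetical.
Import-Module ActiveDirectory

function ConvertFrom-AccountExpires {
    # accountExpires counts 100-nanosecond intervals since 1601-01-01 UTC.
    param([long]$Value)
    # 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires"; the second one
    # is out of range for FromFileTimeUtc, so it must be caught first.
    if ($Value -eq 0 -or $Value -eq [long]::MaxValue) { return $null }
    [datetime]::FromFileTimeUtc($Value)
}

function Get-ExpiryDetail {
    param([Parameter(Mandatory)][string]$Filter)
    Get-ADUser -Filter $Filter -Properties accountExpires | ForEach-Object {
        $utc = ConvertFrom-AccountExpires -Value $_.accountExpires
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Raw            = $_.accountExpires
            ExpiresUtc     = $utc
            ExpiresLocal   = if ($utc) { $utc.ToLocalTime() } else { 'Never' }
        }
    }
}

# Offline round trip with a constructed value: 30 Aug 2013 10:00 local time.
$raw = ([datetime]'2013-08-30 10:00').ToFileTimeUtc()
(ConvertFrom-AccountExpires -Value $raw).ToLocalTime()

# Against the directory, using the filter style from this thread:
Get-ExpiryDetail -Filter 'SAMAccountName -like "wrmi*"' | Format-Table -AutoSize
```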
WellingtonIS (Author) Commented:
OK I'll check on it in the morning. Thanks!
0
WellingtonIS (Author) Commented:
This worked thanks!
0
WellingtonIS (Author) Commented:
Sorry one more thing.  Is there a way to do this for multiple accounts?
0
mmahaek Commented:
You can use the get-aduser to search for the users you want and string the commands together.

Get-aduser username | set-aduser -accountexpirationdate "1/1/2000 12:00pm" is basically the same command. Find the Get command for the users you want then add a pipe and the set command and it will take the results of the first command and use them as an array of objects for the second command.
0
WellingtonIS (Author) Commented:
So just list the accounts after the |?
0
mmahaek Commented:
You would have to use a -filter attribute to select more than one user.

Get-ADUser -filter 'SAMAccountName -like "wrmi*"'

Would look up all users that have an account name that starts with wrmi. You can modify this query to search on the LDAP fields you want to filter. You can run Get-ADUser without any options to go into interactive filter mode and test the query you want to find the specific users. Then take that query and put it in single quotes for the filter attribute in the final command.

A final command would look like this:

Get-ADUser -filter 'SAMAccountName -like "wrmi*"' | Set-ADUser -AccountExpirationDate "08/29/2013 10:00:00 AM"
0
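The daily scheduled-task script ddiazp suggests earlier, combined with the bulk Set-ADUser approach in the answer above, as an added example that is not part of the thread. It uses Search-ADAccount instead of a name filter to find user accounts expiring within the next day and moves each expiry to 10:00 on the same date. `Get-NormalizedExpiry` and `Set-ExpiryTimeOfDay` are hypothetical names; PowerShell 3.0 or later and the ActiveDirectory module are assumed.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0+, the ActiveDirectory
# module and rights to modify the accounts. Function names are hypothetical.
Import-Module ActiveDirectory

function Get-NormalizedExpiry {
    # Keep the calendar date of the existing expiry, replace the time of day.
    param([Parameter(Mandatory)][datetime]$Expiry, [ValidateRange(0, 23)][int]$Hour = 10)
    $Expiry.Date.AddHours($Hour)
}

function Set-ExpiryTimeOfDay {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(0, 23)][int]$Hour = 10,
        [timespan]$Window = (New-TimeSpan -Days 1)
    )
    $now = Get-Date
    # User accounts whose expiry falls between now and now + $Window.
    Search-ADAccount -AccountExpiring -TimeSpan $Window -UsersOnly | ForEach-Object {
        $old = $_.AccountExpirationDate
        $new = Get-NormalizedExpiry -Expiry $old -Hour $Hour
        $action = 'Unchanged'
        if ($new -le $now) {
            # Moving the expiry into the past would cut the user off at once.
            $action = 'Skipped'
            Write-Warning "$($_.SamAccountName): $new has already passed, left at $old"
        }
        elseif ($new -ne $old) {
            $action = 'Preview'
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, "Set expiry to $new")) {
                Set-ADUser -Identity $_.DistinguishedName -AccountExpirationDate $new
                $action = 'Changed'
            }
        }
        # One record per account, suitable for Export-Csv as a change log.
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            OldExpiry      = $old
            NewExpiry      = $new
            Action         = $action
        }
    }
}

# Preview first; drop -WhatIf in the scheduled task once the output looks right.
Set-ExpiryTimeOfDay -Hour 10 -WhatIf
```

Moving an expiry from 3 a.m. to 10 a.m. lengthens access by a few hours and moving it from the evening shortens it, so keep the emitted records as the change log.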
WellingtonIS (Author) Commented:
Great!  Thanks!
0
Windows Server 2003