Solved

Active Directory Set User Accounts to Expire

Posted on 2014-02-01
14
1,909 Views
Last Modified: 2014-02-04
I have 300 users within a Location in Ad that I need to set to expire at the end of FEB. 2014.  Is there a script to od this with.  I found two but there sytnaxes show as invalid:

Set-ADAccountExpiration [-Identity] gclinch  [-DateTime] "02/28/2014 5:00:00 PM"

"Error stats Set-ADAccountExpiration is not valid"

Set-ADUser gclinch -AccountExpirationDate "02/28/2014 5:00:00 PM"

"Error stats Set-ADUser is not valid"
0
Comment
Question by:Twhite0909
  • 6
  • 5
  • 3
14 Comments
 
LVL 18

Expert Comment

by:Steven Harris
Comment Utility
Which console are you running this in?  This a PowerShell command.

From PowerShell, try the following syntax:

Set-ADAccountExpiration gclinch -DateTime "02/28/2014 5:00:00 PM"

Open in new window


You should also make sure the AD Modules are loaded in the "Windows Features" pane if you are running remotely, or if they were disabled previously on the server.
0
 

Author Comment

by:Twhite0909
Comment Utility
I am using  "Active Directory Module for powershell" located on my domain controller.  I also tried running the commands fro Exchange 2010 Shell

Now in Ad Module for Poweshell I ran your command and got the following error:

Set-ADAccountExpiration [-Identity] gclinch  [-DateTime] "02/28/2014 5:00:00 PM"

The term 'Set-ADAccountExpiration' is not recognized as the name of a cmdlet, function, script file,
0
 
LVL 18

Expert Comment

by:Steven Harris
Comment Utility
What server are you running?
0
 
LVL 18

Expert Comment

by:Steven Harris
Comment Utility
Try the following commands:

Add-WindowsFeature RSAT-AD_PowerShell

Open in new window


Import-Module ActiveDirectory

Open in new window

0
 
LVL 53

Expert Comment

by:Will Szymkowski
Comment Utility
Seems that your module in not loading properly. Can you try the following command...
get-module

The command above will tell you if the activedirectory module has been installed. based on the errors you are getting it has not installed correctly.

Aside from that you can do this very easily via the GUI. See the screenshot below. Simply hold shift and select all of the users in an OU, right click Properties, click the account tab and set all accounts to expire on a speciifc data.

Account Expires GUI
Account Expires
Will.
0
 

Author Comment

by:Twhite0909
Comment Utility
After running Get-Module I see the following:


ModuleType Name                      ExportedCommands
---------- ----                      ----------------
Manifest   ActiveDirectory           {Set-ADOrganizationalUnit, Get-ADDomainControllerPasswordReplicationPoli...
0
 
LVL 53

Expert Comment

by:Will Szymkowski
Comment Utility
Ok well the ActiveDirectory module appears to be loaded into the session. Did you try the GUI suggestion in my previous post? Does that work for you? Have you checked the event viewer to see if there are any issues in regards to Windows Powershell?

Will.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 

Author Comment

by:Twhite0909
Comment Utility
OK I got the AD module to import and its now accepting commands., So the cmd:


Set-ADAccountExpiration "user" -DateTime "02/28/2014 5:00:00 PM"

Has just worked successfully.  Now my bigger questions.  Is their a way to run this command against an entire OU in order to set all users within that OU to expire on that date>

Also we use Password Manager from Dell that allows a user that if their PW expired and they need it reset they can go to this Tools weblink and reset themselves.  If I set an Account o expire could they technically use this tool to reset their PW and they have access again or would it require an ADMIN to reset the Expiration date on their account in order for the account to have log on access?

Thanks for all your help guys I really appreciate it.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
Comment Utility
You can use the syntax below to accomplish this...

get-aduser -fliter * -searchbase "OU=testou,dc=domain,dc=com" | Set-ADAccountExpiration "user" -DateTime "02/28/2014 5:00:00 PM"

Open in new window


That should do it.

Will.
0
 

Author Comment

by:Twhite0909
Comment Utility
I dont think it likes the -Filter or -Searchbase?


PS C:\Users\WhiteT> get-aduser -filter * -searchbase OU=charlotte,dc=ad dc=local | Set-ADAccountExpiration "user" -DateTime "02/03/2014 5:00:00 PM"

et-ADUser : Cannot convert 'System.Object[]' to the type 'System.String' required by parameter 'SearchBase'. Specified method is not supported.

At line:1 char:33
+ get-aduser -filter * -searchbase <<<<  OU=charlotte,dc=ad dc=local | Set-ADAccountExpiration "user" -DateTime "02/03/2014 5:00:00 PM"
    + CategoryInfo          : InvalidArgument: (:) [Get-ADUser], ParameterBind
   ingException
    + FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.
   Management.Commands.GetADUser
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
Comment Utility
This worked for me in my test lab with no issues.

See the below syntax i used to accomplish this.
get-aduser -Filter * -SearchBase "ou=testou,dc=upgrade,dc=local" | Set-ADAccountExpiration -DateTime "02/03/2014 5:00:00 PM"

Open in new window


The above should work for you.

Will.
0
 

Author Comment

by:Twhite0909
Comment Utility
I am on my domain controller. I launch Active Directory Module for Windows Powershell and run the below cmd:

get-aduser -Filter * -SearchBase ou=charlotte,dc=ad,dc=local | Set-ADAccountExpiration -DateTime "02/03/2014 5:00:00 PM"

Charlotte is the OU AD.local is th domain.  It comes back every time with  " Cannot convert 'System.Object[]' to the type 'System.String' required by parameter 'SearchBase'. Specified method is not supported."  Is there something wrong with module for Powershell and AD?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
Comment Utility
It is possible as you were encountering issues before when the module was installed. Have you tried putting "qoutes" around the "ou=testou...."?

The command i have posted above earilier worked completely fine on my DC only using the Active Directory Module.

Will.
0
 

Author Comment

by:Twhite0909
Comment Utility
OK The quotes got me 1 step further sorry I thought i removed quotes from examples.  However now it says  "Get-ADUser : Directory Object Not Found

Now my OU I'm trying to reach is under some other OUs  its location in ADUC is

AD.LOCAL/Locations/RSG/Charlotte

Do I need another parameter to drill down?
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Resolve DNS query failed errors for Exchange
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now