Re: Account expiration dates

npranger wrote:

> I am looking for ideas on how best to get a report from AD on which user
> accounts are expired at the time the report is run. Any ideas would be
> appreciated.

Hi,

In ADUC, Filter Options, Create custom filter, Customize, on the Advanced
tab you can enter an LDAP query. To query for all user objects where the
accountExpires attribute is a value less than (before) the value for May 26,
2005, use:

(&(objectCategory=person)(objectClass=user)(accountExpires<=127615572000000000))

The trick is to find that large magic number. The accountExpires attribute
is Integer8, which is a 64-bit number representing the number of
100-nanosecond intervals since 1/1/1601. I have a program to convert a
date/time to the corresponding Integer8 (64-bit) value linked here:

http://www.rlmueller.net/Programs/DateToInteger8.txt

The date is stored in UTC (Coordinated Universal Time), so the value you get
depends on your time zone. I'm in the Central Time Zone of the US. For this
purpose, I think you can ignore time zone.

Alternatively, you can use a VBScript program that does the same thing. Most
efficient would be to use ADO and retrieve info on the user objects with the
same query as above. Otherwise, you could use the AccountExpirationDate
property method, which retrieves normal dates, but this would require
binding to every user object, which would be much slower if you have many
users. I'll post a VBScript solution after I test it.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab web site - http://www.rlmueller.net
--
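
Added example (not part of the post above and not the linked DateToInteger8 program): a Python version of the date-to-Integer8 conversion that produces the large number in the filter. It assumes a fixed UTC-5 offset for US Central Daylight Time, uses constructed sample accounts, and adds an (accountExpires>=1) clause because the values 0 and 9223372036854775807 both mean the account never expires.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)   # both values mean "never expires"
CDT = timezone(timedelta(hours=-5))  # assumption: US Central Daylight Time


def date_to_integer8(dt):
    """Timezone-aware datetime -> 100-ns intervals since 1601-01-01 UTC."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: attach a time zone first")
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def integer8_to_date(value):
    """accountExpires value -> UTC datetime, or None if it never expires."""
    if value in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def expired_filter(as_of):
    """LDAP filter for users whose expiration is set and is at or before as_of."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(accountExpires>=1)(accountExpires<=%d))" % date_to_integer8(as_of))


def expired_accounts(accounts, as_of):
    """Apply the same test client-side to {name: accountExpires} pairs."""
    limit = date_to_integer8(as_of)
    return sorted(n for n, v in accounts.items() if v not in NEVER and v <= limit)


# Constructed sample data, not taken from any real directory.
SAMPLE = {
    "temp.contractor": 127600000000000000,   # expired before the cut-off
    "svc.backup": 0,                         # never expires
    "jdoe": 0x7FFFFFFFFFFFFFFF,              # never expires
    "intern": 127700000000000000,            # expires after the cut-off
}

if __name__ == "__main__":
    cutoff = datetime(2005, 5, 26, tzinfo=CDT)
    print(expired_filter(cutoff))
    print(expired_accounts(SAMPLE, cutoff))
```

Midnight on May 26, 2005 at UTC-5 gives the same 127615572000000000 used in the filter above; the same date at midnight UTC is five hours (180000000000 intervals) earlier.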

