Re: Query for accounts that will expire



If I may -- go ahead and post one Joe, I'm quite certain somebody at
some point will benefit even if they don't read this thread in the
immediate future. I assume it'll be only a few lines of code ... just
don't compile it :0)

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Joe Kaplan (MVP - ADSI) wrote:
Note also that since .NET has excellent support for Windows filetime
structures, doing this query in .NET is particularly easy too. I
think our upcoming book has a few examples. If that was interesting
to someone here, I could post one.

Joe K.

"Dean Wells [MVP]" <dwells@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:egjSvt%23YGHA.5004@xxxxxxxxxxxxxxxxxxxxxxx
Last I checked, this was not as easy as you might hope. The
determination of account expiry is constructed on-the-fly at
authentication time by comparing a windows filetime (a count of the
100ns intervals since Jan. 1, 1601) representation of the current
date/time against the stored account expiry filetime. Simply
stated, this means that the LDAP query has to contain the filetime
value for the date you wish to compare against and, as such, the
query must change as time passes. I have a script that I wrote some
time ago that plugs into the AD admin. tools through a mechanism
called "Display Specifiers" (e.g. Active Directory Users and
Computers) and provides the ability to do precisely as you ask. I
confess I had some difficulty manipulating large-integers in a
scripting environment incapable of directly working with anything
beyond 32 bits ... thus my math may be a tad off :0/ ... but, it's
worked well enough for me to this point.

Please post back if 1) you're interested in the script and 2) you
have sufficient technical & political permission to modify the
config. NC of your AD.

Note that the script will run stand-alone but expects the first
argument to be something along the lines of
LDAP://servername.domainname.suffix/CN=Users,DC=domainname,DC=suffix
(i.e. DC FQDN + the base of your query). This can of course be
altered.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Filipe wrote:
Hello Guys!

How can I create a query in AD to search users that will have the
account expired in May, for example?

Thanks!
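
An added example, not code posted by anyone in this thread: the filetime comparison described above, computed with exact integers and turned into an LDAP filter for accounts expiring within one calendar month. The year 2006, the UTC default and the function names are assumptions for illustration; `accountExpires`, `objectCategory` and `objectClass` are the standard AD attributes.

```python
from datetime import datetime, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires values that AD treats as "never expires"
NEVER_EXPIRES = (0, 2**63 - 1)


def to_filetime(dt):
    """Aware datetime -> Windows filetime (100 ns ticks since 1601-01-01 UTC)."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone before converting")
    delta = dt - EPOCH_1601
    # Integer arithmetic only; floats cannot hold an 18-digit tick count exactly.
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def month_bounds(year, month, tz=timezone.utc):
    """Inclusive filetime bounds (lo, hi) covering one calendar month."""
    start = datetime(year, month, 1, tzinfo=tz)
    # First instant of the following month, rolling over December.
    end = datetime(year + (month == 12), month % 12 + 1, 1, tzinfo=tz)
    # LDAP filters have no strict < or >, so [start, end) becomes >= lo and <= hi.
    return to_filetime(start), to_filetime(end) - 1


def expiry_filter(year, month, tz=timezone.utc):
    """LDAP filter matching user accounts whose expiry falls in the given month."""
    lo, hi = month_bounds(year, month, tz)
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(accountExpires>={lo})(accountExpires<={hi}))")


def never_expires_excluded(year, month, tz=timezone.utc):
    """True when both 'never expires' sentinels fall outside the month window."""
    lo, hi = month_bounds(year, month, tz)
    return all(not (lo <= v <= hi) for v in NEVER_EXPIRES)


if __name__ == "__main__":
    # Constructed sample: accounts expiring in May 2006 (year is an assumption).
    print(expiry_filter(2006, 5))
```

The filter string has to be regenerated for each month of interest, since the bounds are absolute tick counts rather than relative dates.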

