Re: Create account with an Expiration Date

There is no way to automatically disable the account, unless you run a
script periodically (or a scheduled task). However, once the expiration date
is past, the account cannot be used. There should be no reason to disable
the account.

As I stated before, the accountExpires attribute has a value that
corresponds to the expiration date of the account. The userAccountControl
attribute is not involved, unless you want to check if the account is
disabled.

The only way to create an account so it cannot be used after a specified
date is to assign an account expiration date.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"dink337" <dink337@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:06B15A03-F611-4FF4-8151-26D4D37E30CC@xxxxxxxxxxxxxxxx
I actually did test that already. Two days ago I created and account set
to
expire yesterday...and just verified that when trying to login with the
account I got a message stating that the account had expired. Looking at
the
account in ADUC, it is not actually disabled, just expired.

After thinking about it, I suppose that it would really meets my needs
since
the user wouldn't be able to login anymore, but I'm still curious if
there's
a way to have it automatically disabled too, not just expired.

Thanks for helping me with this though, I do appreciate the responses.

- Dink

"Dylan" wrote:

I have to believe when you set the expiration date attribe when creating
the
account, it will be disabled at the date you specified. You can test by
creating an account with your script and have it expire tomorrow. Check
back
again and see if it is still disabled. If you are using script to query,
these are the value for UserAccountValue.

ACCOUNTDISABLE 2
LOCKOUT 16
NORMAL_ACCOUNT 512

"dink337" wrote:

Dylan, thanks for the response. I kind of figured that the message
would be
something similar to that.

For the disabling of accounts though, I cant have this done manually
(through ADUC or ADSIE) because of the large number of accounts that
will be
created on an ongoing process. I also dont want to neccessarily run a
script
(scheduled) to see what accounts are expired and have them disabled
through
the script, unless that is my only recourse to get this accomplished.

What I'm really trying to find out is if there's a way to have an
account
created that will automatically get disabled after two weeks. Id there
a
specific flag I have to set to do this, or some attribute I have to
set, can
this be accomplished at all?

- Dink

"Dylan" wrote:

It would say something to the affect of "Account disabled, please
contact
your administrator for assistant".

I don't use a script to disable an account but when I do disable it
in
AD\User and Computer, it stay disabled until I re-enable it.

"dink337" wrote:

Hopefully someone here can answer a couple questions for me.

I'm working on an application that is designed to create on-demand
accounts
that are of a temporary nature (they will only be used for a period
of 2
weeks). The idea is that after 2 weeks, the accounts will be
disabled.

So, my questions are these:
What exactly happens to an account when you set it to have an
expiration
date (not password expiration, but account expiration)? What will
the user
see if they attempt to login to an account that has expired?

Is there a way to have the account automatically get disabled after
it has
expired? I have developed the code (c#) for creating an account
that
includes setting the expiration date, but from what I've read,
apparently
once the date has passed, the account doesn't actually get
disabled, so how
can I have this automated somehow (if there even is a way, aside
from running
a scheduled task that periodically looks for accounts that have
expired and
manually runs through and disables them)?

Thanks in advance for any help offered,

- Dink


.

Relevant Pages

  • Re: Set Account Expiration Date for group in domain.
    ... I want to have each user from group_3 get disabled his account every 3 ... I think you mean password expiration date rather than account expiration ... applies to all users (if their passwords expire). ... would also have to be done with a script that runs on that day. ...
    (microsoft.public.windows.server.scripting)
  • Re: Set Account Expiration Date for group in domain.
    ... I want to have each user from group_3 get disabled his account every 3 ... An account can have only one expiration date, ... applies to all users (if their passwords expire). ... would also have to be done with a script that runs on that day. ...
    (microsoft.public.windows.server.scripting)
  • RE: Scavanging retired machine accounts
    ... Here's a script I wrote a while back that does exactly what you want. ... 'pull back a list of every user's account name and distinguished name ... we're probably only interested in the disabled computer accounts ... 'There is no point disabling PCs based on how many weeks it's been since the ...
    (microsoft.public.windows.server.scripting)
  • Re: "Enabling" an already enabled user account?
    ... Is that user having problems in all machines or just that one? ... (Logon failure: account currently disabled. ... see Help and Support Center at ... > I've tried actually disabling the account and then re-enabling and with ...
    (microsoft.public.windows.server.active_directory)
  • Re: Error Code!
    ... > When I need to force logoff for a user, after the disabling of the ... > account, nothing is work. ... If you have tried to script the logging off of the remote user, ...
    (microsoft.public.scripting.vbscript)
Quantcast