Set Active Directory "accountExpires" to "Never"


Userlevel 6
Badge +15

Hi folks:

This might be way easier than I think, but I can't find it.

So, I set accountExpires all the time via the "update AD" action - but I've never had to blank it out before.

How do I use that action to set accountExpires to "Never"? 

Thanks!


19 replies

Badge +9

210885_pastedImage_2.png

Userlevel 6
Badge +15

Hmm... interesting, but that's for the PW... not for the account itself. Wouldn't you be able to have "password never expires" for an account that is set to expire on Dec 31?

Badge +9

Sorry, I didn't read that correctly. Does the date have to be reset or can it simply be a date far into the future?

Userlevel 6
Badge +15

Has to be completely blank, no expiry date at all.

I suppose I could set it to the year 3030 or something but they want it well and truly blank.

Userlevel 6
Badge +15



HAAAAAAAAAAAALP! Haha. (Please!)

Userlevel 7
Badge +11

Set the "accountExpires" property to 9223372036854775807
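
The value in the answer above, decoded (an added example, not part of the original thread): accountExpires counts 100-nanosecond intervals since 1601-01-01 UTC, and both 0 and 9223372036854775807 mean the account never expires. The Python below converts in both directions and classifies accounts for an expiry audit; the function names, account names and dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# accountExpires is a count of 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF   # 9223372036854775807, the value from the thread
NEVER_VALUES = {0, NEVER}    # AD also treats 0 as "never expires"
FAR_FUTURE = datetime.max.replace(tzinfo=timezone.utc)


def to_account_expires(when):
    """Encode a timezone-aware datetime as an accountExpires integer."""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_account_expires(raw):
    """Return None for 'never', otherwise the expiry as a UTC datetime."""
    value = int(raw)  # LDAP clients often hand the attribute back as a string
    if value in NEVER_VALUES:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=value // 10)
    except OverflowError:
        # A real date past year 9999 (FILETIME runs to the year 30828).
        return FAR_FUTURE


def audit(accounts, now):
    """Map each account name to 'never', 'expired' or 'active'."""
    report = {}
    for name, raw in accounts.items():
        expiry = decode_account_expires(raw)
        if expiry is None:
            report[name] = "never"
        else:
            report[name] = "expired" if expiry <= now else "active"
    return report


# Constructed sample data: hypothetical account names and values.
SAMPLE_NOW = datetime(2017, 11, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = {
    "fte.default": "0",
    "fte.rescinded-resignation": str(NEVER),
    "contractor.current": to_account_expires(datetime(2018, 3, 1, tzinfo=timezone.utc)),
    "contractor.lapsed": to_account_expires(datetime(2017, 6, 30, tzinfo=timezone.utc)),
}
```

A value one tick below the maximum is a real date in the year 30828, not the "never" sentinel, so the decoder reports it as a far-future expiry instead of treating it as blank.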

Userlevel 6
Badge +15

Ah yes in the year 30828! 

I wonder how this displays in Active Directory? Does it appear as blank?

I'm now reading this: 

AD accounts that have been set up to never expire are expiring 

Userlevel 7
Badge +11

I went into AD and set the Account Expires to a date next year.

Then used Update AD User and set the accountExpires to that number. When I looked at the user in AD, it was set to "Never expires".


Userlevel 6
Badge +15

AMAZING!

My hero, yet again, is the infamous

I thank you, sir.

Badge +6

Now that the problem has been solved... Now I want to know why.

In all seriousness the concept, especially from a security perspective, of an account expiry is sound. So why would you want an account to never expire? My guess would be for a service account or something of that nature or for testing purposes. But, since I'm just as curious as a cat, would you mind sharing?  

Userlevel 7
Badge +11

Glad I could be of service Rhia

Userlevel 7
Badge +11

Funny you should mention that, because when you were hired, we set your account to expire Nov 24th 2017.

Does anyone really set the accountExpires? It makes sense if you hire people on contract or if you have an employee who gives notice. But if you hire FTEs, at the beginning, surely you wouldn't set that field to anything other than Never expires.

I guess in Rhia's situation, it could be that you hired a contractor who had an end date for his contract, and midstream, they were converted to an FTE.

Vadim 

Badge +6

Well oddly enough, having a domain admin account and a workflow, I've remedied that situation.  

Having spent some time in corporate IT (and infrastructure specifically) this is something that was very important to consider. Our temporary contract workers had 6 month expiration on their AD accounts.

But, lest anyone's AD OUs fill up with tons of old accounts, expiration is a good policy to enable in group policy and the SAMexpirationdate could be updated for say another 12 months (or more) after a performance review, open enrollment, etc.

Userlevel 7
Badge +11

Every 12 months... you mean like with a scheduled workflow that controls Performance Reviews?

Badge +6

Precisely!

Userlevel 6
Badge +15

My client hires a LOT of consultants, so expiry dates are a requirement for them. And all of their FTE have no expiry date.

Right now, a process is that if the employee gives a resignation, the workflow will set their AD to expire the day after their departure. However, if they change their mind mid-leave, and decide to stay (oh, you'll give me a $60k raise? Sure, I'll stay!) we then need to clear that expiry.

That's the need, here, and what drove this.

Badge +6

Consultants. Makes perfect sense. Being a stickler, I'd probably still put some sort of expiry on those FTE accounts too...

Thanks for sharing!

Userlevel 6
Badge +13

Rhia Wieclawek wrote:

However, if they change their mind mid-leave, and decide to stay (oh, you'll give me a $60k raise? Sure, I'll stay!)

Who's your client????

Badge +5

This kind of conversation and sharing made me smile. It is as if I'm sitting in front of you hearing you guys conversing. Thanks for bringing this up too.