How to query AD for account expiration dates?

Okay, this is a question from the newsgroups. It goes something like: “How can I query AD to get to know when a specific account expires?”

Good question. We’re going to check this in a pretty practical way here. First of all, we create a new OU in our _test_ environment. Mine’s called “expireUsers”. I am creating two users for my testing: Alexander Expire (a user account that has an expiry date set on its “Account” tab) and Christopher N. Expire (who has no expiry date specified).

ADUC (Active Directory Users and Computers) looks like this:

Okay now that I know I have a user with a specific expiration date, I’m asking LDP whether it can tell me the correct attribute to query for:

Of course it can. “accountExpires” looks good. For the non-expiring Christopher, we have:

That seems to be a hard-coded value. Note the “(never)” behind the value. accountExpires still looks good for our purposes - we’ll take it. Now that we know the attribute we need, we can ask one of our command-line friends for help. I’ll check with ADFind from joeware here:

Stupid me - I forgot that AD keeps storing dates and datetimes a little .. well .. weird. What we see above for Alexander Expire is the number of 100-nanosecond intervals that have to pass from the 1st of January 1601 to the expiry date of his account. I’m not joking. Active Directory stores the expiry date of a user account as the number of 100 ns intervals between 1/1/1601 and the date the account needs to expire.

Calculating by hand: 128977848000000000 / 10000000 (this is the number of seconds) / 60 / 60 (number of hours) / 24 (number of days) / 365 = 408 (which is the number of years between 1601 and now, 2009).

As calculating this really sucks, joe did a great job with ADFind: he included the -tdcs switch that converts the time for us:

Ha! Here we go! Now that we have the results that we wanted, you surely would like to know whether it is possible to get all user accounts that have an expiration date:
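As an added example (not from the post or from joeware), here is the 100 ns conversion from above done in code, including the two raw values that AD treats as “never” (0 and the largest 64-bit signed integer), an inverse conversion for writing the attribute, an “already expired?” check, and an LDAP filter that returns only accounts with an expiry date set. The filter string and function names are my own, not ADFind’s.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# accountExpires counts 100-nanosecond ticks since this instant (UTC).
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Both raw values mean "account never expires": 0 and 0x7FFFFFFFFFFFFFFF
# (the latter is what ADUC writes when "Never" is selected).
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}

# Constructed LDAP filter: user objects whose accountExpires is set to a real
# date, i.e. neither of the two "never" sentinels. Usable with any LDAP client.
EXPIRING_USERS_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(!(accountExpires=0))(!(accountExpires=9223372036854775807)))"
)


def account_expires_to_datetime(ticks: int) -> Optional[datetime]:
    """Raw accountExpires value -> aware UTC datetime, or None for 'never'."""
    if ticks < 0:
        raise ValueError("accountExpires cannot be negative")
    if ticks in NEVER_EXPIRES:
        return None
    # 10 ticks of 100 ns make one microsecond, timedelta's finest unit.
    return AD_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_account_expires(when: datetime) -> int:
    """Inverse conversion, e.g. to build a value for an LDAP modify."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime to avoid local-time drift")
    delta = when.astimezone(timezone.utc) - AD_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def is_expired(ticks: int, now: Optional[datetime] = None) -> bool:
    """True only if an expiry date is set and it already lies in the past."""
    expires = account_expires_to_datetime(ticks)
    if expires is None:
        return False
    return expires <= (now or datetime.now(timezone.utc))


if __name__ == "__main__":
    # The raw value shown in the post for Alexander Expire.
    print(account_expires_to_datetime(128977848000000000))  # 2009-09-18 22:00:00+00:00
    print(account_expires_to_datetime(0x7FFFFFFFFFFFFFFF))  # None
```

The decoded value is 22:00 UTC because ADUC stores “end of day” of the chosen date in the administrator’s local time zone, so compare against an aware UTC timestamp rather than a naive local one.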

More cool stuff on that on joe’s blog:

http://blog.joeware.net/2006/08/11/520/

1 Comment so far

  1. Rick Sheikh on August 13th, 2009

    Here is a PoSH (plus Quest cmdlets) one-liner that lets you find all users in AD that have an expiration date set.

    Get-QADUser -sl 0 -AccountNeverExpires:$false