ITOM / Active Directory User Management Expiry Date

[Sam P]

I wish to set Active Directory account expiry to 12 hours after being generated.  I'm using the Calculate Working Date/Time utility and then formatting the date to the required output to send to AD and this is working fine, however when I check the AD account I notice that the expiry is set to the end of the previous day and there is no scope for the time to be included.  Is there an alternative way to achieve a 12 hour expiry? 

The request could be initiated on any given day / time so should not end at midnight as in theory it could have been requested at 23:55 and still be needed for the full 12 hours, not 5 minutes!  Thanks in advance

[Graham]

Hi @Sam P

So we can best understand what's going on, would you mind clarifying how you're processing the expiry date/time once it's been generated? Are you calling one of the ITOM packages and passing this value as a parameter?

Graham

[Sam P]

Hi @Graham thanks, yes using Active Directory User Management - Update operation.  I'm very new to ITOM (like, 1 week in!) so happy to have some pointers or to understand if there is a different/better way.  Thank you.

[Graham]

Hi @Sam P 

Thanks for the update. It looks like you're doing all the right things, so in the first instance, I think we'll need to take a look at the operations inside the User Update package and make sure those are working as expected.

Graham

[Graham]

Hi @Sam P 

To follow up on this, it's now with the development team and an update to the package is expected early next week.

Graham

[Steve G]

Hi @Sam P,

I've been looking at this date issue this morning, and it is working as documented & expected. Check out the output from the ITOM job for a user that I've created via ITOM, note the datetime that has been set: 

Note how the value I've provided is the same as the accountExpires attribute against the user object in Active Directory:

Now, in the Account Expires section of the Account tab, you'll see that the account expires at midnight the previous day:

This is actually a feature of Active Directory (a hangover from legacy NT domains, apparently), and not an issue with the ITOM package. It's definitely odd, but it is documented on the Microsoft website - see the note section from this article as an example:

This article contains a good explanation of what is going on here too: https://www.rlmueller.net/AccountExpires.htm.

Just a heads-up too, the other enhancements that you asked for are done and are currently in testing, so should be available in the next day or so

Cheers,

Steve

[Sam P]

@Steve G thanks for looking in to this, its a little limiting but cannot be helped.  I'll try and work out how to add 24 hours to the account expiry and do it that way.

5 minutes ago, Steve G said:

the other enhancements that you asked for are done and are currently in testing, so should be available in the next day or so

Again - thanks, look forward to the update.

[Steve G]

Hi @Sam P,

Your requested changes are now available for update in the ITOM Package Library:

Thanks,

Steve

[Sam P]

@Steve G Brilliant! Thanks so much

[Sam P]

• IT Automations for Active Directory User Management. Added the ability to set the Change Password At Logon attribute when creating new User objects.

Could this be extended to the Password Reset operation too @Steve G?  Or an option in the Update operation?

[Steve G]

@Sam P Sure, apologies we should have added it there too. We'll get that done and let you know when it's live.

Cheers,

Steve

[Steve G]

Hi @Sam P,

That's done and released to live, give it 5 minutes and it'll be available in the package library on your instance:

Cheers,

Steve

[Sam P]

@Steve G thanks for your help, this is great