Jump to content

ITOM / Active Directory User Management Expiry Date

Sam P

By Sam P
in IT Operations Management

 Share

Recommended Posts

Sam P Experienced

Sam P

Posted
Posted

I wish to set Active Directory account expiry to 12 hours after being generated.  I'm using the Calculate Working Date/Time utility and then formatting the date to the required output to send to AD and this is working fine, however when I check the AD account I notice that the expiry is set to the end of the previous day and there is no scope for the time to be included.  Is there an alternative way to achieve a 12 hour expiry? 

The request could be initiated on any given day / time so should not end at midnight as in theory it could have been requested at 23:55 and still be needed for the full 12 hours, not 5 minutes!  Thanks in advance

image.png.63435a24f9b17bd3d354a80ed8e277a6.pngimage.png.d5fcbe53c201b5f5cdc9b535b33d62d6.pngimage.png.3f6d879cbacc01e762e444b1d142d6af.png

Graham Enthusiast

Graham

Posted
Posted

Hi @Sam P

So we can best understand what's going on, would you mind clarifying how you're processing the expiry date/time once it's been generated? Are you calling one of the ITOM packages and passing this value as a parameter?

Graham

Sam P Experienced

Sam P

Posted
  • Author
Posted

Hi @Graham thanks, yes using Active Directory User Management - Update operation.  I'm very new to ITOM (like, 1 week in!) so happy to have some pointers or to understand if there is a different/better way.  Thank you.

image.png.5e5dc6fa07cf9bf30f234f5bb0d9e8fc.png

Graham Enthusiast

Graham

Posted
Posted

Hi @Sam P 

Thanks for the update. It looks like you're doing all the right things, so in the first instance, I think we'll need to take a look at the operations inside the User Update package and make sure those are working as expected.

Graham

  • Thanks 1
  • 2 weeks later...
Steve G Mentor

Steve G

Posted
Posted

Hi @Sam P,

I've been looking at this date issue this morning, and it is working as documented & expected. Check out the output from the ITOM job for a user that I've created via ITOM, note the datetime that has been set: 

image.png

Note how the value I've provided is the same as the accountExpires attribute against the user object in Active Directory:

image.png

Now, in the Account Expires section of the Account tab, you'll see that the account expires at midnight the previous day:

image.png

This is actually a feature of Active Directory (a hangover from legacy NT domains, apparently), and not an issue with the ITOM package. It's definitely odd, but it is documented on the Microsoft website - see the note section from this article as an example:

image.png

This article contains a good explanation of what is going on here too: https://www.rlmueller.net/AccountExpires.htm.

Just a heads-up too, the other enhancements that you asked for are done and are currently in testing, so should be available in the next day or so :)

Cheers,

Steve

Sam P Experienced

Sam P

Posted
  • Author
Posted

@Steve G thanks for looking in to this, its a little limiting but cannot be helped.  I'll try and work out how to add 24 hours to the account expiry and do it that way.

5 minutes ago, Steve G said:

the other enhancements that you asked for are done and are currently in testing, so should be available in the next day or so

Again - thanks, look forward to the update.

Sam P Experienced

Sam P

Posted
  • Author
Posted
  • IT Automations for Active Directory User Management. Added the ability to set the Change Password At Logon attribute when creating new User objects.

Could this be extended to the Password Reset operation too @Steve G?  Or an option in the Update operation?

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...