I had an email from someone who needed to expire a bunch of userids immediately. They wanted to expire the accounts instead of disabling them because they wanted the change to be “self-documenting” in terms of when it occurred. They also wanted to expire the accounts instead of the passwords because they didn’t want the users to be able to use the accounts at all: by default, if you expire the password, the user can just change the password. Not to mention that expiring the passwords wouldn’t be “self-documenting” either, since forcing a password to be expired sets pwdLastSet to 0. While you could look at the replication metadata, 90% of your AD admins don’t know that, it is more painful even if you do, and you can’t search on the metadata.[1]
You can easily do this by generating the proper int8 value (the 64-bit FILETIME-style timestamp AD stores in accountExpires), searching for the objects with AdFind (in this case it was all accounts in a specific OU), and then applying that int8 value to the accountExpires attribute of the objects.
Something like:
F:\Dev\Current\CPP\AdFind\Release>adfind -enccurrent 0
AdFind V01.43.00cpp **BETA** Joe Richards (joe@joeware.net) February 2011
129416142148710000
and then performing the find and replace…
adfind -default -rb ou=disabletheseusers -s one -f objectclass=user -dsq | admod accountexpires::129416142148710000 -unsafe
There is another way of accomplishing this that has one less step and is more generic… Just switch to CSV mode and use the *now_int8* expansion variable.
adfind -default -rb ou=disabletheseusers -s one -f objectclass=user -csv | admod -csv -expand accountexpires::{*now_int8*} -unsafe
This will stamp the users in the OU with the current time as of the running of the command.
What if you wanted these accounts to expire in 14 days instead?
adfind -default -rb ou=disabletheseusers -s one -f objectclass=user -csv | admod -csv -expand accountexpires::{*now_int8*:+d:14} -unsafe
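For anyone who wants to see what that int8 value actually is, or to sanity-check a value before stamping it on a few hundred accounts, here is a small Python helper that does the same arithmetic the *now_int8* expansion does. This is an added example, not AdFind or admod code; it assumes only the documented meaning of accountExpires (100-nanosecond ticks since 1601-01-01 UTC, with 0 and 2^63-1 meaning “never expires”) and the value printed above.

```python
from datetime import datetime, timedelta, timezone

# accountExpires is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Both of these mean "account never expires"; neither is a real timestamp.
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)


def to_int8(dt):
    """Encode an aware datetime as the int8 value admod would write to accountExpires."""
    if dt.tzinfo is None:
        raise ValueError("need an aware datetime; accountExpires is stored in UTC")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    whole_seconds = delta.days * 86400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_int8(value):
    """Decode an accountExpires value; returns None for the two never-expires sentinels."""
    if value in NEVER_EXPIRES:
        return None
    # Python datetimes resolve to microseconds, so drop the last decimal digit of ticks.
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def expiry_value(days_from_now=0, now=None):
    """Equivalent of {*now_int8*} (days_from_now=0) or {*now_int8*:+d:N}."""
    now = now or datetime.now(timezone.utc)
    return to_int8(now + timedelta(days=days_from_now))


def describe(value):
    """Human-readable check of a value before you pipe it into admod."""
    when = from_int8(value)
    return "never expires" if when is None else when.isoformat()


if __name__ == "__main__":
    # The value AdFind printed in the post above, decoded back to a date.
    print(describe(129416142148710000))   # 2011-02-08T04:50:14.871000+00:00
    print(expiry_value())                  # expire right now
    print(expiry_value(14))                # expire 14 days from now
```

Decoding the post's own number lands on February 2011, which matches the AdFind banner, so the encoding is right. The sentinel handling matters in practice: an accountExpires of 0 does not mean “expired at the epoch”, it means the account never expires, so any script that compares raw values against “now” without checking for 0 and 2^63-1 will miss exactly the accounts you care about.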
Hope that is useful for you. 🙂
joe
[1] I will write about this more later I think. There is a new feature in the beta of AdFind that I intend to release in the next week that can put you into a position where you can search on metadata though it won’t be real time…