Changing account expiration date for multiple active directory accounts


Not Ranked
Posts 4
caz42767 Posted: 07-25-2011 10:43 AM

I've been endlessly searching for a script to change the expiration date of multiple users in a particular organizational unit. I haven't had much luck, can anyone help?

Top 25 Contributor
Posts 296
Microsoft MVP
Top Contributor

try this

$date = "01/01/2012 00:00:00"

$ou = [adsi]"LDAP://ou=test,dc=manticore,dc=org"

$search = [System.DirectoryServices.DirectorySearcher]$ou
$search.Filter = "(&(objectclass=user)(objectcategory=user))"
$search.SizeLimit = 3000
$results = $search.FindAll()

foreach ($result in $results){

 $target = $result.GetDirectoryEntry()
 $target.AccountExpirationDate = $date
 $target.SetInfo()
}

The date shows the start of a day. The account expires at the end of the previous day.

Set the OU, search for all users and set the AccountExpirationDate - note that it is a string not a date.

On my Windows 2008 R2 system this worked and the correct date was shown in ADSIEdit. AD Users and Computers showed a date that was 1 day earlier.

Not Ranked
Posts 4

Thank you for your reply. When running your suggestion I got the following error:

Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server.
"
At line:1 char:27
+ $results = $search.FindAll <<<< ()
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

I wish I spoke that language, haha. If this error message is gibberish for you also, let me ask you this: I originally created the accounts in bulk from a .CSV file. Do you know if there is a way to add a column in my .CSV file to set the expiration attribute to 30 days from creation?

Top 25 Contributor
Posts 296
Microsoft MVP
Top Contributor

Did you change the OU to one in your domain?

Not Ranked
Posts 4

I had a typo in my domain, added an extra .edu! It now works, thank you so much for your help!

Top 25 Contributor
Posts 296
Microsoft MVP
Top Contributor

You don't need a column for the date.

All you need to do is include this code when you create the user account

I'm presuming that $user is the user object you are creating - change to match your script

$expiry = (Get-Date).AddDays(30).ToShortDateString()

$user.AccountExpirationDate = $expiry
$user.SetInfo()

Just a thought - did you use the date in my script? If you are in the US or somewhere where the convention is month/day/year

Not Ranked
Posts 4

Oh I see, I will try it with this included in the code.

I did use the date in your script, and it works perfect! Thanks again.

Not Ranked
Posts 1

Thank you so much for this quick and easy script.  You saved me from having to manually change 600+ accounts in a matter of a few hours.

Not Ranked
Posts 1

Hi

I am also looking for the same script, but I am new to the world of PowerShell. Currently we set all user accounts' expiry date to 90 days from the date of creation. After 90 days I have to manually log in to the server and change the expiry date, which is time consuming, so I need your help to make it automatic.

Please share the script and the procedure to execute it.

It will help me a lot.

Regards,

Shivaone

Top 25 Contributor
Posts 170

Shivaone,

This code may be useful to you.

ForEach ($User in (Get-ADUser -Filter * -Properties AccountExpires))
{
    # Retrieve the date that a user account will expire as a DateTime object.
    $EXPDate = $User |
        Select-Object -ExpandProperty AccountExpires |
        ForEach-Object {

            # If the account is set to never expire, then do not change the date.
            # (AccountExpires is 0 or 9223372036854775807 when no expiry is set.)
            If (($User.AccountExpires -ne 9223372036854775807) -and ($User.AccountExpires -gt 0))
            {
                # AccountExpires counts from the year 1601, [DateTime] from year 1.
                $Date = [DateTime]$_
                Write-Output $Date.AddYears(1600).ToLocalTime()

                # Set the expiration date for 90 days into the future
                # (-AccountExpirationDate takes a DateTime, so pass it directly).
                $User | Set-ADUser -AccountExpirationDate (Get-Date).AddDays(90)
            }
        } # End: ForEach-Object loop
} # End: ForEach ($User in (Get-ADUser -filter * -Properties AccountExpires))

 

You will need access to the Active Directory module on the client/server that you are running this script from. This module is only available on Domain Controllers and clients that have the Remote Server Administration Tools (RSAT) installed.

As for scheduling this script to run, take a look at the help files for the cmdlets in the PSScheduledJob module.

Get-Command -Module PSScheduledJob

One last thing. This code was created and tested in a Windows 8/2012 environment with PowerShell V3. If you are using V2, you need to add this line to the beginning of the code.

Import-Module ActiveDirectory
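
An added example, not part of the original thread or any poster's code: a scoped variant of the bulk expiry update discussed above. It decodes the raw accountExpires value, limits the change to one OU and to enabled accounts that are about to expire (so accounts that have already expired are not silently reactivated), and supports -WhatIf. The function names, the 14-day window and the reuse of the thread's sample OU are assumptions; it needs the ActiveDirectory module and PowerShell V3 or later.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT), PowerShell V3+.
Import-Module ActiveDirectory

function Convert-AccountExpires {   # hypothetical helper name
    # accountExpires is a FILETIME: 100-ns intervals since 1601-01-01 UTC.
    # 0 and 9223372036854775807 both mean "never expires".
    param([Int64]$Value)
    if ($Value -eq 0 -or $Value -eq [Int64]::MaxValue) { return $null }
    [DateTime]::FromFileTimeUtc($Value).ToLocalTime()
}

function Set-OuAccountExpiry {      # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [int]$Days = 90,                 # new lifetime, counted from today
        [int]$ExpiringWithinDays = 14    # assumed renewal window
    )
    $now       = Get-Date
    $newExpiry = $now.Date.AddDays($Days)   # midnight: usable through the previous day
    $users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties accountExpires

    foreach ($u in $users) {
        $current = Convert-AccountExpires $u.accountExpires
        # Leave alone: never-expiring accounts, accounts that already expired
        # (review those by hand), and accounts not yet inside the window.
        if ($null -eq $current) { continue }
        if ($current -lt $now -or $current -gt $now.AddDays($ExpiringWithinDays)) { continue }

        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set account expiry to $newExpiry")) {
            Set-ADAccountExpiration -Identity $u -DateTime $newExpiry
        }
        # One record per touched (or, with -WhatIf, would-be touched) account for the change log.
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            OldExpiry      = $current
            NewExpiry      = $newExpiry
        }
    }
}

# Dry run against the sample OU used earlier in the thread; drop -WhatIf to apply.
Set-OuAccountExpiry -SearchBase 'ou=test,dc=manticore,dc=org' -WhatIf
```

Piping the output to Export-Csv gives a record of the old and new expiry dates for each account that was changed.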

Copyright 2012 PowerShell.com. All rights reserved.