disabled vs expired

KurtL said:
What is the difference between disabling an account and expiring an
account?

I don't believe there is any functional difference,
except in where you go to re-activate it.

It is mostly conceptual or if you prefer related to
how you arranged it: disabling is about taking
a positive immediate action, and expiration is
about setting up a timer to do it automatically at
some time in the future.

It is almost certainly different attributes on the
account properties (internally to the accounts
database) since there is more information to keep
for expiration.

They are both functionally equivalent to lock-out
too -- but of course that is done by the system in
response to a perceived security threat.
 
I always thought accounts were disabled and passwords expired - the latter
resulting in a disabled account if the password were not changed in time.
 
I know that if an account goes past its expired time the disabled setting is
not set. So they seem to have a similar effect but use different settings.

I am trying to decide which setting to use to manage accounts for employees
who leave. We have to leave the account in place for a specified amount of
time before we can delete it. So I need an easy way to query the AD to find
disabled or expired accounts and when they were placed in that state (for
example, find all disabled or expired accounts that were set over 30 days
ago).

- Kurt
 
There are separate flags for "password expired" and "account disabled" in
the AD userAccountControl flag as detailed here:
http://support.microsoft.com/default.aspx?kbid=305144&product=winsvr2003

Using the table described in the URL,

an account is disabled IF RIGHT(HEX(userAccountControl),1) = "2", "3", "A",
or "B".

an account has an expired password IF
EITHER (LEN(HEX(userAccountControl)) = 6 AND
LEFT(HEX(userAccountControl),1) = "8", "9", "A", "B", "C", "D", "E", or "F")
OR (LEN(HEX(userAccountControl)) = 7 AND
MID(HEX(userAccountControl),2,1) = "8", "9", "A", "B", "C", "D", "E", or
"F")
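An added example (not from any poster in this thread) of the query Kurt asked for: decoding userAccountControl and accountExpires from directory results and listing accounts that have been disabled or expired for more than 30 days. The attribute names are the real AD ones, but the sample entries are constructed; note that on AD the PASSWORD_EXPIRED bit is reported through the computed attribute msDS-User-Account-Control-Computed rather than stored in userAccountControl.

```python
from datetime import datetime, timedelta, timezone
# userAccountControl bits (values from the Microsoft KB referenced above).
ACCOUNTDISABLE = 0x0002
PASSWORD_EXPIRED = 0x800000
# accountExpires is a FILETIME (100-ns ticks since 1601 UTC); 0 and 0x7FFF... mean "never".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
UTC = timezone.utc

def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def account_state(uac, account_expires, now):
    # Bit tests are equivalent to the hex-digit rules above and also cover digits
    # where neighbouring bits happen to be set at the same time.
    states = set()
    if uac & ACCOUNTDISABLE:
        states.add("disabled")
    if uac & PASSWORD_EXPIRED:
        states.add("password-expired")
    if account_expires not in NEVER_EXPIRES and filetime_to_datetime(account_expires) <= now:
        states.add("account-expired")
    return states

def stale_inactive_accounts(entries, now, min_days=30):
    # accountExpires records exactly when an expiry took effect. AD keeps no timestamp
    # for the disable action, so whenChanged (last write) is only an approximation.
    cutoff = now - timedelta(days=min_days)
    found = []
    for e in entries:
        states = account_state(e["userAccountControl"], e["accountExpires"], now)
        if "account-expired" in states:
            since = filetime_to_datetime(e["accountExpires"])
        elif "disabled" in states:
            since = e["whenChanged"]
        else:
            continue
        if since <= cutoff:
            found.append((e["sAMAccountName"], sorted(states), since))
    return found

NOW = datetime(2004, 3, 1, tzinfo=UTC)
# Constructed sample entries, not real directory data (0x200 = NORMAL_ACCOUNT).
SAMPLE = [
    {"sAMAccountName": "leaver1", "userAccountControl": 0x202, "accountExpires": 0x7FFFFFFFFFFFFFFF, "whenChanged": datetime(2004, 1, 10, tzinfo=UTC)},
    {"sAMAccountName": "temp1", "userAccountControl": 0x200, "accountExpires": datetime_to_filetime(datetime(2003, 12, 31, tzinfo=UTC)), "whenChanged": datetime(2003, 6, 1, tzinfo=UTC)},
    {"sAMAccountName": "leaver2", "userAccountControl": 0x202, "accountExpires": 0, "whenChanged": datetime(2004, 2, 20, tzinfo=UTC)},
    {"sAMAccountName": "active1", "userAccountControl": 0x800200, "accountExpires": 0, "whenChanged": datetime(2004, 2, 1, tzinfo=UTC)},
]
```

Against a live directory the same functions apply unchanged to the attribute values returned by an LDAP query; only the SAMPLE list is replaced.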
 
Ato Bisda said:
I always thought accounts were disabled and passwords expired - the latter
resulting in a disabled account if the password were not changed in time.

Many admins never set accounts to expire, but this is an
old capability going back to NT domains.

It is most suitable for (known) temporary workers who
will spend a few months or other limited time with your
company.
 