
Active Directory set accountExpires attribute on a User Account using VBScript


Yas

Aug 18, 2007, 9:26:31 PM
Hello,

I have a list of sAMAccountNames. I use ADO to find the account in
AD....
The search ends with...
Set objUser = GetObject (objRecordSet.Fields(0).Value)


All I would like to do is set the accountExpires date attribute to
yesterday's date... but I'm quite unfamiliar with this AD attribute
and how to set it using VBScript...the format of the date etc

I guess it would be something like...

objUser.Put accountExpires, <yesterday>


Any help or advice would be greatly appreciated.
Thanks

Yas

Richard Mueller [MVP]

Aug 18, 2007, 9:59:08 PM
Yas wrote:

> I have a list of sAMAccountNames. I use ADO to find the account in
> AD....
> The search ends with...
> Set objUser = GetObject (objRecordSet.Fields(0).Value)
>
>
> All I would like to do is set the accountExpires date attribute to
> yesterday's date... but I'm quite unfamiliar with this AD attribute
> and how to set it using VBScript...the format of the date etc
>
> I guess it would be something like...
>
> objUser.Put accountExpires, <yesterday>
>

The accountExpires attribute is Integer8, a 64-bit number representing a
date/time (in UTC) as the number of 100-nanosecond intervals since 12:00 AM
January 1, 1601. VBScript cannot handle 64-bit numbers and cannot assign
values to accountExpires. However, the IADsUser interface exposes the
AccountExpirationDate method (read/write). It accepts regular date/time
values in the local time zone and assigns the appropriate Integer8 value to
the accountExpires attribute. In brief:

objUser.AccountExpirationDate = #9/28/2007 13:00#
objUser.SetInfo

See this link for a discussion of accountExpires, AccountExpirationDate, and
the expiration dates seen in ADUC.

http://www.rlmueller.net/AccountExpires.htm

See this link for a discussion on handling Integer8 attributes in VBScript:

http://www.rlmueller.net/Integer8Attributes.htm

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--


Yas

Aug 22, 2007, 6:55:53 AM
On 19 Aug, 03:59, "Richard Mueller [MVP]" <rlmueller-nos...@ameritech.nospam.net> wrote:
> Yas wrote:

Thanks Richard very helpful. I have just one question. I wanted to put
a check to see if the AccountExpirationDate is already set so I put
something like...

If IsNull(objUser.AccountExpirationDate) Then

SET AccountExpirationDate
Else
print AccountExpirationDate is already set

But it always goes to Else and the date it prints is 1/1/1601 2:00:00
AM ??

What's that about?

Thanks again

Yas

Richard Mueller [MVP]

Aug 22, 2007, 4:08:05 PM
>
>
> Thanks Richard very helpful. I have just one question. I wanted to put
> a check to see if the AccountExpirationDate is already set so I put
> something like...
>
> If IsNull(objUser.AccountExpirationDate) Then
>
> SET AccountExpirationDate
> Else
> print AccountExpirationDate is already set
>
> But it always goes to Else and the date it prints is 1/1/1601 2:00:00
> AM ??
>
> What's that about?
>
> Thanks again
>
> Yas
>

The AccountExpirationDate method has some quirks, which is why I have a page
explaining what I found out about it. 1/1/1601 is the "zero" date. The
method seems to have corrected for your time zone by 2 hours. However, I
thought AccountExpirationDate returned "1/1/1970" in that case (which is a
relic of NT and has no meaning at all).

If the account does not expire, the actual accountExpires attribute can be
either 0 or 2^63-1. In the first case (which corresponds to 12:00 am Jan. 1,
1601), I thought the AccountExpirationDate method returned 1/1/1970. In the
latter case (the largest number that can be saved in a 64-bit register) the
method raises an error. Both mean "never". The value is never Null.

If I understand what you are trying to do, I would expect the following to
work (assuming you have bound the objUser object):
==============
dtmNewValue = #10/31/2007#

On Error Resume Next
dtmExpire = objUser.AccountExpirationDate
If (Err.Number <> 0) Then
    ' accountExpires must be 2^63-1.
    ' Account has never had an expiration date.
    On Error GoTo 0
    objUser.AccountExpirationDate = dtmNewValue
    objUser.SetInfo
Else
    On Error GoTo 0
    If (dtmExpire = #1/1/1970#) Then
        ' Account is set to never expire.
        objUser.AccountExpirationDate = dtmNewValue
        objUser.SetInfo
    Else
        Wscript.Echo "Expiration date is " & CStr(dtmExpire)
    End If
End If
===========
This link shows a similar Microsoft solution, where they also test for the
date 1/1/1970:

https://www.microsoft.com/technet/scriptcenter/resources/qanda/sept05/hey0902.mspx

Note they need to retrieve distinguishedName (actually, they retrieve
AdsPath) so they can bind to the object. That's the only way to invoke the
AccountExpirationDate method.

If you actually get the date 1/1/1601 2:00 AM, that complicates things. I've
never heard of this. Maybe the solution would be to change the statement:

If (dtmExpire = #1/1/1970#) Then

to:

If (dtmExpire <= #1/1/1970#) Then
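
The Integer8 arithmetic described in the replies above, as an added example that is not part of the original thread: because VBScript cannot hold the 64-bit value, this is written in Python and works on raw accountExpires values such as those found in an LDAP export, treating both 0 and 2^63-1 as "never". The function names, account names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000        # one tick = 100 nanoseconds
NEVER = (0, 2**63 - 1)               # both raw values mean "never expires"


def to_account_expires(moment):
    """Encode a timezone-aware datetime as a raw accountExpires value."""
    if moment.tzinfo is None:
        raise ValueError("naive datetime: the attribute is stored in UTC")
    delta = moment.astimezone(timezone.utc) - EPOCH_1601
    # Integer arithmetic only; a float cannot hold values this large exactly.
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_account_expires(raw):
    """Decode a raw value to a UTC datetime, or None for "never"."""
    raw = int(raw)                   # exports usually carry a decimal string
    if raw in NEVER:
        return None
    if not 0 < raw < 2**63:
        raise ValueError("outside the Integer8 range")
    try:
        # datetime resolves microseconds, so the last tick digit is dropped.
        return EPOCH_1601 + timedelta(microseconds=raw // 10)
    except OverflowError:
        raise ValueError("date is beyond year 9999") from None


def expiry_status(raw, now):
    """Classify one account as 'never', 'expired' or 'active'."""
    expires = from_account_expires(raw)
    if expires is None:
        return "never"
    return "expired" if expires <= now else "active"


# Constructed sample: (sAMAccountName, raw accountExpires) pairs.
NOW = datetime(2007, 8, 22, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("jdoe", "0"),
    ("svc_backup", "9223372036854775807"),
    ("temp01", str(to_account_expires(NOW - timedelta(days=1)))),
    ("contractor7", str(to_account_expires(NOW + timedelta(days=30)))),
]

if __name__ == "__main__":
    for name, raw in SAMPLE:
        print(f"{name:12} {expiry_status(raw, NOW):8} {from_account_expires(raw)}")
```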
