Friday, February 14, 2014

AD Account Expiration, search results not giving expected values

I recently ran into a problem when trying to find accounts that were incorrectly set for an expiration date, especially when searching for accounts that were set to never expire.  The attribute in Active Directory is "accountExpires"; however, when dealing with AD PowerShell cmdlets such as Get-ADUser, it is filtered as AccountExpirationDate.  Typically someone may assume that if an account is set to never expire, it should not have a value for this attribute, as it is not mandatory, so a search for Null or Empty on that attribute will give you all of the results.  However, I found in the environment that I was working with that many accounts had the attribute set at some point, but the value was still one that shows in the GUI tools as "never expires".  In this case, the value is one second past the maximum calendar date (value in attribute: December 30, 9999 12:00:00 AM (GMT)).


[datetime]::MaxValue.ToUniversalTime()
    Friday, December 31, 9999 11:59:59 PM

You can get this value by putting it in with the adjusted current time zone, such as this example of US Central Time:

$forever = [datetime]"12/29/9999 6:00:00 PM"

Using the MaxValue property together with the AddSeconds(1) method will fail, because the result would fall outside the range a [datetime] can hold.


Alternatively, the raw AD (file time) format of the value is 9223372036854775807, so you can use an LDAP filter such as:

"(&(objectclass=user)(|(accountexpires=9223372036854775807)(!(accountexpires=*))))"


So when you are trying to find accounts that never expire, you may want to filter in two ways:

1) Attribute is null
2) Attribute is equal to the maximum date value
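The two-way check above, combined into one reusable PowerShell function. This is an added example and not code from the original post; it assumes the ActiveDirectory module (Get-ADUser, Get-ADDomain) and a reachable domain, and the function name Get-NeverExpiringUser and its -SearchBase parameter are my own. It goes one step beyond the post by also matching accountExpires=0, which Microsoft documents as a second "never expires" value, and it avoids the [datetime] overflow the post describes by never converting the sentinel to a date.

```powershell
# Added example, not the original post's code. Assumes the ActiveDirectory
# module and a reachable domain controller.
Import-Module ActiveDirectory

# accountExpires is a 64-bit FILETIME (100-ns ticks since 1601-01-01 UTC).
# Int64.MaxValue (9223372036854775807) is the "never expires" sentinel.
$NeverExpiresSentinel = [Int64]::MaxValue

function Get-NeverExpiringUser {
    param(
        # Assumed parameter: where to search; defaults to the whole domain.
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Both conditions from the post in a single LDAP filter:
    #   1) attribute absent        -> (!(accountExpires=*))
    #   2) attribute = max value   -> (accountExpires=9223372036854775807)
    # plus accountExpires=0, which Microsoft also documents as "never expires".
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(|(!(accountExpires=*))" +
              "(accountExpires=$NeverExpiresSentinel)" +
              "(accountExpires=0)))"

    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties accountExpires |
        Select-Object SamAccountName, Enabled, accountExpires,
            @{ Name = 'ExpiresDisplay'; Expression = {
                # Convert only real dates. The sentinel is beyond DateTime.MaxValue,
                # so FromFileTimeUtc would throw on it (the overflow the post hits).
                if ($null -eq $_.accountExpires -or
                    $_.accountExpires -eq 0 -or
                    $_.accountExpires -eq $NeverExpiresSentinel) {
                    'Never'
                } else {
                    try   { [datetime]::FromFileTimeUtc($_.accountExpires) }
                    catch { 'Beyond [datetime] range' }
                }
            } }
}

# Usage: list the never-expiring accounts, then cross-check the count against the
# cmdlet-level AccountExpirationDate property using the post's two-way test
# (null, or the "forever" date expressed in local time; US Central here).
Get-NeverExpiringUser | Format-Table -AutoSize

$forever = [datetime]"12/29/9999 6:00:00 PM"
Get-ADUser -Filter * -Properties AccountExpirationDate |
    Where-Object { $null -eq $_.AccountExpirationDate -or $_.AccountExpirationDate -eq $forever } |
    Measure-Object
```

The LDAP route is the one to prefer for auditing: it compares the raw attribute, so it does not depend on how a given tool or time zone renders the sentinel, and any account that shows up in the cmdlet-level cross-check but not in the LDAP result is worth a closer look at its actual accountExpires value.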
