The account expiration date is stored in the accountExpires attribute, which contains a date and time as a 64-bit number, like 126822420000000000.
You can use DsQuery to retrieve all user records, converting accountExpires to a date and time before testing, or you can use an LDAP query to retrieve all the records, but you still have to convert accountExpires to a date and time.
If you use ADFind.exe, you can take advantage of the -binenc and -tdcs switches, like:
adfind -default -nodn -csv -tdcs -binenc -f "&(objectcategory=Person)(accountexpires>={{LOCAL:2002/11/20}})(accountexpires
which produces the following output in my domain:
"distinguishedName","sAMAccountName","accountExpires"
"CN=Jane Doe,CN=Users,DC=JSIINC,DC=COM","Jane.Doe","2002/11/21-01:00:00 Eastern Daylight Time"
"CN=JohnDoe,OU=OU_TEST,DC=JSIINC,DC=COM","John.Doe","2002/11/20-01:00:00 Eastern Daylight Time"
NOTE: Because accountExpires contains date and time, you must search a range of values.
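The conversion and the range search described above can also be done without ADFind. The following is an added example, not part of the original tip: it decodes accountExpires as a count of 100-nanosecond intervals since 1601-01-01 UTC, treats 0 and 0x7FFFFFFFFFFFFFFF as "never expires", and builds a raw-integer LDAP range filter for one local day. The function names and the fixed UTC-5 offset are assumptions chosen for illustration.

```python
from datetime import date, datetime, time, timedelta, timezone

# accountExpires counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Both of these stored values mean the account never expires.
NEVER = (0, 0x7FFFFFFFFFFFFFFF)


def filetime_to_utc(value):
    """Return the expiry as an aware UTC datetime, or None if it never expires."""
    value = int(value)
    if value in NEVER:
        return None
    # Integer microseconds avoid float rounding on 18-digit values.
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def utc_to_filetime(moment):
    """Convert an aware datetime to the 64-bit accountExpires representation."""
    delta = moment.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def expiry_day_filter(day, utc_offset_hours):
    """Build an LDAP filter matching accounts that expire on one local day.

    utc_offset_hours is a fixed offset (assumption: no DST handling).
    LDAP has no strict '<', so the upper bound is the last tick of the day.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    start = datetime.combine(day, time.min, tzinfo=tz)
    low = utc_to_filetime(start)
    high = utc_to_filetime(start + timedelta(days=1)) - 1
    return (f"(&(objectCategory=person)"
            f"(accountExpires>={low})(accountExpires<={high}))")


if __name__ == "__main__":
    # The sample value from the text decodes to midnight at UTC-5.
    print(filetime_to_utc(126822420000000000))
    print(expiry_day_filter(date(2002, 11, 20), -5))
```

Because the bounds are ordinary positive integers below the maximum value, the filter excludes never-expiring accounts without an extra clause.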