Q. How can I query all user accounts for a specific account expiration date?

The account expiration date is stored in the accountExpires attribute and contain a date and time as a 64-bit number, like 126822420000000000.

It is possible to use DsQuery to retrieve all user records, converting accountExpires to a date and time before testing, or you can use a LDAP query to retrieve all the records, but you still have to convert accountExpires to a date and time.

If you use ADFind.exe, you can take advantage of the -binenc and -tdcs switches,like:

adfind -default -nodn -csv -tdcs -binenc -f "&(objectcategory=Person)(accountexpires>=\{\{LOCAL:2002/11/20\}\})(accountexpires
which produces the following output in my domain:
"distinguishedName","sAMAccountName","accountExpires"
"CN=Jane Doe,CN=Users,DC=JSIINC,DC=COM","Jane.Doe","2002/11/21-01:00:00 Eastern Daylight Time"
"CN=JohnDoe,OU=OU_TEST,DC=JSIINC,DC=COM","John.Doe","2002/11/20-01:00:00 Eastern Daylight Time"
NOTE: Because accountExpires contains date and time, you must search a range of values.


Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish