Overview #AccountExpires is a Microsoft Active Directory AttributeType and represents the date when a Microsoft Active Directory account expires.
We recommend when an account is created and the account never expires, then set this value to "0".
A value of:
- 0 or
- 0x7FFFFFFFFFFFFFFF (9,223,372,036,854,775,807) indicates that the account never expires.
What we found out was the MMC Account Tab raises an error if it attempts to read the large value. If a user object has an expiration date, and then you remove this date in ADUC by selecting "Never" on the "Account" tab, the GUI sets AccountExpires to 0.
Thus, the values 0 and 2^63 - 1 both really mean "Never".
LDAP (Microsoft Active Directory) Attribute Definition#The AccountExpires AttributeTypes is defined as:
- CN: Account-Expires
- OID of 1.2.840.1135220.127.116.11
- NAME: AccountExpires
- DESC: represents the date when a Microsoft Active Directory account expires.
- SYNTAX: 18.104.22.168 (LargeInteger or LargeInteger Date)
- OMSyntax: 65
- SchemaIDGUID: bf967915-0de6-11d0-a285-00aa003049e2
- USAGE: UserApplications
- Extended Flags:
- Used as MUST in:
- Used as MAY in:
Synchronization with Other Applications #For example, if you set an account in eDirectory, to expire on July 15, 2007, at 5:00 p.m., the last full day this account is valid in Microsoft Active Directory is July 14.
If you use the Microsoft Management Console to set the account to expire on July 15, 2007, the eDirectory attribute of Login Expiration Time is set to expire on July 16, 2007 at 12:00 a.m. Because the Microsoft Management Console does not allow for a value of time to be set, the default is 12:00 a.m.
Setting the value of AccountExpires to "-1" in AD will cause eDirectory to be set to: Feb 7, 2106 1:28:15 AM EST (21060207062815Z).Microsoft Active Directory has never had an expiration date set, the accountExpires attribute is set to 9,223,372,036,854,775,807. Obviously this represents a date so far in the future that it cannot be interpreted as anything but never. MMC Account Tab within the MMC.
More Information #There might be more information for this subject on one of the following:
- Account Expiration
- Active Directory RISK Related Searches
- Active Directory User Related Searches
- Converting AD Times
- LDAP Object Identifier Descriptors
- MMC Account Tab
- User Access Control