Overview #AccountExpires is a Microsoft Active Directory AttributeType and represents the date when a Microsoft Active Directory account expires.
We recommend that when an account is created and it should never expire, this value be set to 0.
A value of:
- 0 or
- 0x7FFFFFFFFFFFFFFF (9,223,372,036,854,775,807) indicates that the account never expires.
We found that the MMC Account Tab raises an error if it attempts to read the large value. If a user object has an expiration date and you then remove it in ADUC by selecting "Never" on the "Account" tab, the GUI sets AccountExpires to 0.
Thus, the values 0 and 2^63 - 1 both really mean "Never".
LDAP (Microsoft Active Directory) Attribute Definition#The AccountExpires AttributeType is defined as:
- CN: Account-Expires
- OID of 1.2.840.113556.1.4.159
- NAME: accountExpires (LDAP display name)
- DESC: represents the date when a Microsoft Active Directory account expires.
- SYNTAX: 1.2.840.113556.1.4.906 (LargeInteger, also called Integer8; attributeSyntax 2.5.5.16)
- OMSyntax: 65
- SchemaIDGUID: bf967915-0de6-11d0-a285-00aa003049e2
- USAGE: UserApplications
- Extended Flags:
- Used as MUST in:
- Used as MAY in:
- Present in the schema of:
- Windows 2000 Server
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
Synchronizing with Other Apps #For example, if you set an account in eDirectory to expire on July 15, 2007, at 5:00 p.m., the last full day this account is valid in Active Directory is July 14, because the ADUC Account tab displays the last full day before the stored expiration instant.
If you use the Microsoft Management Console to set the account to expire on July 15, 2007, the eDirectory attribute Login Expiration Time is set to July 16, 2007 at 12:00 a.m. Because the Microsoft Management Console does not allow a time of day to be set, the stored value is midnight at the end of the selected day.
Setting the value to "-1" in AD will cause eDirectory to be set to Feb 7, 2106 1:28:15 AM EST (21060207062815Z), which is 2^32 - 1 seconds after January 1, 1970, the largest value a 32-bit timestamp can hold.
When a Microsoft Active Directory account has never had an expiration date set, the accountExpires attribute is 9,223,372,036,854,775,807. This value is 2^63 - 1 because that is the largest number that can be stored in a signed 64-bit integer. It represents a date so far in the future that it cannot be interpreted as anything but never.
AccountExpires is a 64-bit (8-byte) integer, also referred to as Integer8 or LargeInteger, holding the number of 100-nanosecond intervals since 12:00 AM January 1, 1601 (UTC), the same representation as a Windows FILETIME.
In the .NET Framework (and PowerShell) the same 100-nanosecond unit is called a tick, equal to one ten-millionth of a second; there are 10,000 ticks per millisecond. However, .NET Framework and PowerShell DateTime values count ticks from 12:00 AM January 1, 0001, so converting an AccountExpires value requires accounting for the 1601 epoch, which DateTime.FromFileTimeUtc does for you.
ADSI automatically employs the IADsLargeInteger interface to deal with these 64-bit numbers. This interface has two property methods, HighPart and LowPart, which break the number up into two signed 32-bit numbers; each returns a value between -2^31 and 2^31 - 1. Because LowPart is really an unsigned quantity, the standard method of reassembling the value is HighPart * 2^32 + LowPart, after first adding 1 to HighPart when LowPart is negative. This is demonstrated by the VBScript program that retrieves the domain lockoutDuration value in minutes.
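The following PowerShell is an added example, not code from the original page or from Microsoft, covering both the day-offset behaviour in "Synchronizing with Other Apps" and the Integer8 / tick / IADsLargeInteger handling above. It assumes Windows PowerShell 5.1 or PowerShell 7 and needs no domain connection; all input values are constructed, and the function names are the author's own.

```powershell
# Added example, not code from the original page. Assumes Windows PowerShell 5.1
# or PowerShell 7; no domain connection is needed, every input is constructed.
Set-StrictMode -Version Latest

# Either sentinel means "Never": 0 is what ADUC writes when you pick "Never",
# 2^63-1 ([Int64]::MaxValue) is what an account that never had an expiry holds.
$script:NeverValues = @([int64]0, [int64]::MaxValue)

function ConvertFrom-AccountExpires {
    <# Stored Integer8 -> local DateTime, or $null when the value means "Never". #>
    param([Parameter(Mandatory)][int64]$Value)

    if ($script:NeverValues -contains $Value) { return $null }
    if ($Value -lt 0) {
        # -1 and other negative values are not valid FILETIMEs; FromFileTime would
        # throw ArgumentOutOfRangeException, so fail with a clearer message.
        throw "accountExpires value $Value is negative and not a valid FILETIME"
    }
    # accountExpires is a FILETIME: 100-ns intervals since 1601-01-01 00:00 UTC.
    # DateTime ticks use the same unit but count from 0001-01-01; FromFileTime
    # applies that epoch offset and converts to local time. The 2^63-1 sentinel
    # is also outside the DateTime range, which is why it is checked first.
    return [DateTime]::FromFileTime($Value)
}

function ConvertTo-AccountExpires {
    <# Mirrors the ADUC "End of <date>" convention: the account stays valid for the
       whole of $LastValidDay (local time) and expires at the following midnight. #>
    param([Parameter(Mandatory)][DateTime]$LastValidDay)

    $expiresAt = $LastValidDay.Date.AddDays(1)   # 00:00 local on the next day
    return $expiresAt.ToFileTime()               # Int64 suitable for the attribute
}

function Get-AccountExpiresDisplay {
    <# Renders the value the way the ADUC Account tab does. #>
    param([Parameter(Mandatory)][int64]$Value)

    $expiresAt = ConvertFrom-AccountExpires -Value $Value
    if ($null -eq $expiresAt) { return 'Never' }
    # ADUC shows the last full day, i.e. one day before the stored midnight.
    return 'End of: {0:yyyy-MM-dd}' -f $expiresAt.AddDays(-1)
}

function ConvertFrom-LargeInteger {
    <# Recombines the HighPart/LowPart halves of an ADSI IADsLargeInteger. Both
       halves arrive as signed Int32, so a negative LowPart must be read as its
       unsigned 32-bit equivalent before it is placed under HighPart. #>
    param([Parameter(Mandatory)][int32]$HighPart,
          [Parameter(Mandatory)][int32]$LowPart)

    $low = [int64]$LowPart -band 0xFFFFFFFF      # 0xFFFFFFFF parses as an Int64 literal
    return ([int64]$HighPart -shl 32) -bor $low
}

# --- Worked values (constructed, not read from a real directory) --------------
# 0 and 2^63-1 both display as Never.
Get-AccountExpiresDisplay -Value 0
Get-AccountExpiresDisplay -Value 0x7FFFFFFFFFFFFFFF

# "Expire at the end of 2007-07-15" is stored as midnight 2007-07-16 local.
$stored = ConvertTo-AccountExpires -LastValidDay (Get-Date -Year 2007 -Month 7 -Day 15)
ConvertFrom-AccountExpires -Value $stored      # 2007-07-16 00:00:00 (local)
Get-AccountExpiresDisplay -Value $stored       # End of: 2007-07-15

# The same "never" value as ADSI hands it out: HighPart 0x7FFFFFFF, LowPart -1.
ConvertFrom-LargeInteger -HighPart 0x7FFFFFFF -LowPart -1   # 9223372036854775807
```

Against a live domain (RSAT ActiveDirectory module), `Get-ADUser <sam> -Properties accountExpires` returns the attribute as an Int64 that can be passed straight to `ConvertFrom-AccountExpires`, and `Set-ADUser <sam> -Replace @{accountExpires = $stored}` writes the value produced by `ConvertTo-AccountExpires`. Negative values are rejected rather than clamped, so a sync layer that, like eDirectory, folds them into a 32-bit timestamp is visible as an error instead of a silent date in 2106.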
More Information #There might be more information for this subject on one of the following:
- Account Expiration
- Active Directory User Related Searches
- Converting AD Times
- MMC Account Tab
- User Access Control