Overview #

AccountExpires is a Microsoft Active Directory AttributeType and represents the date when a Microsoft Active Directory account expires.

AccountExpires is similar functionality to PwdEndTime form Draft-behera-ldap-password-policy

We recommend when an account is created and the account never expires, then set this value to "0".

A value of:

After creation you could set the value to any desired value.

What we found out was the MMC Account Tab raises an error if it attempts to read the large value. If a user object has an expiration date, and then you remove this date in ADUC by selecting "Never" on the "Account" tab, the GUI sets AccountExpires to 0.

Thus, the values 0 and 2^63 - 1 both really mean "Never".[1]

LDAP (Microsoft Active Directory) Attribute Definition#

The AccountExpires AttributeTypes is defined as:

Implementations #

  • Windows 2000 Server
  • Windows Server 2003
  • ADAM
  • Windows Server 2003 R2
  • Windows Server 2008

Synchronizing with Other Apps #

For example, if you set an account in eDirectory, to expire on July 15, 2007, at 5:00 p.m., the last full day this account is valid in Active Directory is July 14.

If you use the Microsoft Management Console to set the account to expire on July 15, 2007, the eDirectory attribute of Login Expiration Time is set to expire on July 16, 2007 at 12:00 a.m. Because the Microsoft Management Console does not allow for a value of time to be set, the default is 12:00 a.m.

Setting the value to "-1" in AD will cause eDirectory to be set to: Feb 7, 2106 1:28:15 AM EST (21060207062815Z).

Microsoft Active Directory#

If a user object in Microsoft Active Directory has never had an expiration date set, the accountExpires attribute is set to 9,223,372,036,854,775,807. The actual value is 2^63 – 1 is because this the largest number that can be saved as a 64-bit value. Obviously this represents a date so far in the future that it cannot be interpreted as anything but never.

Several "Date" attributes in Active Directory have a data type (LDAPSyntaxes) called LargeInteger.

AccountExpires are 64-bit numbers (8 bytes) and are also referred to as integer8

In .NET Framework (and PowerShell) these 100-nanosecond intervals are called ticks, equal to one ten-millionth of a second. There are 10,000 ticks per millisecond. In addition, .NET Framework and PowerShell DateTime values represent dates as the number of Tick since 12:00 AM January 1, 0001.

ADSI automatically employs the IADsLargeInteger interface to deal with these 64-bit numbers. This interface has two property methods, HighPart and LowPart, which break the number up into two 32-bit numbers. The HighPart and LowPart property methods return values between -2^31 and 2^31 - 1. The standard method of handling these attributes is demonstrated by this VBScript program to retrieve the domain lockoutDuration value in minutes.

MMC Account Tab #

The values for this can be set on the MMC Account Tab within the MMC.

More Information #

There might be more information for this subject on one of the following: