!!! Overview
[{$pagename}] is a [Microsoft Active Directory] [AttributeType] and represents the date when a [Microsoft Active Directory] account expires.

[{$pagename}] provides functionality similar to [PwdEndTime] from [Draft-behera-ldap-password-policy].

We recommend that when an account is created and the account never expires, this value be set to "0".

A value of:
* 0 or
* 0x7FFFFFFFFFFFFFFF ([9,223,372,036,854,775,807])
indicates that the account never expires.
\\
After creation you could set the value to any desired value.

What we found out was that the [MMC Account Tab] raises an error if it attempts to read the large value.

If a user object has an expiration date, and then you remove this date in [ADUC] by selecting "Never" on the "Account" tab, the GUI sets [{$pagename}] to 0. Thus, the values 0 and 2^63 - 1 both really mean "Never".[1]

!! [LDAP] ([Microsoft Active Directory]) [Attribute] Definition
The [{$pagename}] [AttributeTypes] is defined as:
* [CN|Cn]: [Account-Expires]
* [OID] of [1.2.840.113556.1.4.159]
* [NAME|Attribute-Name]: [{$pagename}]
* [DESC]: represents the [date] when a [Microsoft Active Directory] account expires.
* [EQUALITY]: []
* [ORDERING]: []
* [SYNTAX]: [2.5.5.16] ([LargeInteger] or [LargeInteger Date])
* [LOWERBOUND]:
* [UPPERBOUND]:
* [OMSyntax]: 65
* [SchemaIDGUID]: [bf967915-0de6-11d0-a285-00aa003049e2]
* [mapiID]:
* [SINGLE-VALUE]
* [USAGE]: [UserApplications]
* [Extended Flags]:
** [X-ORIGIN]: [MS-ADSA]
* [X-SYSTEMFLAGS]
** [FLAG_SCHEMA_BASE_OBJECT]
* [X-SCHEMAFLAGSEx]
** [FLAG_ATTR_IS_CRITICAL]
* [X-SEARCH-FLAGS]
** [fCOPY]
* Used as [MUST] in:
**
* Used as [MAY] in:
**

! Implementations
* [Windows Server 2000]
* [Windows Server 2003]
* [ADAM]
* [Windows Server 2003 R2]
* [Windows Server 2008]

!! [Synchronization] with Other [Applications]
For example, if you set an account in [eDirectory] to expire on July 15, 2007, at 5:00 p.m., the last full day this account is valid in [Microsoft Active Directory] is July 14.
If you use the [Microsoft Management Console] to set the account to expire on July 15, 2007, the eDirectory attribute of [Login Expiration Time] is set to expire on July 16, 2007 at 12:00 a.m. Because the Microsoft Management Console does not allow for a value of [time] to be set, the default is [12:00 a.m.|midnight].

Setting the value of [{$pagename}] to "-1" in AD will cause [eDirectory] to be set to: Feb 7, 2106 1:28:15 AM EST (21060207062815Z).

!! [Microsoft Active Directory]
If a user object in [Microsoft Active Directory] has never had an expiration [date] set, the [accountExpires] attribute is set to [9,223,372,036,854,775,807]. Obviously this represents a date so far in the future that it cannot be interpreted as anything but ''__never__''.

Several "Date" attributes in Active Directory have a data type ([LDAPSyntaxes]) called [LargeInteger], for which [{$applicationname}] uses the term [LargeInteger Date]; they are also referred to as [integer8].

! [MMC Account Tab]
The values for this can be set on the [MMC Account Tab] within the [MMC].

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Account Expiration|http://www.rlmueller.net/AccountExpires.htm|target='_blank'] - based on 2013-04-10
* [#2] - [Account-Expires attribute|http://msdn.microsoft.com/en-us/library/windows/desktop/ms675098(v=vs.85).aspx|target='_blank'] - based on 2013-04-10
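
The following is an added example, not part of the original page or of any Microsoft tooling: a Python sketch for auditing accountExpires values that treats both "never" sentinels described above (0 and 0x7FFFFFFFFFFFFFFF) identically and converts every other value from the LargeInteger Date form (100-nanosecond intervals since 1601-01-01 UTC). The account names and sample values are constructed, and reporting negative or out-of-range values such as "-1" as invalid is this example's choice.

```python
from datetime import datetime, timedelta, timezone

# LargeInteger Date: 100-ns intervals since 1601-01-01 UTC.
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
USEC = timedelta(microseconds=1)            # 10 intervals per microsecond
NEVER = {0, 0x7FFFFFFFFFFFFFFF}             # both sentinels mean "never expires"
# Largest value Python's datetime can represent (year 9999).
MAX_TICKS = (datetime.max.replace(tzinfo=timezone.utc) - EPOCH) // USEC * 10


def encode_account_expires(when):
    """Convert a timezone-aware datetime to an accountExpires integer."""
    return (when - EPOCH) // USEC * 10


def decode_account_expires(raw):
    """Return ("never", None), ("date", datetime) or ("invalid", None)."""
    try:
        ticks = int(raw.decode() if isinstance(raw, bytes) else raw)
    except (TypeError, ValueError):
        return ("invalid", None)
    if ticks in NEVER:
        return ("never", None)
    if ticks < 0 or ticks > MAX_TICKS:      # example's choice: flag, do not guess
        return ("invalid", None)
    return ("date", EPOCH + timedelta(microseconds=ticks // 10))


def audit(entries, now):
    """Group {account: raw accountExpires} into never/expired/active/invalid."""
    report = {"never": [], "expired": [], "active": [], "invalid": []}
    for name, raw in entries.items():
        state, when = decode_account_expires(raw)
        if state == "date":
            state = "expired" if when <= now else "active"
        report[state].append(name)
    return report


# Constructed sample data (hypothetical accounts); LDAP returns str or bytes.
SAMPLE = {
    "svc-backup": "9223372036854775807",    # never had an expiration set
    "alice": "0",                           # "Never" selected in the GUI
    "contractor": b"128289312000000000",    # 2007-07-15 00:00:00 UTC
    "bob": str(encode_account_expires(datetime(2030, 1, 1, tzinfo=timezone.utc))),
    "sync-test": "-1",
}

if __name__ == "__main__":
    now = datetime(2013, 4, 10, tzinfo=timezone.utc)
    for state, names in audit(SAMPLE, now).items():
        print(f"{state:8} {', '.join(names)}")
```

Accounts reported under "never" are the ones to review against your account lifecycle policy, since either sentinel disables expiration.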