Overview #

AccountExpires is a Microsoft Active Directory AttributeType and represents the date when a Microsoft Active Directory account expires.

AccountExpires is similar functionality to PwdEndTime form Draft-behera-ldap-password-policy

We recommend when an account is created and the account never expires, then set this value to "0".

A value of:

• 0 or
• 0x7FFFFFFFFFFFFFFF (9,223,372,036,854,775,807) indicates that the account never expires.
  

After creation you could set the value to any desired value.

What we found out was the MMC Account Tab raises an error if it attempts to read the large value. If a user object has an expiration date, and then you remove this date in ADUC by selecting "Never" on the "Account" tab, the GUI sets AccountExpires to 0.

Thus, the values 0 and 2^63 - 1 both really mean "Never".[1]

LDAP (Microsoft Active Directory) Attribute Definition#

The AccountExpires AttributeTypes is defined as:

• CN: Account-Expires
• OID of 1.2.840.113556.1.4.159
• NAME: AccountExpires
• DESC: represents the date when a Microsoft Active Directory account expires.
• EQUALITY:
• ORDERING:
• SYNTAX: 2.5.5.16 (LargeInteger or LargeInteger Date)
• LOWERBOUND:
• UPPERBOUND:
• OMSyntax: 65
• SchemaIDGUID: bf967915-0de6-11d0-a285-00aa003049e2
• mapiID:
• SINGLE-VALUE
• USAGE: UserApplications
• Extended Flags:
  • X-ORIGIN: MS-ADSA
• X-SYSTEMFLAGS
  • FLAG_SCHEMA_BASE_OBJECT
• X-SCHEMAFLAGSEx
  • FLAG_ATTR_IS_CRITICAL
• X-SEARCH-FLAGS
  • fCOPY
• Used as MUST in:
• Used as MAY in:

Implementations #

• Windows Server 2000
• Windows Server 2003
• ADAM
• Windows Server 2003 R2
• Windows Server 2008

Synchronization with Other Applications #

For example, if you set an account in eDirectory, to expire on July 15, 2007, at 5:00 p.m., the last full day this account is valid in Microsoft Active Directory is July 14.

If you use the Microsoft Management Console to set the account to expire on July 15, 2007, the eDirectory attribute of Login Expiration Time is set to expire on July 16, 2007 at 12:00 a.m. Because the Microsoft Management Console does not allow for a value of time to be set, the default is 12:00 a.m.

Setting the value of AccountExpires to "-1" in AD will cause eDirectory to be set to: Feb 7, 2106 1:28:15 AM EST (21060207062815Z).

Microsoft Active Directory#

If a user object in Microsoft Active Directory has never had an expiration date set, the accountExpires attribute is set to 9,223,372,036,854,775,807. Obviously this represents a date so far in the future that it cannot be interpreted as anything but never.

Several "Date" attributes in Active Directory have a data type (LDAPSyntaxes) called LargeInteger or LDAPWiki use LargeInteger Date and are also referred to as integer8

MMC Account Tab #

The values for this can be set on the MMC Account Tab within the MMC.

More Information #

There might be more information for this subject on one of the following:

• 1.2.840.113556.1.4.159
• Account Expiration
• AccountExpires
• Active Directory RISK Related Searches
• Active Directory User Related Searches
• Converting AD Times
• LDAP Object Identifier Descriptors
• MMC Account Tab
• User
• User Access Control

---

• [#1] - Account Expiration - based on 2013-04-10
• [#2] - Account-Expires attribute - based on 2013-04-10

http://msdn.microsoft.com/en-us/library/windows/desktop/ms675098(v=vs.85).aspx