Overview
Disable-accounts-after-inactivity is a DirXML-Rule that can help enforce an Account Inactivity policy. If you want to expire accounts after some period of inactivity, we thought this was a cool way to do it.
When a user logs in, the Login Time attribute is set. Using that change as the triggering event, the rule sets the Login Expiration Time attribute to the login time plus the configured number of days, after which the user can no longer log in.
Policy:
<rule>
    <description>EXPIRE-AFTER-INACTIVE-DAYS</description>
    <conditions>
        <and>
            <if-op-attr name="Login Time" op="changing"/>
        </and>
    </conditions>
    <actions>
        <do-trace-message>
            <arg-string>
                <token-text xml:space="preserve">Logins will expire for this user on: </token-text>
                <token-convert-time dest-format="!FULL.DATETIME" dest-tz="UTC" offset="$EXPIRE-AFTER-INACTIVE-DAYS$" offset-unit="day" src-format="!CTIME" src-tz="UTC">
                    <token-op-attr name="Login Time"/>
                </token-convert-time>
            </arg-string>
        </do-trace-message>
        <do-set-dest-attr-value name="Login Expiration Time">
            <arg-value type="time">
                <token-convert-time dest-format="!CTIME" dest-tz="UTC" offset="$EXPIRE-AFTER-INACTIVE-DAYS$" offset-unit="day" src-format="!CTIME" src-tz="UTC">
                    <token-op-attr name="Login Time"/>
                </token-convert-time>
            </arg-value>
        </do-set-dest-attr-value>
    </actions>
</rule>
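Because the rule fires only when Login Time changes, accounts that have never logged in are never given an expiration. The following audit is an added example, not part of the original page: it checks an LDIF-style export against what the rule would have written. It assumes the LDAP attribute names loginTime and loginExpirationTime, a 90-day value for EXPIRE-AFTER-INACTIVE-DAYS, and uses constructed sample entries.

```python
from datetime import datetime, timedelta, timezone

EXPIRE_AFTER_INACTIVE_DAYS = 90  # assumed value of the rule's $EXPIRE-AFTER-INACTIVE-DAYS$

# Constructed sample export (LDIF-style); attribute names are assumed LDAP mappings.
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,o=example
loginTime: 20240301120000Z
loginExpirationTime: 20240530120000Z

dn: cn=bob,ou=users,o=example
loginTime: 20240105083000Z

dn: cn=svc-report,ou=users,o=example

dn: cn=carol,ou=users,o=example
loginTime: 20240410090000Z
loginExpirationTime: 20250101000000Z
"""

def parse_time(value):
    """Parse LDAP generalized time (UTC, 'Z' suffix) into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """Yield one dict per blank-line-separated entry (single-valued attributes only)."""
    for block in text.strip().split("\n\n"):
        yield dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)

def audit(text, days=EXPIRE_AFTER_INACTIVE_DAYS):
    """Return {dn: finding}, comparing each entry with what the rule would set."""
    findings = {}
    for entry in parse_ldif(text):
        login, expiry = entry.get("loginTime"), entry.get("loginExpirationTime")
        if login is None:
            # No Login Time change has ever occurred, so the rule never fired.
            findings[entry["dn"]] = "never-logged-in"
        elif expiry is None:
            # Logged in, but no expiration written (e.g. last login predates the rule).
            findings[entry["dn"]] = "expiration-missing"
        elif parse_time(expiry) != parse_time(login) + timedelta(days=days):
            findings[entry["dn"]] = "expiration-mismatch"
        else:
            findings[entry["dn"]] = "ok"
    return findings

if __name__ == "__main__":
    for dn, finding in audit(SAMPLE_LDIF).items():
        print(f"{finding:20} {dn}")
```

Accounts reported as never-logged-in or expiration-missing need a separate control, since this rule alone will not expire them.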