Set-ADAccountExpiration setting shows wrong in ADUC

This topic contains 6 replies, has 5 voices, and was last updated by  edwin arlington 2 months, 3 weeks ago.

  • Author
    Posts
  • #79697

    Ian Hockett
    Participant

    This is probably more of an Active Directory question, but wanted to ask here first in case anyone has experienced this and in case I am doing something incorrect with the PS code.

    I am updating an Active Directory user account expiration date. First I verify it is null:

    Get-ADuser -Identity ZTest -Properties AccountExpirationDate

    Then I change the expiration date:

    Set-ADAccountExpiration -Identity ZTest -DateTime "10/06/17 17:00:00"

    Checking again, and now the setting shows "10/6/2017 5:00:00 PM". Great! However, when I verify the setting in ADUC, it shows that the account is ending at the end of 10/5/17. I'm aware that if you only specify a day and not a time, it will expire the account at midnight and will show up as the date prior. But I am doing something different, and if what ADUC displays is correct, then the account will expire at the end of the day 10/5/17 (midnight) when I actually need it to expire at the end of the business day on 10/6/17.

    If this is beyond the scope of this forum I'll be happy to ask elsewhere if anyone has any suggestions for AD/Powershell related issues.

  • #79715

    Simon B
    Participant
    • #79721

      Ian Hockett
      Participant

      Thank you both. Simon, that link perfectly answers my question.

  • #79718

    Rick
    Participant

    I think it's working as expected. Account expiration does not take a time component. So if you expire the account on 10/6/17 it means the account is valid until 10/5/17 11:59:59. So to allow the account to function through 10/6/17 you would expire it on 10/7/17 which expires it on 10/6/17 at 11:59:59.

  • #79879

    Ron
    Participant

    The expiration date does support a full timestamp, ADUC does not allow you to set it. It shows the last full day where the account will work. You can set it for 5pm on a specific day, you just have to use Powershell or a direct attribute lookup to see or set set the true expiration date/time.

  • #79883

    Rick
    Participant

    Thanks Ron! Didn't even know that. 🙂

  • #79963

    edwin arlington
    Participant

    You could also try Set-ADAccountExpiration cmdlet sets the expiration time for a user, computer or service account.

    Set-ADAccountExpiration [-Identity] [-TimeSpan] [-DateTime] [-AuthType { | }] [-Credential ] [-Partition ] [-PassThru ] [-Server ] [-Confirm] [-WhatIf] []

    Here is related article for your help.

You must be logged in to reply to this topic.