Archived from groups: microsoft.public.win2000.active_directory (
More info?)
There are separate flags for "password expired" and "account disabled" in
the AD userAccountControl flag as detailed here:
http://support.microsoft.com/default.aspx?kbid=305144&product=winsvr2003
Using the table described in the URL,
an account is disabled IF RIGHT(HEX(userAccountControl),1) = "2", "3", "A",
or "B".
an account has an expired password IF
EITHER LEN(HEX(userAccountControl)) = 6 AND
LEFT(HEX(userAccountControl),1) = "8", "9", "A", "B", "C", "D", "E", or "F")
OR (LEN(HEX(userAccountControl)) = 7 AND
MID(HEX(userAccountControl),2,1) = "8", "9", "A", "B", "C", "D", "E", or
"F" )
"KurtL" <KL_OExpress@spamex.com> wrote in message
news:%23MnCoZvNFHA.1604@TK2MSFTNGP10.phx.gbl...
> I know that if an account goes past its expired time the disabled setting
is
> not set. So they seem to have a similar affect but use different
settings.
>
> I am trying to decide which setting to use to manage accounts for
employees
> who leave. We have to leave the account in place for a specified amount
of
> time before we can delete it. So I need an easy way to query the AD to
find
> disabled or expired accounts and when they were placed in that state (for
> example fine all disabled or expired accounts that were set over 30 days
> ago)
>
> - Kurt
>
> "Ato Bisda" <atobisda@gmail.com> wrote in message
> news:%23JUU$6uNFHA.3668@TK2MSFTNGP14.phx.gbl...
> >I always thought accounts were disabled and passwords expired - the
latter
> > resulting in a disabled account if the password were not changed in
time.
> >
> > "KurtL" <KL_OExpress@spamex.com> wrote in message
> > news:ev1F7buNFHA.3960@TK2MSFTNGP12.phx.gbl...
> >> What is the difference between disabling an account and expiring an
> > account?
> >>
> >> - Kurt
> >>
> >>
> >
> >
>
>