disabled vs expired

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

What is the difference between disabling an account and expiring an account?

- Kurt
 
Guest

"KurtL" <KL_OExpress@spamex.com> wrote in message
news:ev1F7buNFHA.3960@TK2MSFTNGP12.phx.gbl...
> What is the difference between disabling an account and expiring an account?

I don't believe there is any functional difference,
except in where you go to re-activate it.

It is mostly conceptual or, if you prefer, related to
how you arranged it: disabling is about taking
a positive immediate action, and expiration is
about setting up a timer to do it automatically at
some time in the future.

It is almost certainly different attributes on the
account properties (internally to the accounts
database) since there is more information to keep
for expiration.

They are both functionally equivalent to lock-out
too -- but of course that is done by the system in
response to a perceived security threat.
 
Guest

I always thought accounts were disabled and passwords expired - the latter
resulting in a disabled account if the password were not changed in time.

"KurtL" <KL_OExpress@spamex.com> wrote in message
news:ev1F7buNFHA.3960@TK2MSFTNGP12.phx.gbl...
> What is the difference between disabling an account and expiring an account?
>
> - Kurt
 
Guest

I know that if an account goes past its expired time the disabled setting is
not set. So they seem to have a similar effect but use different settings.

I am trying to decide which setting to use to manage accounts for employees
who leave. We have to leave the account in place for a specified amount of
time before we can delete it. So I need an easy way to query the AD to find
disabled or expired accounts and when they were placed in that state (for
example find all disabled or expired accounts that were set over 30 days
ago).

- Kurt

"Ato Bisda" <atobisda@gmail.com> wrote in message
news:#JUU$6uNFHA.3668@TK2MSFTNGP14.phx.gbl...
> I always thought accounts were disabled and passwords expired - the latter
> resulting in a disabled account if the password were not changed in time.
>
> "KurtL" <KL_OExpress@spamex.com> wrote in message
> news:ev1F7buNFHA.3960@TK2MSFTNGP12.phx.gbl...
>> What is the difference between disabling an account and expiring an account?
>>
>> - Kurt
 
Guest

"Ato Bisda" <atobisda@gmail.com> wrote in message
news:#JUU$6uNFHA.3668@TK2MSFTNGP14.phx.gbl...
> I always thought accounts were disabled and passwords expired - the latter
> resulting in a disabled account if the password were not changed in time.

Many admins never set accounts to expire, but this is an
old capability going back to NT domains.

It is most suitable for (known) temporary workers who
will spend a few months or other limited time with your
company.

> "KurtL" <KL_OExpress@spamex.com> wrote in message
> news:ev1F7buNFHA.3960@TK2MSFTNGP12.phx.gbl...
> > What is the difference between disabling an account and expiring an account?
> >
> > - Kurt
 
Guest

There are separate flags for "password expired" and "account disabled" in
the AD userAccountControl flag as detailed here:
http://support.microsoft.com/default.aspx?kbid=305144&product=winsvr2003

Using the table described in the URL,

an account is disabled IF RIGHT(HEX(userAccountControl),1) = "2", "3", "A", or "B".

an account has an expired password IF
EITHER (LEN(HEX(userAccountControl)) = 6 AND
LEFT(HEX(userAccountControl),1) = "8", "9", "A", "B", "C", "D", "E", or "F")
OR (LEN(HEX(userAccountControl)) = 7 AND
MID(HEX(userAccountControl),2,1) = "8", "9", "A", "B", "C", "D", "E", or "F")


"KurtL" <KL_OExpress@spamex.com> wrote in message
news:#MnCoZvNFHA.1604@TK2MSFTNGP10.phx.gbl...
> I know that if an account goes past its expired time the disabled setting is
> not set. So they seem to have a similar effect but use different settings.
>
> I am trying to decide which setting to use to manage accounts for employees
> who leave. We have to leave the account in place for a specified amount of
> time before we can delete it. So I need an easy way to query the AD to find
> disabled or expired accounts and when they were placed in that state (for
> example find all disabled or expired accounts that were set over 30 days
> ago)
>
> - Kurt
>
> "Ato Bisda" <atobisda@gmail.com> wrote in message
> news:#JUU$6uNFHA.3668@TK2MSFTNGP14.phx.gbl...
> > I always thought accounts were disabled and passwords expired - the latter
> > resulting in a disabled account if the password were not changed in time.
> >
> > "KurtL" <KL_OExpress@spamex.com> wrote in message
> > news:ev1F7buNFHA.3960@TK2MSFTNGP12.phx.gbl...
> >> What is the difference between disabling an account and expiring an account?
> >>
> >> - Kurt
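
As an added example (not code from the thread), the flag tests in the reply above can be written as bit masks and compared with the reply's hex-digit tests; it goes beyond the reply by also decoding the `accountExpires` attribute, which holds the account-expiry date the original question asks about. The helper names, the sample rows and the fixed `NOW` date are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Flag values from the userAccountControl table in KB 305144.
ACCOUNTDISABLE = 0x0002
PASSWORD_EXPIRED = 0x800000
# accountExpires counts 100 ns intervals since 1601-01-01 UTC;
# 0 and 0x7FFFFFFFFFFFFFFF both mean the account never expires.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)

def is_disabled(uac):
    return bool(uac & ACCOUNTDISABLE)

def password_expired(uac):
    return bool(uac & PASSWORD_EXPIRED)

def hex_rule_disabled(uac):
    """The reply's string test: last hex digit is 2, 3, A or B."""
    return format(uac, "X")[-1] in "23AB"

def hex_rule_password_expired(uac):
    """The reply's string test on the 6- or 7-digit hex form."""
    h, high = format(uac, "X"), "89ABCDEF"
    return (len(h) == 6 and h[0] in high) or (len(h) == 7 and h[1] in high)

def expiry_time(account_expires):
    """Convert accountExpires to a UTC datetime, or None for 'never'."""
    if account_expires in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=account_expires // 10)

def to_filetime(dt):
    """Build an accountExpires value; used only for the sample rows."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def expired_before(rows, now, days=30):
    """Names whose accountExpires passed more than `days` before `now`."""
    cutoff = now - timedelta(days=days)
    return [name for name, _, exp in rows
            if (t := expiry_time(exp)) is not None and t < cutoff]

# Constructed sample rows: (name, userAccountControl, accountExpires).
NOW = datetime(2005, 4, 1, tzinfo=timezone.utc)
ROWS = [
    ("bob", 0x202, 0x7FFFFFFFFFFFFFFF),                       # disabled, never expires
    ("carol", 0x200, to_filetime(NOW - timedelta(days=45))),  # expired 45 days ago
    ("dave", 0x10200, to_filetime(NOW - timedelta(days=5))),  # expired 5 days ago
    ("erin", 0x800200, 0),                                    # password-expired bit
]
print("expired > 30 days:", expired_before(ROWS, NOW))
```

On Windows Server 2003 and later domains the lockout and password-expired bits are reported in `msDS-User-Account-Control-Computed` rather than in the stored `userAccountControl` value, so pass that attribute to `password_expired` there.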