Sign-in / Sign-up
Your question

Is it possible to determine the date an account is enabled

Tags:
  • Microsoft
  • Active Directory
  • Windows
Last response: in Windows 2000/NT
Anonymous
April 27, 2005 9:19:50 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi, I have a script that runs over all users in an OU, and if they
have not signed on for 7 days, the account is disabled.

This is working fine, however, if the account is re-enabled but the
users does not signon before the script is run again, the account is
once again disabled.

OK so it is working as expected, I have now been asked if it is
possible to determine when an account was re-enabled and allow a grace
period before the account is disabled.

Other than checking the whenChanged value, is there some other way to
determine when an account has been enabled?
Could checking the whenChanged value produce misleading results?

Thank You
Doug Gelling
Systems Support.

More about : determine date account enabled

Anonymous
April 28, 2005 2:02:54 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Joe, thank you for your reply.
I assumed, given the name, that the value would be updated for any
change, but thought I would check to see if there was anyother way of
doing what I wanted.

May have to look at some other option, or maybe go with the whenChanged
object and hope for the best.

Doug
Anonymous
April 28, 2005 3:13:21 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Yes it could produce misleading results as that value is updated for any change
on the object.

There is no definitive piece of info on the user object to say when it was
enabled, the best is looking at the metadata of the userAccountControl but since
that attribute holds the flags for many settings, even that isn't definitive.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Doug Gelling wrote:
> Hi, I have a script that runs over all users in an OU, and if they
> have not signed on for 7 days, the account is disabled.
>
> This is working fine, however, if the account is re-enabled but the
> users does not signon before the script is run again, the account is
> once again disabled.
>
> OK so it is working as expected, I have now been asked if it is
> possible to determine when an account was re-enabled and allow a grace
> period before the account is disabled.
>
> Other than checking the whenChanged value, is there some other way to
> determine when an account has been enabled?
> Could checking the whenChanged value produce misleading results?
>
> Thank You
> Doug Gelling
> Systems Support.