
AD account Expiry date

Posted: July 25, 2011

In many organisations AD accounts for temporary workers are set to expire when their contract ends. It's also good practice to put an expiry date on the account of anyone who is leaving – that way you know their account won't be available.

Setting the expiry date for all users in an OU is done like this:

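$date = "01/01/2012 00:00:00"
$ou = [adsi]"LDAP://ou=test,dc=manticore,dc=org"
# Default search scope is Subtree, so users in child OUs are included
$search = [System.DirectoryServices.DirectorySearcher]$ou
$search.Filter = "(&(objectclass=user)(objectcategory=user))"
# Without PageSize the server still caps results at its own limit (1000 by default)
$search.SizeLimit = 3000
$results = $search.FindAll()
foreach ($result in $results){
 $target = $result.GetDirectoryEntry()
 $target.AccountExpirationDate = $date
 # Write the change back to the directory
 $target.SetInfo()
}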


The date shows the start of a day but the account expires at the end of the previous day.

The attribute is set correctly in ADSIEdit, but on my Windows 2008 R2 system AD Users and Computers showed a date 1 day earlier, while AD Administrative Center shows the correct date!
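
To confirm what was actually written, rather than trusting a console's rendering, the stored accountExpires value can be read back and converted. This is an added example, not part of the original post; the function names Convert-AccountExpires and Get-OuAccountExpiry and the LastUsableDay column are assumptions made for illustration, and it needs PowerShell 3.0 or later.

```powershell
# Added example: audit account expiry for every user under an OU.
# accountExpires is a count of 100-ns intervals since 1601-01-01 UTC (a FILETIME).
function Convert-AccountExpires {
    param([string]$Name, [Parameter(Mandatory=$true)][Int64]$Raw)

    # 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires"
    if ($Raw -eq 0 -or $Raw -eq [Int64]::MaxValue) {
        return [pscustomobject]@{ Name = $Name; NeverExpires = $true
                                  ExpiresAtLocal = $null; LastUsableDay = $null }
    }
    $local = [DateTime]::FromFileTimeUtc($Raw).ToLocalTime()
    [pscustomobject]@{
        Name           = $Name
        NeverExpires   = $false
        ExpiresAtLocal = $local                    # exact instant the account stops working
        LastUsableDay  = $local.AddTicks(-1).Date  # midnight expiry => the previous day
    }
}

function Get-OuAccountExpiry {
    param([string]$OuPath = 'LDAP://ou=test,dc=manticore,dc=org')

    $search = New-Object System.DirectoryServices.DirectorySearcher([adsi]$OuPath)
    $search.Filter   = '(&(objectclass=user)(objectcategory=user))'
    $search.PageSize = 1000    # enables paging so large OUs are fully returned
    [void]$search.PropertiesToLoad.Add('samaccountname')
    [void]$search.PropertiesToLoad.Add('accountexpires')

    foreach ($r in $search.FindAll()) {
        $vals = $r.Properties['accountexpires']
        # An unset attribute is treated as "never expires"
        $raw  = if ($vals.Count -gt 0) { [Int64]$vals[0] } else { 0 }
        Convert-AccountExpires -Name ([string]$r.Properties['samaccountname'][0]) -Raw $raw
    }
}

# Offline check with constructed values (no domain needed):
$sample = ([datetime]'2012-01-01 00:00:00').ToFileTimeUtc()
Convert-AccountExpires -Name 'temp.worker (constructed)' -Raw $sample
Convert-AccountExpires -Name 'no.expiry (constructed)'   -Raw ([Int64]::MaxValue)

# Against the directory, listing accounts that were missed:
# Get-OuAccountExpiry | Where-Object { $_.NeverExpires }
```

For the constructed midnight value, ExpiresAtLocal is 1 January 2012 00:00 and LastUsableDay is 31 December 2011, which is the one-day difference between the two ways of presenting the same stored value.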
