The Open Code Project

Listing expiring Active Directory user accounts with UMRA

June 30th, 2009 by Allan Bogh

Many times people want to view a list of expiring user accounts in Active Directory in order to contact the user or their manager and inform them of the expiring user account. Active Directory administrators will have to edit the user account to manually reset this account expiration, but with User Management Resource Administrator (UMRA) you can develop a system which will reset this expiration based on a website or another process that you have.

In the example below I will be obtaining a list of accounts that will expire in the next 10 days and I will output that list to a CSV file. This CSV file can be processed later using UMRA's Mass module.

Setting up the time window to retrieve all accounts expiring in the next 10 days:

Set expire time to Windows Nanosecond time with UMRA

The LDAP Query Syntax:

(&
    (objectClass=user)
    (accountExpires<=%ExpireLimitNs%)
    (accountExpires>=%CurrentTimeNs%)
    (!(accountExpires=0))
)

The query above searches Active Directory for all user accounts whose expiration falls between the current time and the expire limit, which is 10 days from today. The final clause filters out accounts whose expiration time is not set.

Testing the query using a Generate Generic Table action:

Generate Generic Table setup

%DC% and %DomainDN% are variables which are set to reference the domain controller and the LDAP path of the domain. This can be set to LDAP://domaincontroller/DC=mydomain,DC=local.

LDAP Filter for the Generate Generic Table expiring accounts report

The above image shows the LDAP filter for the report. This filter is specified in a single line.
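The two time bounds and the single-line filter described above can be reproduced outside UMRA to check the values it generates. This is an added example, not part of the original post or of UMRA; the function names are assumptions, and it relies on accountExpires being stored as 100-nanosecond intervals since 1601-01-01 UTC, with 0 and 0x7FFFFFFFFFFFFFFF both meaning "never expires".

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores accountExpires as a count of 100-nanosecond
# intervals since 1601-01-01 00:00:00 UTC (Windows FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # both values mean "no expiration set"


def to_filetime(moment: datetime) -> int:
    """Convert a timezone-aware datetime to a FILETIME integer."""
    delta = moment.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def from_filetime(value: int):
    """Convert accountExpires to a datetime, or None if it never expires."""
    if value in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def expiring_filter(now: datetime, days: int = 10) -> str:
    """Build the post's LDAP filter on one line for the given window."""
    current_ns = to_filetime(now)                       # %CurrentTimeNs%
    limit_ns = to_filetime(now + timedelta(days=days))  # %ExpireLimitNs%
    return (
        "(&(objectClass=user)"
        f"(accountExpires<={limit_ns})"
        f"(accountExpires>={current_ns})"
        "(!(accountExpires=0)))"
    )


if __name__ == "__main__":
    # Constructed sample: the post's publication date used as "now".
    now = datetime(2009, 6, 30, tzinfo=timezone.utc)
    print(expiring_filter(now))
    # Constructed accountExpires values: one inside the window, two "never" markers.
    for raw in (to_filetime(now + timedelta(days=3)), 0, 0x7FFFFFFFFFFFFFFF):
        print(raw, "->", from_filetime(raw))
```

Because the upper bound is far below 0x7FFFFFFFFFFFFFFF and the lower bound is above 0, both "never expires" markers fall outside the range the filter matches.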

Listing attributes of expiring user accounts using the Generate Generic Table action

A number of attributes can be specified in the Generate Generic Table action. I wanted to list the DN of the user account for future reference, the accountExpires time converted to a UMRA date-time stamp, the name of the person, the title of the person, the office location, and an additional attribute which stores some requestor information.

Expiring accounts test

The test shows the accounts listed with the columns displaying the appropriate information.

This table can be assigned to a variable and output to a CSV using the "Manage Table Data" script action. The CSV can be read back into a UMRA project to perform an action on the account, like disabling the user or emailing a manager, or the table can be passed to another project using the For-Each script action.

Using the Manage Table Data action I've set up the script action to export to a CSV file below.

Export table to CSV
