Setting an Active Directory User Account to Expire at a Specific Time of Day with PowerShell

Notice that in Active Directory Users and Computers (ADUC) when setting the expiration of a user account, there’s only a way to have the account expire at the end of a specific day:

ad-expiration1

The same option exists in the Active Directory Administrative Center (ADAC):

ad-expiration2

In ADAC, you can see the PowerShell command that the GUI uses to accomplish this task:

ad-expiration3

Let’s query that particular property with PowerShell to see exactly what it’s now set to:

ad-expiration4

Notice in the previous results, that there’s not only a date, but a time as well.

Using PowerShell, I’ll set the AccountExpirationDate to the specific date and time when I want the account to expire:

ad-expiration5

Now I’ll double check the value of what that particular property is set to again:

ad-expiration6

One thing I noticed is that once the date and time set for the account to expire was reached, the user was prevented from logging into a pc, but it took a while before they were prevented from logging into Outlook Web Access. Just something to keep in mind 🙂

What if you change your mind after setting this value and want to set it so the account doesn’t expire? Since I originally set this property using the GUI I don’t know what the default value was. I’ll take a look at another account to see what it’s set to:

ad-expiration7

So it needs to be set to nothing. I’ll try setting it to $null to see if that works:

ad-expiration8

Looks like that worked:

ad-expiration9

Note: The examples shown in this blog article require the Remote Server Administration Tools (RSAT) to be installed on the workstation these commands are being run from (specifically, the Active Directory PowerShell module). The workstation these examples were run from has PowerShell version 4 installed so the module auto-loading feature that was introduced in PowerShell version 3 loaded the Active Directory module and there was no need to explicitly import the Active Directory PowerShell module.

µ

 

8 Comments

  1. Gamini

    Hi Mike,

    I need to set the expiry date for 100 users, please suggest me something.

    Thank you.

    Reply
  2. doo doo

    If you have a list than you can use IMPORT-CSV and pipe that into a LOOP and create a header in the csv file like $_.user and it will run though the list. Maybe this will help someone
    import-csv C:\csvfile.csv | foreach-object {Set-ADAccountExpiration -Identity $_.user -DateTime ’12/10/2013 17:00:00′}

    if you want to loop though an ou than, try using Get-ADUser -Filter * -SearchBase “OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM”……….. instead of import-csv

    Reply
  3. Johnny_Utah

    Hi Mike, is there a good way to use this but only have the users disabled for a period of time, say just a week?

    Thanks!

    Reply
  4. Bernadine Grauer

    Hi Mike,
    Is there a way to add 90 days to multiple users in a csv with different expiration dates?
    Thanks,
    -GeekyBern

    Reply
    • ir0c

      Hi Bernadine,

      I’d say if you had those dates in the correct format in the CSV file, you can pipe the expiration data into the PS script, too.

      Reply
  5. Justwannasettime Expirationonauser

    AWESOME. Yet another powershell example that doesn’t first explain what to do to actually make the “solution” work for someone. The term ‘Get-ADUser’ is not recognized as the name of a cmdlet, function, script file, or operable program

    Reply
  6. Justwannasettime Expirationonauser

    Oh, and now I realize you put the prerequisites at the END of your how-to. Interesting.

    Reply

Leave a Reply

%d bloggers like this: