Setting an Active Directory User Account to Expire at a Specific Time of Day with PowerShell

Notice that in Active Directory Users and Computers (ADUC) when setting the expiration of a user account, there’s only a way to have the account expire at the end of a specific day:

ad-expiration1.png

The same option exists in the Active Directory Administrative Center (ADAC):

ad-expiration2.png

In ADAC, you can see the PowerShell command that the GUI uses to accomplish this task:

ad-expiration3.png

Let’s query that particular property with PowerShell to see exactly what it’s now set to:

Get-ADUser -Identity alan0 -Properties AccountExpirationDate |
Select-Object -Property SamAccountName, AccountExpirationDate

ad-expiration4.png

Notice in the previous results that there’s not only a date but a time as well.

Using PowerShell, I’ll set the AccountExpirationDate to the specific date and time when I want the account to expire:

Set-ADAccountExpiration -Identity alan0 -DateTime '12/10/2013 17:00:00'

ad-expiration5.png

Now I’ll double check the value of what that particular property is set to again:

Get-ADUser -Identity alan0 -Properties AccountExpirationDate |
Select-Object -Property SamAccountName, AccountExpirationDate

ad-expiration6.png

One thing I noticed is that once the date and time set for the account to expire was reached, the user was prevented from logging into a PC, but it took a while before they were prevented from logging into Outlook Web Access. Just something to keep in mind 🙂

What if you change your mind after setting this value and want to set it so the account doesn’t expire? Since I originally set this property using the GUI I don’t know what the default value was. I’ll take a look at another account to see what it’s set to:

Get-ADUser -Identity jason0 -Properties AccountExpirationDate |
Select-Object -Property SamAccountName, AccountExpirationDate

ad-expiration7.png

So it needs to be set to nothing. I’ll try setting it to $null to see if that works:

Set-ADAccountExpiration -Identity alan0 -DateTime $null

ad-expiration8.png

Looks like that worked:

Get-ADUser -Identity alan0 -Properties AccountExpirationDate |
Select-Object -Property SamAccountName, AccountExpirationDate

ad-expiration9.png
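The whole procedure as one script, added here as an example that is not from the original post. It reuses the article's sample account alan0 and its date, builds the timestamp from components so it does not depend on the workstation's date format, and also reads the raw accountExpires attribute to show the UTC value the directory stores. The function names Set-ExpirationAt and Get-ExpirationDetail are hypothetical.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Set-ExpirationAt {
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [datetime] $When       # interpreted as local time
    )
    Set-ADAccountExpiration -Identity $Identity -DateTime $When
}

function Get-ExpirationDetail {
    param([Parameter(Mandatory)] [string] $Identity)

    $user = Get-ADUser -Identity $Identity -Properties AccountExpirationDate, accountExpires

    # accountExpires is a FILETIME (100 ns ticks since 1601-01-01 UTC).
    # 0 and Int64.MaxValue both mean "never expires".
    $raw = [long]$user.accountExpires
    $utc = if ($raw -eq 0 -or $raw -eq [long]::MaxValue) { $null }
           else { [datetime]::FromFileTimeUtc($raw) }

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        ExpiresLocal   = $user.AccountExpirationDate   # $null when the account never expires
        ExpiresUtc     = $utc
        NeverExpires   = ($null -eq $utc)
    }
}

# '12/10/2013 17:00:00' parses as December 10 under en-US but as 12 October under
# cultures that put the day first, so build the value from year, month, day, time.
$when = New-Object -TypeName datetime -ArgumentList 2013, 12, 10, 17, 0, 0

Set-ExpirationAt -Identity 'alan0' -When $when
Get-ExpirationDetail -Identity 'alan0'

# Remove the expiration again. Clear-ADAccountExpiration is the module's dedicated
# cmdlet for this and gives the same end state as passing $null above.
Clear-ADAccountExpiration -Identity 'alan0'
Get-ExpirationDetail -Identity 'alan0'
```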

Note: The examples shown in this blog article require the Remote Server Administration Tools (RSAT) to be installed on the workstation these commands are being run from (specifically, the Active Directory PowerShell module). The workstation these examples were run from has PowerShell version 4 installed so the module auto-loading feature that was introduced in PowerShell version 3 loaded the Active Directory module and there was no need to explicitly import the Active Directory PowerShell module.
