Module: ActiveDirectory
Sets the expiration date for an Active Directory account.
Syntax
Set-ADAccountExpiration [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-Credential <PSCredential>] [[-DateTime] <DateTime>] [-Identity] <ADAccount> [-Partition <String>] [-PassThru] [-Server <String>] [-TimeSpan <TimeSpan>] [<CommonParameters>]
Description
The Set-ADAccountExpiration cmdlet sets the expiration time for a user, computer, or service account. To specify an exact time, use the DateTime parameter. To specify a time period from the current time, use the TimeSpan parameter.
The Identity parameter specifies the Active Directory account to modify.
You can identify an account by its distinguished name, GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localADAccountObject>, or you can pass an account object through the pipeline to the Identity parameter. For example, you can use the Search-ADAccount cmdlet to retrieve an account object and then pass the object through the pipeline to the Set-ADAccountExpiration cmdlet. Similarly, you can use Get-ADUser, Get-ADComputer, or Get-ADServiceAccount cmdlets to retrieve account objects that you can pass through the pipeline to this cmdlet.
For Active Directory Lightweight Directory Services (AD LDS) environments, the Partition parameter must be specified except in the following two conditions:
- The cmdlet is run from an Active Directory provider drive.
- A default naming context or partition is defined for the AD LDS environment.
To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.
Examples
Example 1: Set the account expiration date for a specified user
PS C:\> Set-ADAccountExpiration -Identity PattiFu -DateTime "10/18/2008"
This command sets the account with SamAccountName PattiFu to expire on the 18th of October, 2008.
Example 2: Set the account expiration date for all user accounts in a specified group
PS C:\> Get-ADGroupMember -Identity BO1Accounts | where {$_.objectClass -eq "user"} | Set-ADAccountExpiration -TimeSpan 60.0:0
This command sets the expiration date of all the user accounts who are a member of the group BO1Accounts to 60 days from now.
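The following is an added example, not part of the original cmdlet documentation: a bulk variant of Example 2 that caps the lifetime of temporary (for instance vendor) accounts and lets you preview the change with -WhatIf. The function name, the OU path and the 90-day ceiling are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Set-TemporaryAccountExpiry, the OU path and the 90-day
# ceiling are assumptions chosen for illustration.

function Set-TemporaryAccountExpiry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # OU that holds the temporary accounts (assumed layout)
        [Parameter(Mandatory = $true)]
        [string] $SearchBase,

        # Longest lifetime, in days, that a temporary account may have
        [ValidateRange(1, 365)]
        [int] $MaxDays = 90
    )

    # -DateTime without a time of day means 12:00:00 AM local time, so the
    # account stops working at the START of the given date. Adding one day
    # keeps the account usable through the whole of day $MaxDays.
    $limit = (Get-Date).Date.AddDays($MaxDays + 1)

    # AccountExpirationDate is empty for accounts that never expire.
    # Select enabled accounts with no expiry or an expiry beyond the ceiling.
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties AccountExpirationDate |
        Where-Object {
            -not $_.AccountExpirationDate -or
            $_.AccountExpirationDate -gt $limit
        } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName,
                                        "Set expiration to $limit")) {
                Set-ADAccountExpiration -Identity $_ -DateTime $limit

                # Read the value back so the run leaves a verifiable record
                Get-ADUser -Identity $_.DistinguishedName `
                           -Properties AccountExpirationDate |
                    Select-Object SamAccountName, AccountExpirationDate
            }
        }
}

# Preview only; nothing is written to the directory:
#   Set-TemporaryAccountExpiry -SearchBase 'OU=Vendors,DC=example,DC=com' -WhatIf
# Apply with a 60-day ceiling:
#   Set-TemporaryAccountExpiry -SearchBase 'OU=Vendors,DC=example,DC=com' -MaxDays 60
```

Accounts that already expire within the ceiling are left untouched, so re-running the function does not extend anyone's access.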
Parameters
-AuthType
Specifies the authentication method to use. The acceptable values for this parameter are:
- Negotiate or 0
- Basic or 1
The default authentication method is Negotiate.
A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.
Type: | ADAuthType |
Accepted values: | Negotiate, Basic |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Credential
Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory module for Windows PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
To specify this parameter, you can type a user name, such as User1 or Domain01\User01, or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.
You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object.
If the acting credentials do not have directory-level permission to perform the task, Active Directory module for Windows PowerShell returns a terminating error.
Type: | PSCredential |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DateTime
Specifies the expiration time for the account by using a DateTime value. Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to be 12:00:00 AM local time. When a date is not specified, the date is assumed to be the current date.
Type: | DateTime |
Position: | 2 |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Identity
Specifies an Active Directory account object by providing one of the following property values. The identifier in parentheses is the Lightweight Directory Access Protocol (LDAP) display name for the attribute. The acceptable values for this parameter are:
- A distinguished name
- A GUID (objectGUID)
- A security identifier (objectSid)
- A SAM account name (sAMAccountName)
The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.
This parameter can also get this object through the pipeline or you can set this parameter to an account object instance.
Derived types such as the following are also accepted:
- Microsoft.ActiveDirectory.Management.ADUser
- Microsoft.ActiveDirectory.Management.ADComputer
- Microsoft.ActiveDirectory.Management.ADServiceAccount
Type: | ADAccount |
Position: | 0 |
Default value: | None |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Partition
Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter.
In many cases, a default value is used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first and once a default value can be determined, no further rules are evaluated.
In Active Directory Domain Services (AD DS) environments, a default value for Partition is set in the following cases:
- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name.
- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive.
- If none of the previous cases apply, the default value of Partition is set to the default partition or naming context of the target domain.
In AD LDS environments, a default value for Partition is set in the following cases:
- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name.
- If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive.
- If the target AD LDS instance has a default naming context, the default value of Partition is set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.
- If none of the previous cases apply, the Partition parameter will not take any default value.
Type: | String |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PassThru
Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Server
Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory snapshot instance.
Specify the Active Directory Domain Services instance in one of the following ways:
Domain name values:
- Fully qualified domain name
- NetBIOS name
Directory server values:
- Fully qualified directory server name
- NetBIOS name
- Fully qualified directory server name and port
The default value for this parameter is determined by one of the following methods in the order that they are listed:
- By using the Server value from objects passed through the pipeline
- By using the server information associated with the Active Directory Domain Services Windows PowerShell provider drive, when the cmdlet runs in that drive
- By using the domain of the computer running Windows PowerShell
Type: | String |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TimeSpan
Specifies a time interval that begins at the current time. The account expires at the end of the time interval.
Specify the time interval in the following format:
[-]D.H:M:S.F
where:
- D = Days (0 to 10675199)
- H = Hours (0 to 23)
- M = Minutes (0 to 59)
- S = Seconds (0 to 59)
- F = Fractions of a second (0 to 9999999)
Note: Time values must be between the following values:
-10675199:02:48:05.4775808 and 10675199:02:48:05.4775807.
Type: | TimeSpan |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
None or Microsoft.ActiveDirectory.Management.ADAccount
An account object is received by the Identity parameter.
Derived types such as the following are also accepted:
- Microsoft.ActiveDirectory.Management.ADUser
- Microsoft.ActiveDirectory.Management.ADComputer
- Microsoft.ActiveDirectory.Management.ADServiceAccount
Outputs
None
Notes
- This cmdlet does not work with an Active Directory snapshot.
- This cmdlet does not work with a read-only domain controller.
Related Links
- Clear-ADAccountExpiration
- Get-ADComputer
- Get-ADServiceAccount
- Get-ADUser
- Search-ADAccount
- AD DS Administration Cmdlets in Windows PowerShell
FAQs
How do I enable Active Directory in PowerShell?
- Type Start PowerShell and press Enter within the Command Prompt window to open a new Windows PowerShell console window.
- Type Add-WindowsFeature AD-Domain-Services and press Enter to install Active Directory Domain Services.
- Click the Management tab.
- Select the Create Single User link.
- Fill up all the attributes required through the tabs shown.
- Click the Accounts tab.
- In Account Properties, enter the time at which you want the account to expire in the Account Expires column.
If you really need to set an account to never expire then you use the Get-MsolUser cmdlet and pipe the user object into the Set-MsolUser command to set the PasswordNeverExpires attribute to $True but you can always change it back by running the command again specifying $False.
How do I get the current date in PowerShell?
The Get-Date cmdlet gets a DateTime object that represents the current date or a date that you specify. Get-Date can format the date and time in several .NET and UNIX formats. You can use Get-Date to generate a date or time character string, and then send the string to other cmdlets or programs.
How do I activate Active Directory based activation?
- Select the Active Directory-Based Activation option.
- Enter your KMS host key and a display name.
- Activate your KMS host key by phone or online.
- After activating the key, click Commit, and then click Close.
- Type Start PowerShell in the Command Prompt window to start Windows PowerShell.
- Type Install-WindowsFeature RSAT and press Enter to install RSAT.
Azure Active Directory (Azure AD) does not include the ability to disable inactive accounts automatically, however, automation can be implemented to provide this administrative function.
What does account expires do in Active Directory?
Account expiry date is used for automation. Consider that you give an AD account temporarily to a vendor, but you might forget to disable it when the job is done. In this case someone might use this account for mischief, so you automate it so that after this period the account is automatically disabled.
What does account expires mean in Active Directory?
On the "Account" tab in ADUC there is a section labeled "Account expires". You can select either "Never" or "End of". If you select "End of" you can pick a date. Presumably the account will expire at midnight that day, local time.
How do I make my password not expire in Active Directory?
- Navigate to Management > User Management > Bulk User Management > Reset Password.
- Select the Domain and the User Account(s) you wish to change the password settings for. You can even import this list from a CSV file. ...
- Click on the Account tab, and set Account Expires as Never. Then click Apply.
How do I turn off password expiry in Active Directory?
Click on “Users” and find your user account. Right-click and view properties, and then check “Password Never Expires” under the settings.
How do I generate password expiration for a user in Active Directory PowerShell?
A really easy way to tell when an AD user account password expires is to use the Net User command. This command is part of the “net commands” that allows you to add, remove, or modify the user account on a computer.
Which command is used to get the current date?
The date command is used to display the system date and time. The date command is also used to set the date and time of the system. By default the date command displays the date in the time zone on which the unix/linux operating system is configured.
Which is the command to get the current date?
GETDATE() function is mostly used to find the current Date.
How do I format a date variable in PowerShell?
- Pass the variable to the Get-Date cmdlet: Get-Date -Format "HH:mm" $date.
- Use ToString() method: $date.ToString("HH:mm")
- Use Composite formatting: "{0:HH:mm}" -f $date.
Right-click on the Start button and go to Settings > Apps > Manage optional features > Add feature. Now select RSAT: Active Directory Domain Services and Lightweight Directory Tools. Finally, select Install then go to Start > Windows Administrative Tools to access Active Directory once the installation is complete.
How do I enable Active Directory on a server?
You'll first need to install the remote server administration tools on Windows 10 Professional or Enterprise. After you've installed the tools needed, you can go to "Control Panel > Programs > Turn Windows features on or off" to enable active directory.
How do I enable Active Directory users and computers on Windows 10 21h1?
- Right-click Start and select Control Panel;
- Click Programs and Features;
- Click Turn Windows features on or off on the left pane.
- Expand Remote Server Administration Tools-> Role Administration Tools -> AD DS and AD LDS Tools in the features tree;
- Check AD DS Tools and click OK.
...
- On the desktop, click Start, click All Apps, click Windows System, and then click Control Panel.
- Click Programs, and then in Programs and Features, click Turn Windows features on or off.
Two types of RSAT tools
It includes features like the Active Directory Certificate Services Tools, which incorporates the Certification Authority snap-in, the Certificate Templates snap-in, the Enterprise PKI snap-in, and the Online Responder Management snap-in.
How do I allow Active Directory users to remote desktop?
Navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections. On the right-side panel, double-click on Allow users to connect remotely using Remote Desktop Services.
Why do Active Directory accounts get disabled?
If a user Add operation contains an invalid password (or no password at all), the account created in Active Directory should be disabled.
Should you delete Active Directory accounts?
Removal of inactive accounts is essential for the security of the Active Directory. However, it is better to keep such accounts disabled for some time before deleting them. When employees leave the organization or when they take a long leave, it is recommended to disable their user accounts.
How to identify inactive computer accounts in Active Directory?
How to Find Inactive (Old) Computers in Active Directory Domain? You can use the Get-ADComputer cmdlet to find inactive computer objects in a domain. The LastLogonTimeStamp attribute can be used as search criteria.
What happens when you disable an Active Directory account?
If you disable a user, the Active Directory object remains untouched together with the mailbox data and properties (including forwarding settings and full access), but you will not be able to access any mailbox data directly using that user's credentials.
Is Active Directory still being used?
Tens of thousands of companies use Microsoft Active Directory, including about 90 percent of Fortune 1000 companies. In recent years, some users have switched to Microsoft Azure Active Directory, which is a cloud-based identity and access management solution that works much in the same way as the original AD.
Is Active Directory necessary?
Active Directory is important in many ways. It consists of a directory service that makes it possible to store data about networked objects, making this information available to administrators and users. Also, it is a Microsoft software used in Windows.
Why would you set user account expiry date?
Password expiration and account expiration are two different means to achieve the same goal, that is to prevent someone to log in.
What happens if you let your domain name expire?
When a domain expires it becomes inactive immediately and all the services attached to it cease to function. You can't make any updates to the domain while it is expired. The domain will remain available for reactivation at your regular domain rate under your list of Expired Domains.
What happens when my domain registration expires?
You'll have 30 days (for most domains*) after your registration expires to renew your domain at the standard rate. After 30 days*, it'll still be possible to renew, but you'll have to pay an additional fee -- typically $80 (for a .com domain).
What happens when Active Directory password expires?
In Active Directory, the account will not be locked if a user's password expires. Instead, the user will be prompted to change the password, and the new one must follow the password rules established by the organization based on its security policies.
How long is Active Directory lockout?
The account lockout duration value will be set to 30 minutes by default once you set the value of Account lockout duration. You can change the value of Account Lockout Duration between 0~99999 minutes. If the value is 0, the account will remain locked out until an administrator unlocks it manually.
What is Active Directory password policy?
An Active Directory password policy is a set of rules that define what passwords are allowed in an organization, and how long they are valid. The policy is enforced for all users as part of the Default Domain Policy Group Policy object, or by applying a fine-grained password policy (FGPP) to security groups.
How does Active Directory validate UserName and password?
[HttpGet]
[Route("authenticateuser/{username}/{password}")]
public bool ADUserExists(string userName, string password) {
    string domainName = System.Environment.UserDomainName;
    string domainUserName = System.Environment.UserName;
It is impossible to get existing password for users from active directory since it is hashed with sid. But you can get new password that are going to set for users in AD. For that you need to register a password filter in every domain controller.
How do you set a certificate expiration date?
- Click Start, and then click Run.
- In the Open box, type regedit, and then click OK.
- Locate, and then click the following registry key: ...
- In the right pane, double-click ValidityPeriod.
- In the Value data box, type one of the following, and then click OK:
To get the current date and time in SQL Server, use the GETDATE() function. This function returns a datetime data type; in other words, it contains both the date and the time, e.g. 2019-08-20 10:22:34 . (Note: This function doesn't take any arguments, so you don't have to put anything in the brackets.)
How do I get the current date in YYYY-MM-DD format?
- Import LocalDate class from java.time package.
- Create LocalDate object by calling static method now() of LocalDate class. ...
- Create DateTimeFormatter from DateTimeFormatter. ...
- Call format() method on this LocalDate object with DateTimeFormatter object passed as argument.
To format date in YYYY-MM-DD format, use the command date +%F or printf "%(%F)T\n" $EPOCHSECONDS . The %F option is an alias for %Y-%m-%d . This format is the ISO 8601 format.
How to set current date in batch file?
On a Microsoft Windows system, you can obtain the current date using the date /t command (the /t option prevents the command from prompting for a change to the date) or by using echo %date% to display the contents of the date environment variable.
How do I get the current date and time in CMD?
Display or set the system time. TIME /T Key new_time : The time as HH:MM TIME with no parameters will display the current time and prompt for a new value. Pressing ENTER will keep the same time. /T : Just display the time, formatted according to the current Regional settings.
What does date () do in SQL?
The DATE() function extracts the date part from a datetime expression.
How do I change the format of a date variable?
We change the date format from one format to another. For example - we have stored date in MM-DD-YYYY format in a variable, and we want to change it to DD-MM-YYYY format. We can achieve this conversion by using strtotime() and date() function.
How do I change the date format in a PowerShell script?
One way to change the date format of a DateTime object is by using Get-Date to generate the object and the Format parameter to change the format.
How do you set a date parameter?
Open the Data pane menu using the drop-down arrow in the upper-right corner and then select Create Parameter. Name the parameter. In this example, the parameter is named [Select Date]. For Data Type, select Date & time.
How do I enable Rsat feature?
To enable the tools, click Start, click Control Panel, click Programs and Features, and then click Turn Windows features on or off. In the RSAT releases for Windows 10, tools are again all enabled by default.
Where is Active Directory Module for Windows PowerShell?
On the Features page, expand Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools, then select Active Directory module for Windows PowerShell.
How do I enable RSAT on Windows?
...
- On the desktop, click Start, click All Apps, click Windows System, and then click Control Panel.
- Click Programs, and then in Programs and Features, click Turn Windows features on or off.
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the command dsquery user parameter. The parameter specifies the parameter to use. For the list of parameters, see the online help for the dsquery user command.
- Visit Apps from your “Settings” menu.
- Select Apps & Features.
- Choose Optional features.
- Next, click on Add a feature.
- Type or scroll down to find “RSAT”
- Choose Install to add the tools to your device.
Click Start -> Control Panel -> Programs, and then select 'Turn Windows features on or off.' Drill down to expand Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools and put a checkmark in 'Active Directory Module for Windows PowerShell.' Click OK.
How to install Azure AD module in PowerShell?
- Open the Start menu on your computer and search for 'Powershell'
- Right-click on Windows PowerShell and choose 'Run as administrator'
- Type the following command and press enter. ...
- Type “Y” to install and import the NuGet provider.
- Open an elevated Windows PowerShell command prompt (run Windows PowerShell as an administrator).
- Run the Install-Module MSOnline command.
- If you're prompted to install the NuGet provider, type Y and press Enter.
- Launch Server Manager. ...
- Go to Add Roles and Features. ...
- Select the installation type. ...
- Select the destination server. ...
- Select the server roles. ...
- Select the required features. ...
- Confirm the installation selections. ...
- Check the installation progress.
RSAT (Remote Server Administration Tools) is a Windows Server component for remote management of other computers also running that operating system.
How do I change Active Directory in cmd?
To change current working directory under the current drive, use command " cd new-path " (change directory). It is important to take note that you need to set the current drive first (via " x: " command) before setting the current directory under the current drive.
How do I connect to Active Directory?
- the domain name or IP address of the Active Directory server.
- the correct connection port.
- the connecting user account, including the distinguished name of the user and the password.
Run Netwrix Auditor → Navigate to "Reports" → Expand the "Active Directory" section → Go to "Active Directory – State-in-Time" → Select "User Accounts" → Click "View" → Type the user's logon name in the “Logon Name” filter → Click "View Report".