It is very easy to create a user account in Active Directory. However, AD makes that process simple by leaving many of the user account fields out of the account creation wizard. After working through the few pages of the New User creation process, you might think that you have covered all the attributes of an account during its setup. However, you haven’t, and the account expiration date is one of the features of an account that you can go back and manage.
Active Directory account expiration
The default expiration for an account in Active Directory is Never.
So, all you need to do to create an end date is to switch that radio button in the Account expires section of the Account tab in the Account Properties window to End of: and pick a date. So, that’s the goal of this topic. However, let’s run through a few details about how the account gets set up without an end date and what options you have to get better account management utilities for Active Directory.
Create an Active Directory user account
There are two ways to create accounts in Active Directory: manually, and through a bulk upload. The native menu for Active Directory management doesn’t provide a bulk upload function, so if you go that route, you need a third-party tool.
Here’s how to set up a user account in Active Directory:
1. Open the Active Directory Users and Computers utility
2. In the left-hand panel of the Active Directory Users and Computers screen. Click on Users to see existing accounts
3. Right-click to get a context menu and move the mouse pointer to New. In the sub-menu that appears, click on User.
4. In the New Object – User wizard, enter the user name details and press the Next button.
5. Enter password details and press the Next button.
6. Press the Finish button to create the account.
As you will note, the account now exists and you didn’t need to specify an expiration date. This is how you ended up with so many accounts that never expire.
Once an account exists, you need to get to the Properties window in order to set an expiry date – this screen is shown at the top of this guide. The Account tab of this crowded interface lets you set an end date. You get to this window by clicking on the user account in the main screen in the Active Directory Users and Computers system. Right-click the mouse and select Properties from the context menu.
What do Active Directory account end dates do?
Putting an expiry date on all of your user accounts could create a disaster. System admin staff are notorious for not sharing working processes with colleagues. This is a good security stance to take because the fewer people who know how the system is set up, the fewer security weaknesses there are. However, it could well be that a system administrator decides to end-date all accounts, with the intention of pushing that date forward before it arrives. If that administrator is off sick close to that date or leaves the company without passing on the strategy, everyone’s system accounts could become unavailable.
There is a lot to be said for setting all accounts to never expire. However, contractors and other temporary users have a known end date and it is common to use the expiry date for the accounts of these users. Abandoned but active accounts are a major security loophole and should be avoided.
Active Directory user account expiry
An expired account is disabled – it doesn’t get deleted. So, it can be reactivated easily by changing that expiry date either to a date in the future or by switching it to the “never expire” option. With that action, the account instantly becomes available again. While the account is inactive, the user can’t log in. That account does not get recognized. If the user enters that username in a login screen, it might as well be made up. It will not work.
Exactly when does an Active Directory account expire?
In all Windows utilities, Midnight is represented as 12:00 AM. This time belongs to the next day. That is, when you are sitting at your computer on 20 January 2025 at 11:59 PM, you will notice that the date shown on the computer becomes 21 January 2025 one minute later when the time is shown as 12:00 AM. If an account has an expiry date of 20 January 2025, the user will be able to log in at 11:59 PM on that date but not one minute later.
A user account is available for use all the day on the date that it is set to expire.
Examine account expiry dates with PowerShell
All of the information that is shown in the Active Directory Users and Computers utility is available behind the scenes and can be accessed through PowerShell.
The PowerShell environment is similar to a Command Prompt window. If you know how to open a Command Prompt, simply type powershell at the prompt and press return. However, it isn’t necessary to go through the Command Prompt. You can just type powershell into the Taskbar search field. This will give you access to the PowerShell windows directly.
Use the commandlet Get-ADUser to get information on user accounts. Use the following command to get the expiry date of an account:
Get-ADUser -Identity <username> -Properties AccountExpirationDate
To get a list of all user accounts that have expired, use:
Get-ADUser -Filter {AccountExpirationDate -lt (Get-Date)} -Properties AccountExpirationDate | Select-Object Name, AccountExpirationDate
You can use PowerShell to generate a list of accounts that are going to expire in the next 30 days with this command:
$expiringUsers = Get-ADUser -Filter {AccountExpirationDate -ne $null -and AccountExpirationDate -lt (Get-Date).AddDays(30)} -Properties AccountExpirationDate
The great thing about PowerShell is that you can construct programs with it and run them on a schedule. Add the following loop to the above query in order to trigger actions. The actions are not included in the example.
foreach ($user in $expiringUsers) {
# Perform remediation actions or send email notification
}
Set account expiry dates with PowerShell
Use the following PowerShell command to set an expiry date for a specific account.
Set-ADUser -Identity <username> -AccountExpirationDate “<MM/DD/YYYY HH:MM:SS>”
To follow the above example, replace <username> with the actual account name – it should not be in quotes; replace MM/DD/YYYY HH:MM:SS with the new end date. This must be in double quotes.
Buy a management tool for Active Directory account expiration handling
The Active Directory Users and Computers screen is the main AD management system that is included with Active Directory for free. As you have seen, finding out whether an account is end-dated requires the administrator to know about a pretty obscure path that involves right-clicking and searching through tabs of data.
The native screens of Active Directory don’t provide many automation facilities. This opens up opportunities for third-party system administration tool providers to market their own systems for managing Active Directory. We’re going to take a look at one example of such a tool, which is ManageEngine ADManager Plus.
ManageEngine ADManager Plus (FREE TRIAL)
ManageEngine ADManager Plus is one of the system monitoring and management tools offered by ManageEngine. The company has a long list of products. The purpose of ADManager Plus is to provide an alternative to using the Active Directory Users and Computers screen. Unlike the native tool, the ManageEngine package includes task automation features for issues, such as updating user account expiration dates. So, if you use ADManager Plus, you don’t need to learn how to make queries and programs with PowerShell.
Active Directory provides access rights management for general system access and it is also used for Microsoft 365, Google Workspace, and a couple of other systems. The system can unify the user account data for several systems, so you could end up with a number of Domain Controllers that all need the same data in them. You can set up ADManager Plus to front for multiple Domain Controllers simultaneously.
Once you have ADManager Plus running, you administer your accounts for Active Directory through the ADManager Plus console and you don’t need to go back to the Active Directory Users and Computers screen. ADManager Plus will read in the records of your AD instance and any changes that you make in the ManageEngine console will update the AD instance.
Get a list of expired user accounts with ADManager Plus
Listing all of the expired accounts in Active Directory is a lot easier with ManageEngine ADManager Plus than it is with PowerShell. Simply follow these steps:
- Click on the Reports tab, select User Reports from the menu, and click on Account expired users.
- Select a domain and OU.
- Click Generate.
- Select Export to export the report and choose CSV, PDF, HTML, CSVDE, or XLSX as the format.
You will be able to see the list of accounts that have expired in the ADManager Plus dashboard.
The ADManager Plus system includes a series of bulk user management tools, which involve uploading user records from a spreadsheet. This can be used to create accounts or to update them. In each case, the spreadsheet can include an expiration date, thus, avoiding the situation where all accounts are created to never expire. Of course, as the default status for accounts is to never expire, leaving that field blank in a record will make the account eternal.
ManageEngine ADManager Plus is a software package for Windows Server. There are two paid editions of the package: Standard and Professional. Many of the task automation services in the package, such as scheduled reports, are only available in the Professional edition.
ManageEngine offers a Free edition of ADManager Plus, which is the Standard edition but with a limit of handling 100 AD objects. You can get access to the full Professional edition on a 30-day free trial. If you decide not to buy at the end of the trial period, your installation will switch over to the Free edition.
Examine Active Directory management packages
ManageEngine ADManager Plus isn’t the only Active Directory management tool available on the market. Trial a few of the available systems before you choose a system that suits your business needs. We have assembled a list of The Best Active Directory Tools and AD Management Software to help you shortlist a manageable number of tools to examine.
