Modify bulk users in AD

Hi,

I want to modify the expiration date of user accounts in AD. I need a way to take the below format which is from Unix Kerberos and import it into AD to modify the same username with the expiration date. Is there any way I can do this? Or should I post this question in the scripting discussion board?

username - Expiration date: Wed Aug 17 00:00:00 PDT 2011

Something like this:

    ' Bind to the OU that holds the accounts and enumerate only user objects
    Set objOU = GetObject("LDAP://ou=ougpo,dc=zenlab03-2,dc=lab")
    objOU.Filter = Array("user")

    For Each objUser In objOU
        ' accountExpires is passed as a string: 100-nanosecond intervals since 1/1/1601 (UTC)
        objUser.Put "accountExpires", "128003580000000000"
        objUser.SetInfo
    Next

Thanks for the reply. Is the command that you provided extracting data from the following information:

username - Expiration date: Wed Aug 17 00:00:00 PDT 2011

Thanks,

Bishopz

I'm not sure what you are asking. The script I provided sets Expiration time for every user in the ou=ougpo,dc=zenlab03-2,dc=lab OU to 08/17/2006 Pacific time. You need to edit the user container DN and accountExpires value. The easiest way to get the correct accountExpires is to set up one user the way you want and then use ADSIEdit to look up the accountExpires value. For instance, if I set Expiration date to 08/17/2001 PDT, accountExpires will be 129581244000000000.

Hi,

The accountExpires attribute is Integer8, which means it is a 64-bit number representing the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. The corresponding date/time is in Coordinated Universal Time (UTC, or what used to be called Greenwich Mean Time). If you convert the Integer8 value to a date/time, you have to adjust for the time zone bias as specified in the local registry of the machine. I have a VBScript program that converts a date/time in the local time of your computer to the corresponding Integer8 value linked here:

http://www.rlmueller.net/Programs/DateToInteger8.txt

In ADUC when you set an expiration date, the account expires at the end of the day selected (in your time zone). Using the DateToInteger8.vbs program linked above, the end of the day 08/17/2006 (really 12:00 AM 8/18/2006) converts to 128,003,508,000,000,000 in my time zone, which is CDT (Central Daylight Time in USA). Since PDT is 2 hours further west (later), the end of the day 8/17/2006 in PDT would be greater by 2x60x60x10,000,000 or 72,000,000,000, giving a value of 128,003,580,000,000,000. I used commas in these numbers to make them readable, but you cannot use commas when you assign values.

Ordinarily, VBScript cannot handle such large numbers. My VBScript program, for example, calculates the number of seconds since 1/1/1601 (to the nearest second), then converts this to a string and appends 7 zeros to the end (to convert seconds to 100-nanosecond intervals). If you attempt to assign an 18 digit number to the accountExpires attribute in VBScript you get an error. For example, the snippet

    objUser.Put "accountExpires", 128003508000000000
    objUser.SetInfo

raises an error. VBScript (and VB) can handle 15 digits at most. My VBScript program calculates 12,800,350,800 seconds since 1/1/1601. VBScript can handle these 11 digits, but not the full 18 digits, so I convert the 11 digit number to a string and append 7 zeros in DateToInteger8.vbs. I'm only accurate to one second.

The "trick" is to assign the 18 digit number as a string to accountExpires. I have no idea why this works but it does. ADSI must handle this specially. The only integer values you can assign to Integer8 attributes (that have any meaning) are 0 and -1. The value 0 corresponds to 1/1/1601, which is really never. The value -1, because of the way 64-bit numbers are handled, becomes 2^63-1 or 9,223,372,036,854,775,807. This is the largest number that can be saved as a signed 64-bit value. It represents a date so far in the future it again means never. If a user object (created in ADUC) has never had an expiration date assigned, then accountExpires has the value 2^63-1. If, however, the user is assigned an expiration date, and then this is removed (so the account no longer expires), the value 0 is assigned to accountExpires.

Another way to deal with expiration dates is to use the AccountExpirationDate property method. However, it has a few quirks. If accountExpires is 0, AccountExpirationDate returns 1/1/1970. This was the zero date in NT domains, but has no meaning whatsoever in Active Directory. If accountExpires is 2^63-1, AccountExpirationDate raises an error. You can also use AccountExpirationDate to set expiration dates.

Finally, if the value of accountExpires corresponds to a time other than the end of a day, ADUC displays the previous day. For example, if accountExpires corresponds to 8/18/2006 11:00 PM, ADUC will show expiration at end of day 8/17/2006.

I know this is far more than anyone cares to know, but I've been studying this attribute for a while to understand the many quirks people have found. I plan to post an FAQ on the subject on my web site, but I have a few more details to dig up.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

Hi,

I just realized you want to set the expiration date as 8/17/2011. To account for the time zone difference, I use my DateToInteger8.vbs program to convert "08/17/2011 02:00 AM" in CDT and get 129580380000000000 in PDT.
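
Added example, not part of the original thread and not the DateToInteger8.vbs program linked above: a Python sketch that parses one line of the Kerberos export format quoted in the question and produces the accountExpires value, returned as a string because the thread assigns it to ADSI that way. The username jdoe, the zone-abbreviation table and the end_of_day switch are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the format quoted in the thread (username is a placeholder).
SAMPLE = "jdoe - Expiration date: Wed Aug 17 00:00:00 PDT 2011"

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 2**63 - 1)  # both values mean "account does not expire"
# Assumption: the export only uses these abbreviations; extend the table as needed.
TZ_OFFSETS = {"PST": -8, "PDT": -7, "MST": -7, "MDT": -6,
              "CST": -6, "CDT": -5, "EST": -5, "EDT": -4, "UTC": 0, "GMT": 0}
LINE_RE = re.compile(
    r"^(?P<user>\S+) - Expiration date: "
    r"(?P<stamp>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<tz>[A-Z]{2,4}) (?P<year>\d{4})$")


def to_integer8(moment):
    """Aware datetime -> count of 100-ns intervals since 1601-01-01 UTC."""
    delta = moment - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def from_integer8(value):
    """Integer8 -> aware UTC datetime, or None for the two 'never' values."""
    value = int(value)
    if value in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def parse_kerberos_line(line, end_of_day=False):
    """Return (username, accountExpires as a string) for one export line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    if m["tz"] not in TZ_OFFSETS:
        raise ValueError(f"unknown time zone {m['tz']!r}")
    tz = timezone(timedelta(hours=TZ_OFFSETS[m["tz"]]))
    local = datetime.strptime(f"{m['stamp']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    moment = local.replace(tzinfo=tz)
    if end_of_day:  # ADUC convention: expire at midnight ending the named day
        moment = moment.replace(hour=0, minute=0, second=0) + timedelta(days=1)
    return m["user"], str(to_integer8(moment))
```

Taken literally, the sample timestamp gives 129580380000000000; with end_of_day=True it gives 129581244000000000, the value ADUC would display as "end of 8/17/2011".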