How to find user "accountExpires" attribute old value?

Siya Kumari 511 Reputation points
2024-08-21T12:11:53.2866667+00:00

Hello Team,

We are using the ADMT tool to migrate user SID history from the source to the target domain. In our source domain, the user "accountExpires" value is set to never, but it is set to a specific date in the target domain. By mistake, we did not exclude the user attribute "accountExpires" while migrating the user SID history, and the ADMT tool overwrote the user "accountExpires" attribute value with the same value as the source. Can anyone suggest how we can solve this issue?

  1. We want to know how we can find the previous "accountExpires" value for all the users in the target domain, because ADMT has set this value to never for all the target users.
  2. Once we find the correct "accountExpires" attribute value for all target users, how can we change it to the correct one?

Looking for a quick response, thanks!

Active Directory

1 answer

  1. Daisy Zhou 22,311 Reputation points Microsoft Vendor
    2024-08-21T13:46:06.0766667+00:00

    Hello Siya Kumari,

    Thank you for posting in Q&A forum.

    1.We want to know how can we find the previous "accountExpires" value for all the users in target domain. Because ADMT has set this value never for all the target users.

    A1: I think you should export "accountExpires" value for all the users in source domain.

    You can export the users and accountExpires time by running the command below.

    $outputFile = "C:\AD_AccountExpires.csv"
    # Get all users or a specific set of users from a particular Organizational Unit (OU)
    $users = Get-ADUser -Filter * -Properties SamAccountName, accountExpires
    # Collect one row per user
    $results = @()
    foreach ($user in $users) {
        # accountExpires means "never" when it is 0 or 0x7FFFFFFFFFFFFFFF ([Int64]::MaxValue).
        # FromFileTimeUtc throws on the latter, so test for both before converting.
        if ($user.accountExpires -gt 0 -and $user.accountExpires -ne [Int64]::MaxValue) {
            $accountExpiresDate = [datetime]::FromFileTimeUtc($user.accountExpires)
        } else {
            $accountExpiresDate = "Never"
        }

        $results += [PSCustomObject]@{
            SamAccountName = $user.SamAccountName
            AccountExpires = $accountExpiresDate
        }
    }
    # Export the results to a CSV file
    $results | Export-Csv -Path $outputFile -NoTypeInformation
    Write-Output "The accountExpires attribute has been exported to $outputFile"
    

    2.Once we will find the correct "accountExpires" attribute value for all target user, how can we change it to correct one?

    A2: To set the "accountExpires" attribute for Active Directory (AD) users in batch, you can use PowerShell. Here's a general approach using the Set-ADUser cmdlet from the Active Directory module for Windows PowerShell. You’ll need to have the Active Directory module installed and appropriate permissions to modify AD user properties.

    1.Prepare your user data:

    Create a CSV file with the user data. The CSV file should have headers like SamAccountName and AccountExpirationDate.

    Here is a sample structure of the CSV file (users.csv):

    SamAccountName,AccountExpirationDate
    user1,2023-12-31
    user2,2024-01-15

    2.Import the CSV and update users: Use PowerShell to import the CSV file and set the accountExpires attribute.

    Here's a sample script:

    $csvPath = "C:\path\to\your\users.csv"
    # Import the CSV file
    $users = Import-Csv -Path $csvPath
    foreach ($user in $users) {
        # Convert the AccountExpirationDate to a datetime object
        $expirationDate = [datetime]$user.AccountExpirationDate
        # Convert to FileTime (AD format for dates)
        $accountExpires = $expirationDate.ToFileTime()
        # Set the accountExpires attribute for the user
        Set-ADUser -Identity $user.SamAccountName -Replace @{accountExpires=$accountExpires}
    }
    Write-Host "Account expiration dates updated successfully."
    

    3.Run the script: Execute the PowerShell script in a PowerShell session with administrative privileges.

    Please replace "C:\path\to\your\users.csv" with the actual path to your CSV file.

    This script iterates through each user in the CSV file, converts the expiration date to the FileTime format (which is required by AD), and updates the accountExpires attribute for each user.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
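
The restore step in the answer above, extended as an added example (not part of the original answer): it records each user's raw accountExpires value before changing anything, treats both "never" encodings (0 and 0x7FFFFFFFFFFFFFFF) as equal, and calls Set-ADUser with -WhatIf so the planned changes can be reviewed first. It assumes the ActiveDirectory module, CSV cells holding either an ISO date taken as UTC or the word Never, and a hypothetical audit file name; the sample rows are constructed.

```powershell
# Added example; requires the ActiveDirectory module and rights to modify users.
# accountExpires stores "never" as either 0 or 0x7FFFFFFFFFFFFFFF.
$NeverValues = @([Int64]0, [Int64]::MaxValue)

function ConvertTo-AccountExpires {
    # Map a CSV cell ("Never", empty, or an ISO date assumed to be UTC) to the stored Int64.
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value) -or $Value -eq 'Never') { return [Int64]0 }
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $date = [datetime]::Parse($Value, [cultureinfo]::InvariantCulture, $styles)
    return $date.ToFileTimeUtc()
}

# Constructed sample rows; in practice: $rows = Import-Csv -Path <reviewed file>
$rows = @(
    [PSCustomObject]@{ SamAccountName = 'user1'; AccountExpirationDate = '2023-12-31' }
    [PSCustomObject]@{ SamAccountName = 'user2'; AccountExpirationDate = 'Never' }
)

$audit = foreach ($row in $rows) {
    $target  = ConvertTo-AccountExpires $row.AccountExpirationDate
    $user    = Get-ADUser -Identity $row.SamAccountName -Properties accountExpires
    $current = [Int64]$user.accountExpires
    # Do not rewrite one "never" encoding as the other.
    $same = ($current -eq $target) -or
            (($NeverValues -contains $current) -and ($NeverValues -contains $target))
    if (-not $same) {
        # Remove -WhatIf once the planned changes have been reviewed.
        Set-ADUser -Identity $user -Replace @{ accountExpires = $target } -WhatIf
    }
    [PSCustomObject]@{
        SamAccountName = $row.SamAccountName
        Before         = $current   # raw value, kept so the change can be reverted
        After          = $target
        Changed        = -not $same
    }
}
# Hypothetical output path for the before/after record.
$audit | Export-Csv -Path .\accountExpires_audit.csv -NoTypeInformation
```

The Before column holds the value that a bulk overwrite would otherwise lose, so the audit file should be kept with the change record.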
