> What is the difference between disabling an account and expiring an account?
I don't believe there is any functional difference, except in where you go to re-activate it.
It is mostly conceptual or if you prefer related to how you arranged it: disabling is about taking a positive immediate action, and expiration is about setting up a timer to do it automatically at some time in the future.
It is almost certainly different attributes on the account properties (internally to the accounts database) since there is more information to keep for expiration.
They are both functionally equivalent to lock-out too -- but of course that is done by the system in response to a perceived security threat.
I know that if an account goes past its expired time the disabled setting is not set. So they seem to have a similar effect but use different settings.
I am trying to decide which setting to use to manage accounts for employees who leave. We have to leave the account in place for a specified amount of time before we can delete it. So I need an easy way to query the AD to find disabled or expired accounts and when they were placed in that state (for example, find all disabled or expired accounts that were set over 30 days ago).
> I always thought accounts were disabled and passwords expired - the latter
> resulting in a disabled account if the password were not changed in time.
>
> "KurtL" <KL_OExpr...@spamex.com> wrote in message
> news:ev1F7buNFHA.3960@TK2MSFTNGP12.phx.gbl...
>> What is the difference between disabling an account and expiring an
>> account?
An account is disabled IF RIGHT(HEX(userAccountControl),1) = "2", "3", "A", or "B".
An account has an expired password IF EITHER (LEN(HEX(userAccountControl)) = 6 AND LEFT(HEX(userAccountControl),1) = "8", "9", "A", "B", "C", "D", "E", or "F") OR (LEN(HEX(userAccountControl)) = 7 AND MID(HEX(userAccountControl),2,1) = "8", "9", "A", "B", "C", "D", "E", or "F").
> I know that if an account goes past its expired time the disabled setting is
> not set. So they seem to have a similar effect but use different settings.
>
> I am trying to decide which setting to use to manage accounts for employees
> who leave. We have to leave the account in place for a specified amount of
> time before we can delete it. So I need an easy way to query the AD to find
> disabled or expired accounts and when they were placed in that state (for
> example, find all disabled or expired accounts that were set over 30 days
> ago).
>
> - Kurt
>
> "Ato Bisda" <atobi...@gmail.com> wrote in message
> news:%23JUU$6uNFHA.3668@TK2MSFTNGP14.phx.gbl...
>> I always thought accounts were disabled and passwords expired - the latter
>> resulting in a disabled account if the password were not changed in time.
>>
>> "KurtL" <KL_OExpr...@spamex.com> wrote in message
>> news:ev1F7buNFHA.3960@TK2MSFTNGP12.phx.gbl...
>>> What is the difference between disabling an account and expiring an
>>> account?
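As an added example (not code from any poster in this thread), the hex-digit tests above and Kurt's "set over 30 days ago" query written as bitmask checks in Python over constructed LDAP-style records. It assumes whenChanged as the only available stamp for when a disable happened (a disable stores no timestamp of its own) and a fixed "today" of 2005-05-01.

```python
from datetime import datetime, timedelta, timezone
ACCOUNTDISABLE = 0x0002      # userAccountControl bit 1 (the RIGHT(HEX) test above)
PASSWORD_EXPIRED = 0x800000  # bit 23 (the LEFT/MID test); AD reports it only via msDS-User-Account-Control-Computed
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # both mean "no expiry" in accountExpires
NOW = datetime(2005, 5, 1, tzinfo=timezone.utc)  # assumed "today" for the sample

def filetime_to_datetime(ft):
    # accountExpires is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def is_disabled(uac):
    # Bitmask form of the hex-digit test; also catches 6, 7, E, F (HOMEDIR_REQUIRED 0x4 set too)
    return bool(uac & ACCOUNTDISABLE)

def is_password_expired(uac):
    return bool(uac & PASSWORD_EXPIRED)

def is_expired(account_expires, now):
    return account_expires not in NEVER_EXPIRES and filetime_to_datetime(account_expires) <= now

def stale_accounts(records, now, min_days=30):
    # Returns (sAMAccountName, state, days). Disabling stores no timestamp of its own,
    # so whenChanged is the assumed approximation; expiry is dated by accountExpires.
    found = []
    for r in records:
        uac, exp = int(r["userAccountControl"]), int(r["accountExpires"])
        if is_disabled(uac):
            state, since = "disabled", datetime.fromisoformat(r["whenChanged"])
        elif is_expired(exp, now):
            state, since = "expired", filetime_to_datetime(exp)
        else:
            continue
        days = (now - since).days
        if days >= min_days:
            found.append((r["sAMAccountName"], state, days))
    return found

# Constructed sample records, shaped like the string attributes an LDAP search returns
def _rec(name, uac, expires=0x7FFFFFFFFFFFFFFF, changed="2005-04-30T00:00:00+00:00"):
    return {"sAMAccountName": name, "userAccountControl": str(uac),
            "accountExpires": str(expires), "whenChanged": changed}

SAMPLE_RECORDS = [
    _rec("kurt.temp", 0x200, expires=datetime_to_filetime(datetime(2005, 3, 1, tzinfo=timezone.utc))),
    _rec("jane.left", 0x202, changed="2005-04-20T10:00:00+00:00"),     # disabled 10 days ago
    _rec("bob.gone", 0x202, changed="2005-03-15T00:00:00+00:00"),      # disabled 47 days ago
    _rec("homedir.user", 0x206, changed="2005-01-01T00:00:00+00:00"),  # the hex test misses this one
]
```

Against a real directory the records would come from an LDAP search returning sAMAccountName, userAccountControl, accountExpires and whenChanged; the classification and 30-day filter stay the same.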
> I always thought accounts were disabled and passwords expired - the latter
> resulting in a disabled account if the password were not changed in time.
Many admins never set accounts to expire, but this is an old capability going back to NT domains.
It is most suitable for (known) temporary workers who will spend a few months or other limited time with your company.
> "KurtL" <KL_OExpr...@spamex.com> wrote in message
> news:ev1F7buNFHA.3960@TK2MSFTNGP12.phx.gbl...
>> What is the difference between disabling an account and expiring an
>> account?
Ok, first there is a difference between disable and expire as far as AD goes. If you look at just backups, you will see a difference. Backing up an Exchange email account that is disabled will fail every time, but if you expire it you will get a good backup. Expire stops only that user from having access. Disable will stop all users from having access. Also, email still comes into the mailbox on an expired user account. This may be needed also, for lots of reasons.
Why use expire? The person has left, you want them to not be able to get into their account, but you still need the supervisor/legal to review the email in the account. Then use expire.
You can use expire like disable, just set the date older than today if you want to stop access by the user. Granted disable is very fast and you get to see the little red X next to the name. I would kill to have a symbol next to expired accounts. As a side note, when we do expire an account, we will add "- Expired" in the user description. If it is set to expire on a set date, then we will add in the description "- Expire on ??/??/??". This is only for easier finding and admin reasons.
We only use disable if we want a fast stop of all user access. It will be followed by changing it to expired as time permits. Most of the time we just use expire.