What is the difference between disabling an account and expiring an account?

  - Kurt

news:ev1F7buNFHA.3960@TK2MSFTNGP12.phx.gbl...
account?

I don't believe there is any functional difference,
except in where you go to re-activate it.

It is mostly conceptual or if you prefer related to
how you arranged it:  disabling is about taking
a positive immediate action, and expiration is
about setting up a timer to do it automatically at
some time in the future.

It is almost certainly different attributes on the
account properties (internally to the accounts
database) since there is more information to keep
for expiration.

They are both functionally equivalent to lock-out
too -- but of course that is done by the system in
response to a perceived security threat.

I always thought accounts were disabled and passwords expired - the latter
resulting in a disabled account if the password were not changed in time.

news:ev1F7buNFHA.3960@TK2MSFTNGP12.phx.gbl...

I know that if an account goes past its expired time the disabled setting is
not set.  So they seem to have a similar affect but use different settings.

I am trying to decide which setting to use to manage accounts for employees
who leave.  We have to leave the account in place for a specified amount of
time before we can delete it.  So I need an easy way to query the AD to find
disabled or expired accounts and when they were placed in that state (for
example fine all disabled or expired accounts that were set over 30 days
ago)

  - Kurt

news:%23JUU$6uNFHA.3668@TK2MSFTNGP14.phx.gbl...

There are separate flags for "password expired" and "account disabled" in
the AD userAccountControl flag as detailed here:
http://support.microsoft.com/default.aspx?kbid=305144&product=winsvr2003

Using the table described in the URL,

an account is disabled IF RIGHT(HEX(userAccountControl),1) = "2", "3", "A",
or "B".

an account has an expired password IF
  EITHER LEN(HEX(userAccountControl)) = 6 AND
LEFT(HEX(userAccountControl),1) = "8", "9", "A", "B", "C", "D", "E", or "F")
  OR        (LEN(HEX(userAccountControl)) = 7 AND
MID(HEX(userAccountControl),2,1) = "8", "9", "A", "B", "C", "D", "E", or
"F" )

news:%23MnCoZvNFHA.1604@TK2MSFTNGP10.phx.gbl...

news:#JUU$6uNFHA.3668@TK2MSFTNGP14.phx.gbl...

Many admins never set accounts to expire, but this is an
old capability going back to NT domains.

It is most suitable for (known) temporary workers who
will spend a few months or other limited time with your
company.

Ok, first there is a difference between disable and expire as far as AD
goes. If you look at just backups, you will see a difference. Backing
up an Exchange email account that is disabled, will fail every time,
but if you expire it you will get a good backup. Expire stops only that
user from having access. Disable will stop all users for having access.
Also, email still comes into the mailbox on an expired user account.
This my be needed also, for lots of reasons.

Why use expire? The person has left, you want them to not be able to
get into their account, but you still need the supervisor/legal to
review the email in the account. Then use expire.

You can use expire like disable, just set the date older then today if
you want to stop access by the user. Granted disable is very fast and
you get to see the little red X next to the name. I would kill to have
a symbol next to expired accounts. As a side note, when we do expire an
account, well will add "- Expired" in the user description. If it is set
to expire on a set date, the we will add in the description "- Expire on
??/??/??". This is only for easier finding and admin reasons.

We only use disable if we want a fast stop of all user access. It will
be followed by changing it to expired as time permits. Most of the time
we just use expire.

--
fireater
------------------------------------------------------------------------
fireater's Profile: http://forums.techarena.in/member.php?userid=14440
View this thread: http://forums.techarena.in/showthread.php?t=74142

Free Computer Help -  http://forums.techarena.in