User account expired locally not in Active Dir.

dmakadia

I have a user ID to run a service, which is a domain user ID. For some reason
the machine saw that the account had expired. But when I looked at the
account properties in Active Directory, the account was set up to never
expire. I simply set the account to expire, applied the settings, set
the account to never expire and applied those settings. I then
shut down and restarted all the services, and all the services started
properly. I am not able to think how I got into this state. Has anyone
experienced this before, or does anyone know how to handle this issue?

Please bear with me, as I am new to AD.

Thanks,
 
Jorge Silva

Hi

Usually the service accounts are set up with the "never expire" and "user can't
change password" options; this last one prevents the users/services from
changing the password even if the account was set up to never expire.



Probably someone changed the user account.


--
I hope that helps


Good Luck
Jorge Silva
MCSA
Systems Administrator
 
Richard Mueller

Hi,

The date a user account in Active Directory expires is determined by the
value of the accountExpires attribute. This is data type Integer8, which is
a 64-bit number. It represents the expiration date (in UTC) as the number of
100-nanosecond intervals since 12:00 AM January 1, 1601.

If an account has never had an expiration date, the system assigns the value
2^63-1 to accountExpires, the largest value possible (Integer8 values can
range from -2^63 to 2^63-1). However, if you assign an expiration date to an
account in Active Directory, then modify the account so it never expires
(select "Never" in ADUC), the GUI assigns the value 0 to the accountExpires
attribute. This means "Never". You can check this with ADSI Edit. However,
if an application blindly converts this value to a date, it gets 1/1/1601. I
can see how this could be misinterpreted as meaning the account is long
expired. This is probably your situation.

Perhaps the proper way to set an account to not expire is to assign the
value -1 to accountExpires, which, because of the way 64-bit numbers are
handled, is equal to 2^63-1. The fix for you might be to use a script to
assign the value -1 to the accountExpires attribute of the account. Given
the Distinguished Name of the account, the following VBScript program would
do it:

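' Bind to the user object by its Distinguished Name (sample DN; substitute your own).
Set objUser = GetObject("LDAP://cn=User01,ou=Sales,dc=MyDomain,dc=com")
' Assign -1 to accountExpires so the account is set to not expire.
objUser.Put "accountExpires", -1
' Write the change back to Active Directory.
objUser.SetInfo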
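
The value handling described in the reply above, as an added example that is not part of the original thread: it reads accountExpires the blind way and then with the two "never" values checked first. The function names and the sample values are assumptions made for this illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Both values mean "never expires": 2^63-1 is the default for an account that
# never had a date, 0 is what ADUC writes when "Never" is selected again.
NEVER_VALUES = frozenset({0, 2**63 - 1})


def naive_expiry(account_expires):
    """Blind conversion of 100-ns intervals since 1601 (the failure mode)."""
    return FILETIME_EPOCH + timedelta(microseconds=int(account_expires) // 10)


def account_expiry(account_expires):
    """Return the expiry as a UTC datetime, or None if the account never expires."""
    value = int(account_expires)  # LDAP clients often hand the value back as text
    if value in NEVER_VALUES:
        return None
    if value < 0:
        # Assumption of this example: surface unexpected values, do not guess.
        raise ValueError(f"unexpected accountExpires value: {value}")
    try:
        return naive_expiry(value)
    except OverflowError:
        raise ValueError(f"accountExpires out of date range: {value}") from None


def is_expired(account_expires, now=None):
    """True only when a real expiration date exists and has passed."""
    now = now or datetime.now(timezone.utc)
    expiry = account_expiry(account_expires)
    return expiry is not None and expiry <= now


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    samples = {"reset to Never in ADUC": 0,
               "never had an expiry": 2**63 - 1,
               "expires 2030-01-01 UTC": 135379296000000000}
    print("naive reading of 0:", naive_expiry(0))
    for label, raw in samples.items():
        print(f"{label}: expiry={account_expiry(raw)} expired={is_expired(raw)}")
```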
 
dmakadia

Richard,

I checked this in my AD. This account was good for the last 2 months, and then
I had to update the NIC driver on this server, which I don't think has
anything to do with this problem. After 36 hr the service suddenly failed on
an expired user account. Could what you describe happen suddenly?
Thanks a lot for your help.
 
