Security

last person joined: 23 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

CPPM Check AD Account Expiry

This thread has been viewed 3 times

  • 1.  CPPM Check AD Account Expiry

    Posted Aug 31, 2016 12:49 AM

    I need to setup a Service to authenticate AD users with User/Computer Certificates. I need to check both if the account is expired and disabled. I have setup new the auth source to check the account status and verify it does not matches 66050 but i cannot work out how to check if the account is expired. I need something like: If account expiry equals greater than current time.

     

    So far i have:

     

    (Authorization:<domain>:Account Status  NOT_EQUALS 66050)
    AND  (Authorization:<domain>:Account Expires  ??  ????)



  • 2.  RE: CPPM Check AD Account Expiry

    EMPLOYEE
    Posted Aug 31, 2016 12:51 AM
    You shouldn't need both. If an account expires, it is disabled.


  • 3.  RE: CPPM Check AD Account Expiry

    Posted Aug 31, 2016 01:03 AM

    I used the attribute browser and had a look:

     

    UserAccountControl=66050 when it was disabled and expired

    UserAccountControl=66048 when it was just expired

    UserAccountControl=66048 when not expired or disabled

     

    accountExpires=0 when not expired

    accountExpires=xxxxxxxxx (long number of ticks which equal date of expiry) when expired

    It looks like i cant use UserAccountControl to check for expiry. :(