Occasional Contributor II
Posts: 17
Registered: ‎04-19-2015

CPPM Check AD Account Expiry

I need to set up a Service to authenticate AD users with User/Computer Certificates. I need to check both if the account is expired and disabled. I have set up the new auth source to check the account status and verify it does not match 66050, but I cannot work out how to check if the account is expired. I need something like: If account expiry equals greater than current time.

So far I have:

(Authorization:<domain>:Account Status  NOT_EQUALS 66050)
AND  (Authorization:<domain>:Account Expires  ??  ????)

Guru Elite
Posts: 8,329
Registered: ‎09-08-2010

Re: CPPM Check AD Account Expiry

You shouldn't need both. If an account expires, it is disabled.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 17
Registered: ‎04-19-2015

Re: CPPM Check AD Account Expiry

I used the attribute browser and had a look:

UserAccountControl=66050 when it was disabled and expired

UserAccountControl=66048 when it was just expired

UserAccountControl=66048 when not expired or disabled

accountExpires=0 when not expired

accountExpires=xxxxxxxxx (long number of ticks which equal date of expiry) when expired

It looks like I can't use UserAccountControl to check for expiry. :(
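The values quoted in this thread can be decoded offline. The following is an added example, not part of any post above and not ClearPass configuration: it splits userAccountControl into its documented bit flags and treats accountExpires as 100-nanosecond ticks since 1601-01-01 UTC, where 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires". Expiry is carried in accountExpires rather than in a userAccountControl bit. The function names are hypothetical and the expiry values are constructed.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags, as documented for Active Directory
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002
# accountExpires values that both mean "never expires"
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_uac(value):
    """Return the names of the known flags set in userAccountControl."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def to_filetime(dt):
    """Aware datetime -> 100-nanosecond ticks since 1601-01-01 UTC."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def expiry_time(account_expires):
    """accountExpires ticks -> aware datetime, or None for 'never'."""
    if account_expires in NEVER_EXPIRES:
        return None
    return EPOCH_1601 + timedelta(microseconds=account_expires // 10)


def account_usable(uac, account_expires, now):
    """Check both conditions; compare raw ticks so odd values cannot overflow."""
    if uac & ACCOUNTDISABLE:
        return False, "disabled"
    if account_expires not in NEVER_EXPIRES and account_expires <= to_filetime(now):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    last_week = to_filetime(now - timedelta(days=7))  # constructed sample value
    for uac, expires in [(66050, last_week), (66048, last_week), (66048, 0)]:
        print(uac, decode_uac(uac), expiry_time(expires), account_usable(uac, expires, now))
```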
