Occasional Contributor II

CPPM Check AD Account Expiry

I need to set up a Service to authenticate AD users with User/Computer Certificates. I need to check both if the account is expired and disabled. I have set up the new auth source to check the account status and verify it does not match 66050, but I cannot work out how to check if the account is expired. I need something like: If account expiry equals greater than current time.


So far I have:


(Authorization:<domain>:Account Status  NOT_EQUALS 66050)
AND  (Authorization:<domain>:Account Expires  ??  ????)

Guru Elite

Re: CPPM Check AD Account Expiry

You shouldn't need both. If an account expires, it is disabled.

| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Occasional Contributor II

Re: CPPM Check AD Account Expiry

I used the attribute browser and had a look:


UserAccountControl=66050 when it was disabled and expired

UserAccountControl=66048 when it was just expired

UserAccountControl=66048 when not expired or disabled


accountExpires=0 when not expired

accountExpires=xxxxxxxxx (long number of ticks which equal date of expiry) when expired

It looks like I can't use UserAccountControl to check for expiry. :(
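Added example, not part of the thread and not ClearPass configuration: a Python sketch of how the two AD attributes discussed above are interpreted, using Microsoft's documented userAccountControl bit flags and the accountExpires format (100-nanosecond intervals since 1601-01-01 UTC, with 0 and 0x7FFFFFFFFFFFFFFF meaning "never"). Function names and the sample expiry value are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl is a bit field; these are Microsoft-documented flag values.
UAC_ACCOUNTDISABLE = 0x0002
UAC_FLAGS = {
    UAC_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # both values mean "no expiry set"


def decode_uac(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    return sorted(name for bit, name in UAC_FLAGS.items() if int(uac) & bit)


def is_disabled(uac):
    """Test only the disable bit, so other flag combinations do not matter."""
    return bool(int(uac) & UAC_ACCOUNTDISABLE)


def expiry_time(account_expires):
    """Convert accountExpires to an aware UTC datetime, or None for 'never'."""
    ticks = int(account_expires)  # LDAP usually returns the value as a string
    if ticks in NEVER_EXPIRES:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None  # beyond datetime's range: treat as no practical expiry


def is_expired(account_expires, now=None):
    """True when an expiry is set and the current time has reached it."""
    when = expiry_time(account_expires)
    if when is None:
        return False
    return (now or datetime.now(timezone.utc)) >= when


def account_usable(uac, account_expires, now=None):
    """Both checks are needed: expiry does not set the disable bit."""
    return not is_disabled(uac) and not is_expired(account_expires, now)


if __name__ == "__main__":
    sample = "133485408000000000"  # constructed value: 2024-01-01T00:00:00Z
    for uac in (66050, 66048):
        print(uac, decode_uac(uac), "usable:", account_usable(uac, sample))
```

The values seen in the attribute browser decode as 66048 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD and 66050 = the same plus ACCOUNTDISABLE, so a bitwise test on 0x2 is more robust than an equality test on 66050.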
