Difference Between Disabled Account and Expired Account

  • Difference Between Disabled Account and Expired Account

    Hi,
    Can you tell me what is the difference between the disabled account and expired account in Active Directory?

    Thanks

  • #2
    Re: Difference Between Disabled Account and Expired Account

    Originally posted by premglitz
    Hi,
    Can you tell me what is the difference between the disabled account and expired account in Active Directory?

    Thanks

    In what particular context are you asking this question? You would usually disable an account if someone has left the org, account is no longer needed, etc. This is a MANUAL process.

    An expired account essentially disables itself once the expiry date has been reached.


    Sorry I can't be more specific, maybe if you could elaborate a little bit we could be more helpful.


    • #3
      Re: Difference Between Disabled Account and Expired Account

      I suspect this is to assist in your "Interview Questions and Answers" webpage.

      A strange question to ask coming from an MCSA

      Anyway I agree with the previous answer. You have to manually disable accounts, an expired account disables automatically.

      See account expires option in the Account tab in user properties.
      It can be set to "never" or a date can be inserted.

      Account is Disabled is a tickbox in the account options.
      MCP 2003, XP, MCP Exchange 2003, Sonicwall CSSA, ITIL V3


      • #4
        Re: Difference Between Disabled Account and Expired Account

        Hi,
        This is the question asked by my manager to me. I told him the answers of Ryzz and fergie, but he told me that something more important is left. He told me to search for that. I searched on the Web but I can't find that.
        That's why I came back here.
        I think some changes may happen in LDAP.
        Can anybody guide me on this....!

        Thanks and answers are more appreciable.


        • #5
          Re: Difference Between Disabled Account and Expired Account

          Ok I see, sounds to me like your manager's messing you about. Acting the big man as it were......

          Glad you're not so busy and your manager feels your time is best spent searching the web for useless info.

          Why don't you ask him / her to put us out of our misery with his infinite wisdom and tell us the difference.

          If not you may find your answer here.

          http://www.microsoft.com/technet/scr....mspx?mfr=true

          Expand - User Scripts\Active Directory\User Accounts\User Account Status

          Or this may be relevant....

          There are separate flags for "password expired" and "account disabled" in
          the AD userAccountControl flag as detailed here:
          http://support.microsoft.com/defau [...] winsvr2003

          Using the table described in the URL,

          an account is disabled IF RIGHT(HEX(userAccountControl),1) = "2", "3", "A", or "B".

          an account has an expired password IF
          EITHER ( LEN(HEX(userAccountControl)) = 6 AND
          LEFT(HEX(userAccountControl),1) = "8", "9", "A", "B", "C", "D", "E", or "F" )
          OR ( LEN(HEX(userAccountControl)) = 7 AND
          MID(HEX(userAccountControl),2,1) = "8", "9", "A", "B", "C", "D", "E", or "F" )


          Good Luck.
          Last edited by fergie; 7th July 2009, 13:58. Reason: Update to previous answer...
          MCP 2003, XP, MCP Exchange 2003, Sonicwall CSSA, ITIL V3


          • #6
            Re: Difference Between Disabled Account and Expired Account

            Well Prem?

            Did you ever find out what the difference was between Disabled Account and Expired Account?

            I'm curious?????
            MCP 2003, XP, MCP Exchange 2003, Sonicwall CSSA, ITIL V3


            • #7
              Re: Difference Between Disabled Account and Expired Account

              Maybe different values within the userAccountControl attribute and msDS related attributes.
              This article can give more insight: http://www.informit.com/articles/art...74649&seqNum=3

              By reading the attribute values you can determine if it was manually disabled or if it had expired.
              Caesar's cipher - 3

              ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

              SFX JNRS FC U6 MNGR
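
Added example, not part of any post in this thread: the checks from posts #5 and #7 written as bitwise tests instead of hex-string matching, together with the accountExpires attribute that holds the expiry date. It assumes the attribute values have already been read as integers; the function names and sample records are constructed, and the uac_computed parameter stands for msDS-User-Account-Control-Computed, where Windows Server 2003 and later domains report the lockout and password-expired bits.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit values from Microsoft's flag table
UF_ACCOUNTDISABLE = 0x00000002
UF_LOCKOUT = 0x00000010
UF_PASSWORD_EXPIRED = 0x00800000

# accountExpires counts 100-nanosecond intervals since 1601-01-01 UTC;
# 0 and 0x7FFFFFFFFFFFFFFF both mean "never".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)

def filetime_to_datetime(value):
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def datetime_to_filetime(moment):
    delta = moment - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def account_status(uac, account_expires, now, uac_computed=0):
    """Return every state that blocks or restricts logon for one account."""
    states = set()
    if uac & UF_ACCOUNTDISABLE:  # the "Account is disabled" tick box
        states.add("disabled")
    # Expiry is evaluated from the stored date, not from a userAccountControl bit.
    if account_expires not in NEVER and filetime_to_datetime(account_expires) <= now:
        states.add("account-expired")
    flags = uac | uac_computed
    if flags & UF_PASSWORD_EXPIRED:
        states.add("password-expired")
    if flags & UF_LOCKOUT:
        states.add("locked-out")
    return states or {"active"}

# Constructed sample records: (userAccountControl, accountExpires, computed flags)
NOW = datetime(2009, 7, 7, tzinfo=timezone.utc)
EXPIRY = datetime_to_filetime(datetime(2009, 6, 30, tzinfo=timezone.utc))
SAMPLES = {
    "temp.worker": (0x200, EXPIRY, 0),             # expiry date in the past
    "left.org": (0x202, 0x7FFFFFFFFFFFFFFF, 0),    # manually disabled, never expires
    "stale.pw": (0x200, 0, 0x800000),              # password expired (computed)
    "regular": (0x10200, 0, 0),                    # normal account
}

def report():
    return {n: sorted(account_status(u, e, NOW, c)) for n, (u, e, c) in SAMPLES.items()}

if __name__ == "__main__":
    for name, states in report().items():
        print(f"{name:12} {states}")
```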


              • #8
                Re: Difference Between Disabled Account and Expired Account

                Thanks L4Andy, that's a great website, I'm not sure if it's what Prem was looking for, but best guess it's very close......

                It's relevant for me nonetheless, thanks again.
                MCP 2003, XP, MCP Exchange 2003, Sonicwall CSSA, ITIL V3


                • #9
                  Re: Difference Between Disabled Account and Expired Account

                  Sorry Fergie, I just noticed now that you've already touched that in your previous post.
                  Caesar's cipher - 3

                  ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                  SFX JNRS FC U6 MNGR


                  • #10
                    Re: Difference Between Disabled Account and Expired Account

                    I was really hoping Prem would shed some light on it though, what I thought was a benign post could perhaps turn into something relevant.

                    The website you referred to is a great resource all the same.
                    MCP 2003, XP, MCP Exchange 2003, Sonicwall CSSA, ITIL V3


                    • #11
                      Re: Difference Between Disabled Account and Expired Account

                      When you have expired account, you can login with your expired pw to the domain, and you will be notified that your password is expired and that you have to change it.

                      Disabled accounts cannot do that.


                      • #12
                        Re: Difference Between Disabled Account and Expired Account

                        That happens when the password has expired. An expired-account I take as being the state of an account that had dates assigned, so it can't be used after that date. e.g. For temporary employees etc.


                        • #13
                          Re: Difference Between Disabled Account and Expired Account

                          Originally posted by Virtual
                          That happens when the password has expired. An expired-account I take as being the state of an account that had dates assigned, so it can't be used after that date. e.g. For temporary employees etc.

                          ah yes, my bad then, didn't read the post carefully. Should do that in the future


                          • #14
                            Re: Difference Between Disabled Account and Expired Account

                            No worries. I was thinking the same myself initially. I never used the feature myself, so it's natural to think about expired password accounts.


                            • #15
                              Re: Difference Between Disabled Account and Expired Account

                              Some differences with expired accounts vs. disabled accounts:

                              Expired account - If an account has a date assigned that it will expire and that date has not yet come or passed then the user can still login.

                              An Expired Password - If you have exceeded the time allowed for your password to remain the same you may have an expired account. An account with this status will let you login but you will need to change your password after the login process is complete, or at the end of that process.

                              A Disabled account is one which the expiration date has been reached for the account to remain active or one in which someone has manually disabled the account in AD. You can not login once your account has been disabled. The account can be re-enabled by someone with administrator rights.

                              There is also a "locked account" which can't be done manually but instead results from a group policy. Typically this is from a password being typed incorrectly a certain number of times, but there are other policies that can be created that can lock an account. This can be undone in AD by unchecking the "Account is locked" line.

                              Tim Macking
                              Consultant - MCSE, MCSA, MCDBA, MCITP, MCTS, MCP, MCT, CCNA
                              St. Petersburg, FL USA
