Active Directory – Setting a user account expiry to a specific date and time

There may come a time when an account needs to be deactivated or rendered inaccessible at a very specific moment. For example, a member of staff may be leaving the company at a time when IT are unable to action the account.

There is a setting in Active Directory on the Accounts tab called Account expires. Sadly, the Active Directory interface only allows the selection of a date. That said, there is a way of making the value a little more accurate.

Before PowerShell, it was necessary to convert our deactivation date for the account into a format that Active Directory is capable of understanding. This is because the related attribute is a value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).

We could use the command line and run w32tm.exe to convert the accountExpires attribute to a readable date:

w32tm.exe /ntte 132331464013469747

The result being:

153161 10:00:01.3469747 - 05/05/2020 11:00:01

The first half of the result is the date and time in GMT (shown as a count of days since January 1, 1601, followed by the time) and the second half is the system time. Mine is British Summer Time, which is an hour ahead of GMT.

However, that is the reverse of what we need and a digression from the topic. We are not trying to discover an expiry date; we are trying to set a more accurate one. To do this, we use a simple one-line PowerShell command:

Set-ADAccountExpiration -Identity UserID -DateTime "05/06/2020 19:00"

Replace the UserID with the actual account name and this will set an account expiry date and time of the 5th June 2020 at 7pm. You should be aware that the date string is interpreted using the local date format, and the above is in the UK format (day/month/year).
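To avoid the day/month ambiguity and confirm what was actually written, the following added example (not part of the original post) builds the expiry as a DateTime object, sets it, and reads the accountExpires attribute back. The account name jsmith is a placeholder, and the script assumes the ActiveDirectory module (RSAT) is installed and that you have rights to modify the account.

```powershell
# Added example: set an exact expiry time and verify the stored value.
# 'jsmith' is a placeholder account name, not taken from the original post.
Import-Module ActiveDirectory

$identity = 'jsmith'

# Build the expiry from numeric parts (5 June 2020, 19:00 local time) so the
# result does not depend on the regional day/month order of a date string.
$expiry = [datetime]::new(2020, 6, 5, 19, 0, 0, [DateTimeKind]::Local)

# The value AD stores: 100-nanosecond intervals since 1601-01-01 (UTC).
# This is the manual conversion that was needed before PowerShell.
$expected = $expiry.ToFileTimeUtc()
"Expected accountExpires value: $expected"

Set-ADAccountExpiration -Identity $identity -DateTime $expiry

# Read the raw attribute back and decode it.
$user = Get-ADUser -Identity $identity -Properties accountExpires
$raw  = [int64]$user.accountExpires

# 0 and Int64.MaxValue both mean "never expires" and cannot be decoded.
if ($raw -eq 0 -or $raw -eq [int64]::MaxValue) {
    "$identity is set to never expire."
}
else {
    $utc = [datetime]::FromFileTimeUtc($raw)
    "Stored accountExpires value:   $raw"
    "Expires (UTC):   $($utc.ToString('yyyy-MM-dd HH:mm:ss'))"
    "Expires (local): $($utc.ToLocalTime().ToString('yyyy-MM-dd HH:mm:ss'))"

    if ($raw -ne $expected) {
        Write-Warning "Stored value differs from the requested expiry."
    }
}
```

The decoded UTC and local times are the same pair that w32tm.exe /ntte prints for the raw value.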