Active Directory Account Expiration

bvarian
Mega Contributor

Using the Create AD Object, I'm building a workflow for creating a new AD user.  My company has a rule that requires these accounts to have an Expiration Date set.

I'm using a script to build the scratchpad variables.

Using Josh Virelli's guideline found in this useful posting, I've defined the value (the field on my Service Catalog Form is "expiration_date" and it prompts entry in the MM/DD/YYYY format):

var endDateGDT = new GlideDateTime(current.variables.expiration_date);
var accountExpires = (endDateGDT.getNumericValue()*10000) + (11644473600000 * 10000);

 

I then create my scratchpad variable from that value:

workflow.scratchpad.accountExpires = current.variables.accountExpires;

 

Then later in my script, I attempt to write the value to AD thusly:

var object = "{ ";

<<<note - there are other AD field values successfully being written inside this set of brackets as well>>>

object += '"accountExpires" : "' + workflow.scratchpad.accountExpires + '" , ';

object += "}";

 

 

I'm getting an error stating:

The attribute syntax specified to the directory service is invalid.

HRESULT: [-2147016693]

Stack Trace: at System.DirectoryServices.DirectoryEntry.CommitChanges()
at CommitChanges(Object , Object[] )
at System.Management.Automation.DotNetAdapter.AuxiliaryMethodInvoke(Object target, Object[] arguments, MethodInformation methodInformation, Object[] originalArguments)

 

Has anyone made this work?  There are two methods for this that would be acceptable:

1.  Preferred:  Behind the scenes, the scratchpad variables script simply does a get of the current GDT, adds 90 days to whatever it is, and passes that +90 date forward to the AD user object's expiration date field.

2.  Acceptable but Imperfect:  The Service Catalog form prompts the person to enter an expiration date (MM/DD/YYYY or whatever format it would like) that's no more than 90 days from the current date.  This is a good-faith method, but our folks would follow it well.

 

Thanks!


Ankur Bawiskar
Tera Patron

Hi,

I think you cannot set that attribute while creating the AD object; instead, set it using Update AD Object.

I used the PowerShell script below, with user1 as the sAMAccountName:

Set-ADAccountExpiration "user1" -DateTime "02/20/2020"

The date should be in this format:

var termDate = month+'/'+day+'/'+year;

This has worked for me.

Mark Correct if this solves your issue and also mark Helpful if you find my response worthy based on the impact.
Thanks
Ankur

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
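As an added example (not code from either post, and not ServiceNow API code), the following plain JavaScript shows the conversion discussed in this thread together with both options from the question: a fixed 90-day expiry, and a user-entered MM/DD/YYYY date that is rejected if it falls outside the 90-day window. Assumptions: a standard `Date` stands in for `GlideDateTime`, dates are treated as midnight UTC, the engine supports `BigInt`, and all function names are hypothetical.

```javascript
// Added example: plain JavaScript (Node.js); function names are hypothetical.
const EPOCH_DIFF_MS = 11644473600000n; // ms from 1601-01-01 to 1970-01-01 (constant from the post)
const TICKS_PER_MS = 10000n;           // accountExpires counts 100-ns intervals
const MAX_DAYS = 90;                   // policy limit stated in the question
const DAY_MS = 24 * 60 * 60 * 1000;

// Date -> accountExpires as a decimal string.
// BigInt keeps the ~1.3e17 result exact; it is above Number.MAX_SAFE_INTEGER.
function toAccountExpires(date) {
  return ((BigInt(date.getTime()) + EPOCH_DIFF_MS) * TICKS_PER_MS).toString();
}

// Strictly parse MM/DD/YYYY as midnight UTC and reject impossible dates.
function parseMDY(text) {
  const m = /^(\d{2})\/(\d{2})\/(\d{4})$/.exec(String(text).trim());
  if (!m) throw new Error("expected MM/DD/YYYY");
  const [month, day, year] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const d = new Date(Date.UTC(year, month - 1, day));
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month - 1 || d.getUTCDate() !== day) {
    throw new Error("not a real calendar date");
  }
  return d;
}

// Date -> MM/DD/YYYY (UTC), the format passed to Set-ADAccountExpiration in the reply.
function formatMDY(date) {
  const p = (n) => String(n).padStart(2, "0");
  return `${p(date.getUTCMonth() + 1)}/${p(date.getUTCDate())}/${date.getUTCFullYear()}`;
}

// Method 1: ignore user input and expire MAX_DAYS after `now`.
function defaultExpiry(now) {
  return new Date(now.getTime() + MAX_DAYS * DAY_MS);
}

// Method 2: accept a requested date only if it is in the future and within MAX_DAYS.
function checkedExpiry(text, now) {
  const d = parseMDY(text);
  if (d.getTime() <= now.getTime()) throw new Error("expiration is not in the future");
  if (d.getTime() > defaultExpiry(now).getTime()) throw new Error("expiration exceeds 90 days");
  return d;
}

const now = new Date(Date.UTC(2020, 0, 1)); // constructed sample "today"
console.log(formatMDY(defaultExpiry(now)), toAccountExpires(defaultExpiry(now)));
console.log(toAccountExpires(checkedExpiry("02/20/2020", now)));
```

Enforcing the window in `checkedExpiry` turns the "good-faith" form entry of option 2 into a server-side check, so a mistyped or out-of-policy date fails before anything is written to the directory.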

George Razbash1
Kilo Contributor

@bvarian  THANK YOU. GOLD!