Set AD account expiration date via orchestration

Shannon Burns · ‎07-20-2017

I tried setting the account expiration date of an AD account via orchestration, but am getting an error

I can confirm via workflow context that the userid field is the username in AD and the 'end' variable is set to a date in MM/DD/YYYY format.

Anyone know what I'm doing wrong? The error I'm getting is

Thanks,
Shannon

Shannon Burns · ‎08-24-2017

I was not able to do it with the built in update AD object. I was able to set it using the custom Powershell script object.

The things to note for that are:

You have to run the custom powershell with a target OTHER THAN the MID server
When I did that I was still having trouble because my account didn't have access to connect to the domain controller to run the command
- I was able to perform the actions using an account that was a domain admin. We hope to revisit this and scale back those permissions, but it was the fastest solution for our compressed implementation timeframe

Hope that helps

Shannon

View solution in original post

Shannon Burns · ‎08-24-2017

I was not able to do it with the built in update AD object. I was able to set it using the custom Powershell script object.

The things to note for that are:

You have to run the custom powershell with a target OTHER THAN the MID server
When I did that I was still having trouble because my account didn't have access to connect to the domain controller to run the command
- I was able to perform the actions using an account that was a domain admin. We hope to revisit this and scale back those permissions, but it was the fastest solution for our compressed implementation timeframe

Hope that helps

Shannon

Josh Virelli · ‎10-02-2017

Hi Shannon,

I was able to find a way to convert dates without using a PowerShell command to set the accountExpires attribute (or any Integer8 attribute in Active Directory) and wanted to post here to help you and any other future developers because I couldn't find an answer.

ServiceNow's GlideDateTime Server API has a method called getNumericValue() which gets the number of milliseconds since January 1, 1970. Active Directory uses the Integer8 or FILETIME format which is the number of 100 nanoseconds intervals since January 1, 1601. So we just have to find the static value of milliseconds between the two dates (Jan 1, 1601 and Jan 1, 1970) which is 11644473600000 and multiply that by 10,000 to get it into 100 nanosecond intervals. And then we take the value returned by the getNumericValue() method and multiply it by 10,000 to get its value in 100 nanosecond intervals. Add the two values together and voila, you've got your date. In an example script it looks like this, just replace "yourEndDateVariableName" with the variable from your form:

var endDateGDT = new GlideDateTime(current.variables.yourEndDateVariableName)


var accountExpires = (endDateGDT.getNumericValue()*10000) + (11644473600000 * 10000)

Just be aware that this will set accountExpires to Dec 31, 1969 if you don't put in an End Date because we are adding that static value to get from 1601 to 1970, so add an If statement to check for an End Date.

Hope this helps!

Josh

nate_engstrom · ‎06-10-2020

Hello Josh,

I'm not sure if this is the right number (11644473600000) because when I do this it is a couple of days off when I set the expiration date in my form to what is set in AD. I tried to calculate this value myself and came up with (11643609600000) but this value is more wrong than yours.

How exactly did you come up with that number?

Thanks,

Nate

Josh Virelli · ‎06-10-2020

Hey Nate,

Not entirely sure if I calculated this myself, or found it online somewhere those three years ago. If you google that number (i.e. 11644473600000), you'll find other resources mentioning it for converting FILETIME to Unix.

Make sure you are multiplying it by 10000 as I showed above

var accountExpires = (endDateGDT.getNumericValue()*10000) + (11644473600000 * 10000)

Good luck!

-Josh