User Logon and Account Expiration Date

Giganews Newsgroups
Subject: User Logon and Account Expiration Date
Posted by:  Ralf (Ra…@discussions.microsoft.com)
Date: Wed, 17 Dec 2008

Hi,

I have come across a problem with the "Account Expiration Date" and I am
seeking clarification on how the "Account Expiration Date" is evaluated when
a user account logs on to our domain.

From previous reading, I learned that "Account Expiration Date" is stored in
UTC in AD. I have also learned that setting this date via the ADUC MMC does not
result in an exact (can be any time during the following day) or consistent
value (depending on the time zone of the DC on which I set the date).

Therefore, in order to consistently set the date and also set the exact time
of the day, I now set this date via script. The script adjusts for the time
zone of the computer from which it is executed, and hence no matter where I run
the script from, I always end up with the exact "Account Expiration Date"
stored in AD that I want.

I always set the date to "Midnight" e.g. #16-Dec-2008 00:00#.

The idea behind that is that I am running a script on a DC at 00:05 everyday
which checks for expired accounts and automatically performs various actions
with these accounts. E.g. running the script on 17-Dec-2008 at 00:05 will
process any account with an earlier expiration date.

All of this works fine.

However, when I use my script to set the date to e.g. #16-Dec-2008 00:00#,
it shows up on my DC in the US (EST) in the ADUC MMC as 14-December-2008.

I understand why it does that, but now comes my problem: I then had a user in
the US (EST) trying to log into his computer on 15-Dec-2008 local time in the
morning, and the user was unable to do that.

My script that I use to retire user accounts had not processed the account
yet, which was the right thing, but apparently the user was not able to log in,
as the ADUC MMC shows the date of 14-Dec-2008 and hence logon was denied on
15-Dec-08.

So does the user logon process convert the date stored in the AD attribute
"accountExpires" back into local time instead of using the UTC date stored in
AD? Does anyone know/understand this?

Why would the logon process translate the UTC date back into local time?

Your thoughts?

Thanks for your help,

Ralf
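As an added illustration (not Ralf's script and not Microsoft's code), the following Python models how accountExpires is stored (100-nanosecond ticks since 1601-01-01 UTC) and compared against the UTC clock, and why a midnight-UTC expiry is shown as an earlier day on an EST console. The ADUC "End of" display is modelled as an assumption: it is taken to show the stored local-time instant minus one day.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed example: models the accountExpires attribute as a Windows
# FILETIME LargeInteger (100-ns ticks since 1601-01-01 00:00 UTC).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}   # both encodings mean "never expires"
EST = timezone(timedelta(hours=-5))       # US Eastern standard time (December)

def to_account_expires(when: datetime) -> int:
    """Encode a timezone-aware datetime as an accountExpires value (exact int math)."""
    if when.tzinfo is None:
        raise ValueError("expiry must be timezone-aware")
    micros = (when.astimezone(timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * 10

def from_account_expires(value: int) -> Optional[datetime]:
    """Decode accountExpires back to a UTC datetime; None means the account never expires."""
    if value in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def displayed_instant(value: int, display_tz: timezone) -> str:
    """What a console in display_tz shows after converting the stored UTC instant to local time."""
    expiry = from_account_expires(value)
    return "never" if expiry is None else expiry.astimezone(display_tz).strftime("%d-%b-%Y %H:%M")

def aduc_end_of_date(value: int, display_tz: timezone) -> str:
    """ASSUMED model of the ADUC 'End of' field: local instant minus one day, date only."""
    expiry = from_account_expires(value)
    if expiry is None:
        return "never"
    return (expiry.astimezone(display_tz) - timedelta(days=1)).strftime("%d-%b-%Y")

def is_expired(value: int, now_utc: datetime) -> bool:
    """Logon-style check: the account is expired once UTC 'now' reaches the stored instant."""
    expiry = from_account_expires(value)
    return expiry is not None and now_utc.astimezone(timezone.utc) >= expiry

def scenario() -> dict:
    """Reproduce the post's case: expiry set to 16-Dec-2008 00:00 UTC, viewed and used from EST."""
    value = to_account_expires(datetime(2008, 12, 16, 0, 0, tzinfo=timezone.utc))
    morning_est = datetime(2008, 12, 15, 8, 0, tzinfo=EST)      # user's logon attempt
    cleanup_run = datetime(2008, 12, 17, 0, 5, tzinfo=timezone.utc)  # 00:05 retire script
    return {
        "stored": value,
        "shown_est": displayed_instant(value, EST),
        "aduc_end_of": aduc_end_of_date(value, EST),
        "expired_at_logon": is_expired(value, morning_est),
        "expired_at_cleanup": is_expired(value, cleanup_run),
    }
```

Under this model the logon on the morning of 15-Dec-2008 EST precedes the stored instant (15-Dec 19:00 EST), so a pure UTC comparison would not deny it; the denial Ralf saw is what the thread is asking about.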