none
Account expired and Account Disabled. What is the difference?

    Întrebare

  • In Active Directory, under Account tab of the User properties in ADUC, there are two options to disable a account. By checking the Account Disable box or by specifying a account expiry date. But what is the difference between these two options, other than account disable will take effect immediately and account expires take effect once the specified time period is reached. In both cases, the accounts remain in AD and users won't be able to logon using those accounts. Why Microsoft has given two different options? Why not have only account disable with an option to specify the time to disable the account?

    Or, is there any other difference between a locked out account and expired account?

    22 iunie 2012 06:55

Răspunsuri

  • You can disable the account immediately, if you find somebody is misusing the account or user left the organization & there is certainty he mights comes back. There is attempt to login is coming from the same account & user is saying he is not using again you can disable the account to find the reason for such occurrence.

    Account expiry date is used for automation, consider you give an AD account to the temporarily to the vendor but you might forget to disable it when his job is done. In this case someone might use this account for mischief, so you will automate that after this period of the account it is automatically disabled.

    Account is locked by failed logon, someone is playing mischief to lock your account where as expired account is normally used for the contractor or vendor to deactivate the account after specified period of time.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    22 iunie 2012 09:12
    Moderator
  • Hello,

    Please read this link:

    Difference Between Account Types

    Regards

    22 iunie 2012 07:11
  • Hello,

    disabled is done manual and permanent setting. If you have a position that is valid at the moment but you know a person will takeover. So you don't have to work with expiry dates, just enable/disable and you are done.

    Expired will happen if the configured date is ending at 24:00, after that time the user is not able to logon, so helpful if you have users that are only there for some weeks and then should not be able to logon again, without controlling every day if it must be disabled.

    locked out is an account if the user types too many times a wrong password based on your policy settings.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    22 iunie 2012 08:14

Toate mesajele

  • Hello,

    Please read this link:

    Difference Between Account Types

    Regards

    22 iunie 2012 07:11
  • Hello,

    disabled is done manual and permanent setting. If you have a position that is valid at the moment but you know a person will takeover. So you don't have to work with expiry dates, just enable/disable and you are done.

    Expired will happen if the configured date is ending at 24:00, after that time the user is not able to logon, so helpful if you have users that are only there for some weeks and then should not be able to logon again, without controlling every day if it must be disabled.

    locked out is an account if the user types too many times a wrong password based on your policy settings.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    22 iunie 2012 08:14
  • You can disable the account immediately, if you find somebody is misusing the account or user left the organization & there is certainty he mights comes back. There is attempt to login is coming from the same account & user is saying he is not using again you can disable the account to find the reason for such occurrence.

    Account expiry date is used for automation, consider you give an AD account to the temporarily to the vendor but you might forget to disable it when his job is done. In this case someone might use this account for mischief, so you will automate that after this period of the account it is automatically disabled.

    Account is locked by failed logon, someone is playing mischief to lock your account where as expired account is normally used for the contractor or vendor to deactivate the account after specified period of time.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    22 iunie 2012 09:12
    Moderator
  • There is but one additional doubt here and it is as follows:

    When one (manually) disables an account it could be enabled again without loosing account ID.

    When one's account expires, is account (with its ID) removed from the list of users (so it cannot be enabled again) or it is merely disabled as if it is disabled manually?

    If account is deleted this is BIG difference because ID cannot be recreated again.



    • Editat de ljgww 28 iulie 2014 12:38
    28 iulie 2014 12:34
  • There is but one additional doubt here and it is as follows:

    When one (manually) disables an account it could be enabled again without loosing account ID.

    When one's account expires, is account (with its ID) removed from the list of users (so it cannot be enabled again) or it is merely disabled as if it is disabled manually?

    If account is deleted this is BIG difference because ID cannot be recreated again.




    Even if an account has expired, it can be set to "Never expire" or have a new expire date set in the future, both options will make the account available for login/authentication. The account dose _not_ get deleted once it expires.  

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    28 iulie 2014 15:50