
Set accountExpires in AD to today +90 days

frayang
New Contributor

Hi all,

We have a requirement for setting AD attribute accountExpires to today()+90 days while enabling a disabled account in AD.

Have you worked on it before? If so, could you share your configuration/syntax with us? Thanks

-Fran

armaanzahir
Valued Contributor

Hi @frayang

Can you try the below code:

"accountExpires": "${(Calendar.getInstance().getTimeInMillis() + 7776000000 + 11644473600000L)* 10000L}"

https://forums.saviynt.com/t5/identity-governance/account-expires-as-current-date-in-ad/m-p/40603

Regards,
Md Armaan Zahir

Raghu
All-Star

@frayang  try below

"accountExpires": "${(Calendar.getInstance().with { add(Calendar.DAY_OF_YEAR, 90); set(Calendar.HOUR_OF_DAY, 0); set(Calendar.MINUTE, 0); set(Calendar.SECOND, 0); set(Calendar.MILLISECOND, 0); it }.getTimeInMillis() + 11644473600000L) * 10000L}"


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

Kriti
New Contributor

Can the accountExpires attribute be updated to today + 90 days via EnableAccountJSON?

We are setting it like this in the EnableAccountJSON attribute:

"accountExpires": "${user.employeeType.equalsIgnoreCase('employee') || user.employeeType.equalsIgnoreCase('subcontractor')? (Calendar.getInstance().getTimeInMillis() + 7776000000 + 11644473600000L)* 10000L : ''}"

But the task is not completing and gives the error below:

Error enabling account in ADSI: { "status": "Failure", "failedObjects": [ { "id": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '/')}", "status": "Failure", "message": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '/')} does not exist.", "messageCodes": "OBJ_ERR_MSG_00002" } ], "connectionString": "LDAP://uslas0-inf008.jacobs.com:636" }

The same works in updateAccountJson, and if accountExpires is not defined in enableAccountJSON, the enable account task processes successfully.

Share the full JSON.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Kriti
New Contributor

EnableAccountJSON

{
  "objects": [
    {
      "objectClasses": [
        "user"
      ],
      "distinguishedName": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '\/')}",
      "moveObjectToOU": "${user.customproperty21}",
      "attributes": {
        "userAccountControl": 512,
        "extensionAttribute1": "${user.employeeType}",
        "extensionAttribute6": "${user.country}",
        "extensionAttribute3": "${user.location}",
        "extensionAttribute13": "${user.customproperty4}",
        "extensionAttribute9": "${user.customproperty2}",
        "physicalDeliveryOfficeName": "${user.location}",
        "description": "${user.jobDescription}",
        "accountExpires": "${user.employeeType.equalsIgnoreCase('employee') || user.employeeType.equalsIgnoreCase('subcontractor')? (Calendar.getInstance().getTimeInMillis() + 7776000000 + 11644473600000L)* 10000L : ''}"
      }
    }
  ]
}

{
  "objects": [
    {
      "objectClasses": [
        "user"
      ],
      "distinguishedName": "${account.accountID?.replace('\\\\', '\\\\\\\\')?.replace('/', '/')}",
      "moveObjectToOU": "${user.customproperty21}",
      "attributes": {
        "userAccountControl": 512,
        "extensionAttribute1": "${user.employeeType}",
        "extensionAttribute6": "${user.country}",
        "extensionAttribute3": "${user.location}",
        "extensionAttribute13": "${user.customproperty4}",
        "extensionAttribute9": "${user.customproperty2}",
        "physicalDeliveryOfficeName": "${user.location}",
        "description": "${user.jobDescription}",
        "accountExpires": "${user.employeeType.equalsIgnoreCase('employee') || user.employeeType.equalsIgnoreCase('subcontractor')? (Calendar.getInstance().getTimeInMillis() + 7776000000 + 11644473600000L)* 10000L : ''}"
      }
    }
  ]
}


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Kriti
New Contributor

The issue is not with distinguishedName.

If I remove accountExpires from the above JSON and keep "distinguishedName": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '\/')}", the enable account task completes successfully; it only fails when the accountExpires attribute is added.

"accountExpires": "${user.employeeType.equalsIgnoreCase('employee') || user.employeeType.equalsIgnoreCase('subcontractor') ? (new Date().getTime() + (90L * 24 * 60 * 60 * 1000) + 11644473600000L) * 10000L : '0'}"


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
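
Added example, not part of any reply in this thread and not Saviynt code: a standalone Groovy script for checking an accountExpires value before it goes into a connector JSON, by converting a date to AD's 100-nanosecond ticks since 1601-01-01 UTC and decoding it back. The AdTime class and its method names are hypothetical, and the script assumes the `${...}` expressions above are evaluated as Groovy; it runs in plain Groovy outside Saviynt.

```groovy
import java.time.Instant
import java.time.LocalDate
import java.time.ZoneOffset
import java.time.temporal.ChronoUnit

class AdTime {  // hypothetical helper, not a Saviynt or AD API
    // Milliseconds from 1601-01-01T00:00:00Z (AD epoch) to 1970-01-01T00:00:00Z.
    static final long EPOCH_DIFF_MS = 11644473600000L
    // accountExpires counts 100-nanosecond intervals: 10,000 per millisecond.
    static final long TICKS_PER_MS = 10000L
    // Both values mean "never expires" in AD.
    static final List<Long> NEVER = [0L, Long.MAX_VALUE]

    static long toAccountExpires(Instant when) {
        (when.toEpochMilli() + EPOCH_DIFF_MS) * TICKS_PER_MS
    }

    // Returns null for the "never expires" sentinels.
    static Instant fromAccountExpires(long ticks) {
        if (ticks in NEVER) return null
        Instant.ofEpochMilli(Math.floorDiv(ticks, TICKS_PER_MS) - EPOCH_DIFF_MS)
    }
}

// Pitfall: int arithmetic wraps, so the 90-day offset must be computed as a long.
assert 90 * 24 * 60 * 60 * 1000 == -813934592
assert 90L * 24 * 60 * 60 * 1000 == 7776000000L

// Known anchor: the Unix epoch expressed in AD ticks.
assert AdTime.toAccountExpires(Instant.EPOCH) == 116444736000000000L

// Option 1: exactly 90 * 24 hours from now.
Instant rolling = Instant.now().plus(90, ChronoUnit.DAYS)
// Option 2: midnight UTC on the calendar day 90 days out.
Instant midnight = LocalDate.now(ZoneOffset.UTC).plusDays(90)
        .atStartOfDay(ZoneOffset.UTC).toInstant()

[rolling: rolling, midnight: midnight].each { name, when ->
    long ticks = AdTime.toAccountExpires(when)
    // Round-trip check: decoding must return the same instant (ms precision).
    assert AdTime.fromAccountExpires(ticks) == when.truncatedTo(ChronoUnit.MILLIS)
    println "${name}: accountExpires=${ticks} -> ${AdTime.fromAccountExpires(ticks)}"
}
assert AdTime.fromAccountExpires(0L) == null
```

Decoding the value actually written to a test account with fromAccountExpires confirms that an enabled account really carries the intended 90-day limit rather than a never-expires or near-1601 value.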