Set AD AccountExpire after one year after the creation

Hi,

I would like to understand how to set the “AccountExpire” attribute of Active Directory to one year after its creation. Is it possible to do it through a simple transform or do I need to use a cloud rule? Do you have any examples to share?

Thanks a lot

Assuming you want to set that only at creation, you can add a small transform to the create profile / policy. This transform can do a ‘dateMath’ operation where you use something like now()+1y

Please follow the following documentation and experiment with this:

1 Like

Hi @vcarelli, in addition to what @sauvee mentioned

Yes, you can absolutely achieve this using only a transform (no Cloud Rule needed).

SailPoint recommends setting the accountExpires attribute as a string, formatted in Windows FileTime (EPOCH_TIME_WIN32). To set it to 1 year after account creation, you can use a chained transform like this:


{
  "type": "dateFormat",
  "attributes": {
    "input": {
      "type": "dateMath",
      "attributes": {
        "expression": "+1y",
        "roundUp": true
      }
    },
    "inputFormat": "yyyy-MM-dd'T'HH:mm",
    "outputFormat": "EPOCH_TIME_WIN32"
  }
}

This will:

  • Add 1 year to the current date
  • Format it as a Windows FileTime string, which AD expects for the accountExpires field. While AD technically accepts it as an integer too, SailPoint recommends using the string format for consistency and compatibility.
1 Like

This is definitely the right way to go. A couple of words of warning, though:

  1. Do not set an identity attribute for this… otherwise it will recalculate for everyone every refresh, and this will slow down your refreshes and clutter your Access History views.
  2. This will only work for newly-created accounts. Accounts that were previously disabled and are being reactivated (rehires, etc.) will not have their expiration date updated.
  3. This does not provide a mechanism by which managers can extend their contractors’ expiration dates.
1 Like
