AD User accounts set to expire after being viewed in the Web Console

  • 7022446
  • 08-Dec-2017
  • 16-Oct-2018

Environment

NetIQ Directory & Resource Administrator 9.1.0.0
NetIQ Directory & Resource Administrator 9.1.1.0
NetIQ Directory & Resource Administrator Rest Services 9.x

Situation

Why do user accounts seem to expire after editing them? Why are AD accounts expiring seemingly at random? After using the Web Console, why is there an expiration date set for accounts? Is the Web Console causing users to expire setting them to do so?

Resolution

DRA 9.1.1.1 and newer has provided a code change for this issue. The following steps may still act as a workaround for the issue while waiting to apply the hotfix.
  1. Select the User in question.
  2. Open the Property Page, and navigate to the Account tab.
  3. Notice that the Ok and Apply buttons are already active.
  4. Accept the change and then open the Account tab a second time.
  5. Check the 'Not Set' box by Account Expiration and accept the change.

Please Note: By manually going back into the properties for this user, and checking this box (or disabling the expiration via ADU&C or D&C Console) this user's Account tab will no longer attempt to uncheck the "Not Set" when viewing the Account tab.

Cause

The reason this occurred is because the Web Client is converting the current value for Account Expiration date to GMT. By doing this, the Ok/Apply buttons are enabled. Clicking either of the now enabled buttons to accept the change causes the Expiration to get set as well. Now the account is set to expire in x days.

Additional Information

This issue has been fixed within DRA 9.1.1.1 and newer. The change will only prevent the issue from occurring again, and will not modify any account that have a previously set expiration date. DRA 9.1.1.1 and newer will only prevent the expiration from accidentally being set in this manner, but will not go back to see which accounts are already expiring or not.