Account expiration dates differ by one day from ADU&C to DRA. (NETIQKB70870)

  • 7770870
  • 08-Jan-2008
  • 24-Mar-2008

Environment

Directory and Resource Administrator 7.x

Directory and Resource Administrator 8.x

Situation

Account expiration dates differ by one day from ADU&C to DRA.
Why does DRA display the account expiration date of an account one day ahead of native tools?

Resolution

Directory and Resource Administrator (DRA) can set the account expiration for a User account not just to a particular date, but also to a particular time. Native tools (ADU&C) only let you specify a date. Further, when you set an account to expire natively, it is really set to expire at the "End of" whatever date you specify, meaning that the account will be expired within the first hour of the next day. Microsoft literally implies that any account expiration set will expire at the end of that day, or at the end of 11:59:59 PM.

Because DRA allows you to specify not just a date but also a time to expire the account, a value set in DRA will always appear in native tools as one day prior, because of the "End of" day translation Microsoft uses for display purposes.

DRA shows the exact expiration time in the consoles. Therefore, the date values will never be exactly the same as in native tools. The value is set and retrieved as UTC and displayed in the client's local time zone. DRA also sets that value in UTC when it is changed.

When an Admin uses ADU&C to change the expiration date from never to a specific date, he can expect the account to expire at the end of the date set. That will happen between midnight of the date set and 1:00 AM of the next day, depending upon the time of year. DRA's default, when going from never to a date, is to set the expiration to occur at 11:59 PM of the specified date. However, what typically causes some confusion is the way DRA displays the account expiration if the expiration was set natively and NOT using DRA. If an account is set to expire at the end of a specific day, DRA will display the account expiration as 12:00 AM of the next day, that is, within the first minute of the next day. Native tools may still actually expire the account anytime within an HOUR of its "End of" setting. So it is possible that an account can be active beyond the account expiration date displayed in DRA, but by no more than 59 minutes.
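The following added example (not NetIQ or Microsoft code) decodes a stored expiration value and renders it both ways, so the one-day difference can be checked when auditing account expirations. It assumes the value is the Active Directory accountExpires attribute (100-nanosecond ticks since 1601-01-01 UTC, with 0 or 0x7FFFFFFFFFFFFFFF meaning never); the function names, the UTC-5 client offset and the sample dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_VALUES = (0, 0x7FFFFFFFFFFFFFFF)  # both mean "never expires"

def to_filetime(dt):
    """Aware datetime -> accountExpires ticks (100 ns units since 1601 UTC)."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def from_filetime(value):
    """accountExpires ticks -> aware UTC datetime, or None for 'never'."""
    if value in NEVER_VALUES:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def expiry_views(value, client_tz):
    """Render one stored value the two ways the article describes.

    exact_local   : exact time in the client's zone (how DRA shows it)
    native_end_of : date one day prior, modelling the "End of" display
                    of native tools (an assumption based on the article)
    """
    utc = from_filetime(value)
    if utc is None:
        return {"utc": None, "exact_local": None, "native_end_of": None}
    local = utc.astimezone(client_tz)
    return {"utc": utc, "exact_local": local,
            "native_end_of": (local - timedelta(days=1)).date()}

# Constructed sample data: a client at a fixed UTC-5 offset.
CLIENT_TZ = timezone(timedelta(hours=-5))
# Set natively to "End of 2008-06-30": stored as local midnight of the next day.
NATIVE_VALUE = to_filetime(datetime(2008, 7, 1, 0, 0, tzinfo=CLIENT_TZ))
# Set with the DRA default: 11:59 PM of the specified date.
DRA_VALUE = to_filetime(datetime(2008, 6, 30, 23, 59, tzinfo=CLIENT_TZ))

if __name__ == "__main__":
    for label, value in (("native", NATIVE_VALUE), ("DRA default", DRA_VALUE)):
        v = expiry_views(value, CLIENT_TZ)
        print(f"{label:12} utc={v['utc']:%Y-%m-%d %H:%M} "
              f"exact_local={v['exact_local']:%Y-%m-%d %I:%M %p} "
              f"native_end_of={v['native_end_of']}")
```
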

Cause

This is by design.

Additional Information

Formerly known as NETIQKB70870