
Expiring Active Directory Groups

RobertKaucher Member Posts: 4,299
We have a cross-forest trust between two domains. In the foreign domain we have no administrative control. We need a way to expire access to certain user accounts from the foreign domain. I can quite easily write a PowerShell script that handles this and runs as a scheduled task or even as a SQL Server job. But I would like to know how others have handled this sort of issue.

Comments

  • nycid Member Posts: 71
    You're trying to expire the accounts you do have access to? Or accounts in the foreign domain? If it's the one you have access to, simply put an expiration date on the user account in question.
  • RobertKaucher Member Posts: 4,299
    As per the subject, I am setting an expiration on an AD GROUP, not account, within the domain I have administrative control over. Or at the very least expire access to specific resources from specific accounts (not all resources as would occur with the built-in account-based AD methodology).

    I am aware you can set expiration on individual accounts but as I stated I do not have administrative control in the domain in which those accounts exist. The best solution I have been able to come up with is a PoshScript that removes everyone from the group in question on the date it is set to expire.

    There is no built-in way to accomplish this. I am interested in knowing if anyone else has had to address this problem in a cross-forest, cross-domain situation - and if so, what they have done.
  • crrussell3 Member Posts: 561
    I have seen a few third party tools that will allow you to do this, but unless it takes up a lot of your time, I wouldn't think the cost and/or management of said tools would be better than a Posh script on a scheduled task.
    MCTS: Windows Vista, Configuration
    MCTS: Windows WS08 Active Directory, Configuration
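
A sketch of the scheduled-task approach discussed in this thread, added as an illustration and not code from any of the posters. It assumes a convention of recording the expiry date in each group's `info` (Notes) attribute as `Expires=yyyy-MM-dd`; the OU and log path are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumed convention: a time-limited group carries a line
# "Expires=yyyy-MM-dd" in its 'info' (Notes) attribute.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'OU=TimeLimited,DC=example,DC=com',  # placeholder OU
    [string]$LogPath    = 'C:\Logs\GroupExpiry.csv'            # placeholder path
)

$today  = (Get-Date).Date
$groups = Get-ADGroup -SearchBase $SearchBase -LDAPFilter '(info=*)' -Properties info, member

foreach ($group in $groups) {
    # Skip groups whose notes do not carry the expiry marker.
    if (-not ($group.info -match 'Expires=(\d{4}-\d{2}-\d{2})')) { continue }

    [datetime]$expires = [datetime]::MinValue
    $parsed = [datetime]::TryParseExact(
        $Matches[1], 'yyyy-MM-dd',
        [System.Globalization.CultureInfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::None,
        [ref]$expires)
    if (-not $parsed) {
        # A malformed date must never be treated as "expired".
        Write-Warning "Unparseable expiry on $($group.Name): $($Matches[1])"
        continue
    }
    if ($expires -gt $today) { continue }   # not yet expired

    # Use the raw 'member' DNs. Accounts from the trusted forest are stored
    # locally as foreignSecurityPrincipal objects, so no lookup across the
    # trust (and no rights in the foreign domain) is needed to remove them.
    $members = @($group.member)
    if ($members.Count -eq 0) { continue }

    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Remove $($members.Count) member(s)")) {
        # Record who was removed before changing anything, for audit and rollback.
        $members | ForEach-Object {
            [pscustomobject]@{
                Timestamp = (Get-Date).ToString('s')
                Group     = $group.DistinguishedName
                Expired   = $expires.ToString('yyyy-MM-dd')
                MemberDN  = $_
            }
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation

        Set-ADGroup -Identity $group -Clear member
    }
}
```

Run it with `-WhatIf` first to list the groups that would be emptied, and run the scheduled task under an account delegated write access to group membership in that OU only.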