Register Sign in Need help? FAQ SailPoint directory
Help
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to set accountexpires value on Active Directory

How to set accountexpires value on Active Directory

Symptoms

Many times IIQ developer facing an issue to set accountexpires active directory application attribute value via beanshell code.

Please find below solution for setting accountexpires, pwdLastSet,accountExpires, LastLogon, LastLogonTimestamp, and LastPwdSet value using beanshell code.

 

Diagnosis

The expected timestamp required for the accountexpires AD attribute is the 18-digit Active Directory timestamps, also named 'Windows NT time format', 'Win32 FILETIME or SYSTEMTIME' or NTFS file time. These are used in Microsoft Active Directory for pwdLastSet, accountExpires, LastLogon, LastLogonTimestamp, and LastPwdSet. The timestamp is the number of 100-nanosecond intervals (1 nanosecond = one billionth of a second) since Jan 1, 1601 UTC.

 

Solution

Please find below solution to calculate pwdLastSet, accountExpires, LastLogon, LastLogonTimestamp, and LastPwdSet from String value.

 

import java.time.LocalDate;
import java.time.Month;
import java.util.Calendar;
import java.util.TimeZone;

/**
	 * This method will convert date into the 18-digit Active Directory timestamps,
	 *  also named 'Windows NT time format', 'Win32 FILETIME or SYSTEMTIME' or NTFS file time
	 * @param terminationDate
	 * @return ldapTimeStamp
	 */
	public String getAcccountExpiresValue(String terminationDate) {
		// "2020-07-18" - example date
		String ldapTimeStamp = "never";

		if (null != terminationDate && !"never".equalsIgnoreCase(terminationDate)) {

			LocalDate currentDate = LocalDate.parse(terminationDate);
			// Get day from date
			int day = currentDate.getDayOfMonth();
			// Get month from date
			Month month = currentDate.getMonth();
			// Get year from date
			int year = currentDate.getYear();
			// Print the day, month, and year
			System.out.println("Day: " + day);
			System.out.println("Month: " + month.getValue());
			System.out.println("Year: " + year);
			Calendar c = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
			c.clear();
			c.set(year, month.getValue(), day); // your date
			long time1 = c.getTimeInMillis();
			c.set(1601, 1, 1);
			long time2 = c.getTimeInMillis();
			long ldap = (time1 - time2) * 10000;
			System.out.println(ldap);
			ldapTimeStamp = Long.toString(ldap);

		}
		return ldapTimeStamp;
	}

 

 

You can validate the ldaptimestamp or the return String is correct or not follow below steps -

  1. Run the code.
  2. Get the string value.
  3. Open the link in browser - https://www.epochconverter.com/ldap 
  4. Copy the output of string & paste it on converter.
  5. And press the button to convert.
  6. You will see the output as Date format on webpage.
  7. Please check the below image.

LdapTimeStamp.JPG

 

Please let me know if any one have any questions!!

Thanks,

IAM PDU

Comments
A_Desai
‎Sep 23, 2021 10:29 AM
‎Sep 23, 2021 10:29 AM

@IAMpdu 

This is very helpful. Thank you for posting it.

Current code assumes 12:00:00AM as time when converting the input date. If we have specific need to use certain time 06:00:00PM (for example), how could we do it? Any suggestions

IAMpdu
‎Sep 23, 2021 10:38 AM
‎Sep 23, 2021 10:38 AM

Hello @A_Desai , 

Try to add 6 hours in ldaptime(in form of millsec - which is equal to 21600000 ).

long ldap = (time1 - time2) * 10000 + 21600000;

 

Please let me know if you have question.

Thanks,

IAMPDU

IAMpdu
‎Sep 24, 2021 08:56 AM
‎Sep 24, 2021 08:56 AM

Hello @A_Desai ,

Ignore the above reply.

You just need to add below line of code 

c.add(Calendar.HOUR_OF_DAY, <int hour>);
//Eg
c.add(Calendar.HOUR_OF_DAY, 6);

before below line 

long time1 = c.getTimeInMillis();

Thanks,

IAM-PDU

 

shivani697
‎Jan 07, 2022 01:52 AM
‎Jan 07, 2022 01:52 AM

This is helpful. Thanks for posting!

pholdridge
‎Mar 13, 2023 10:49 PM
‎Mar 13, 2023 10:49 PM

If just setting the initial accountExpires attribute when creating the account, a simple Date Format transform does the trick. Add the attribute to your source's AD create account XML. Map it to the end date attribute in the identity profile with the transform below. Change the input format to your needs.

    "name": "AB_EPOCH_TIME_WIN32_Convert",
    "type": "dateFormat",
    "attributes": {
        "inputFormat": "MM/dd/yyyy",
        "outputFormat": "EPOCH_TIME_WIN32"
    },
    "internal": false

To update the attribute later, just sync it on the source.

 

saikumar39
‎Jun 09, 2023 10:44 AM
‎Jun 09, 2023 10:44 AM

Hi @pholdridge ,

 

I have used above code to update accountExpires in AD , Some how it is showing one day before date 

Example : i have given in CSV 12/30/2024,Im getting in AD 12/29/2024 07:00:00 PM 

I wanted to populate same date with 12:00:00 PM .

Can you let me know if you have idea on this ?

 

Thank you,

Saikumar

 

saikumar39
‎Jun 12, 2023 09:15 AM
‎Jun 12, 2023 09:15 AM

Hi @pholdridge ,

 

Can you lease  let me know if you have idea on above scenario  ?

 

Thank you,

Saikumar

pholdridge
‎Jun 15, 2023 10:12 AM
‎Jun 15, 2023 10:12 AM

Yes, this is normal. I believe it translates to "11:59:59 PM" the day before which is practically the next day.

Version history
Revision #:
3 of 3
Last update:
‎Mar 16, 2023 06:33 PM
Updated by:
Community Administrator
 
View Article History
Top