Expired Accounts life cycle

Hi Team.

Just looking for some suggestions on the best way forward.

I have a new user form that just creates a temp AD user. It is a very basic account, and by default it has a 21-day account expiry set at creation time.

Now what we want to do is:

1) Account created with 21 days until the account expires.

2) At 14 and 19 days, send an email to the person who created the account with a Keep-or-Delete approval-type email.

3) If there is no response at 21 days, disable the account.

4) If the person who created the account clicks Keep, the account expiry is extended by 21 days.

5) If the person clicks Delete, the account is automatically deleted.

Based on the above, do you think this would typically be a single workflow? Would it be easier to put the accounts in a group and have the check performed on the group members?

Just trying to work out the best approach to this.

  • Running as a scheduled task does not include an approval, so I'm not 100% sure how I can do this.

  • I would use more than one workflow. A scheduled workflow to run daily and check virtual attributes that contain data such as dates or days. Then I'd create another workflow based on virtual attribute changes, and initiate the approval from there.

  • Thanks, 

    Yes, I had come to the same conclusion and approach and started to work down that path, so thank you for validating my thinking.

    I am trying to reuse the script provided, which works great in a new user workflow. I am trying to use this in a scheduled task workflow.

    The plan is that the workflow will run on a schedule. It searches an AD group that contains all the accounts I want to check the accountExpires on. If it finds an account and the script returns true, then set the VA on the workflow to TRUE.

    When the workflow runs it displays the error:

    Activity 'If-Else Branches' encountered an error.
     Details <<<
    At line: 16 char:5. Exception calling "Get" with "1" argument(s): "Object reference not set to an instance of an object."

    function Convert-Int8ToDateTime($Request)
    {
        $MaxDays = 21

        $EvalDate = (Get-Date).AddDays($MaxDays)

        # $Request is the workflow request object; in this scheduled workflow it is null,
        # which is what produces the "Object reference not set" error above.
        $Int8 = $Request.get("accountExpires")
        # Use a real boolean: the string "FALSE" is truthy in PowerShell.
        $Return = $false

        if($Int8)
        {
            # accountExpires is an Int64 file time; compare it against today + 21 days.
            if([DateTime]::FromFileTimeUTC($Int8) -ge $EvalDate)
            {
                $Return = $true
                #throw "TRUE"
            }
        }

        return $Return
    }

  • Hi  

    You have two options

    1) Search for your users within the script you call, and then loop through each and perform the action you require, or

    2) If you are using the Search activity (FoundObject) step, and are putting an If/Else in, then you'd need to modify your code so that it executes against the foundobject, not $Request. Have a look at the SDK (Specifically "Retrieving data from a workflow context" and look at the FoundObject Method, IE: 

  • Thanks Stu. 

    I am going to go down the PowerShell route.

    I am just trying to knock something up that will pull the correct accounts.

    I have two accounts in the security group. I have one account that expires in 14 days and one that expires in 21 days. I am trying to get it to only return the accounts at day 14, but it's pulling in 14 and 21.

    The thing is, the date the account will expire is actually day 15 and not 14.

    Example: 14 days ago from today is the 15th of July, but the account will expire on the 16th at 00:00.

    Username AccountExpires
    -------- --------------
    USER1       22/07/2024 00:00:00
    USER2       16/07/2024 00:00:00

    I have played around with most if not all of the filters.

    Any suggestions? 

    # Specify the group
    $securityGroup = "GROUPNAME"
    
    # Calculate the date less than 14 days from now
    $expiryThreshold14 = (Get-Date).AddDays(-14)
    # Get members of the security group
    $groupMembers = Get-QADGroupMember -Identity $securityGroup
    
    # Loop through each member and check account expiration
    foreach ($user in $groupMembers) {
        # Get user details
        $userDetails = Get-QADUser -Identity $user.SamAccountName -IncludeAllProperties
        
        # Check if the account expiration date is set and compare it
        if ($userDetails.AccountExpires -ne [System.DateTime]::MaxValue) {
            if ($userDetails.AccountExpires -gt $expiryThreshold14 ) {
                
                # Output the user's details
                [PSCustomObject]@{
                    Username           = $userDetails.SamAccountName
                    AccountExpires     = $userDetails.AccountExpires
                }
            }
        }
    }
    

  • I have implemented the wiki item below so that I at least don't need to do the conversion.

    Populating a custom Virtual Attribute with a readable accountExpires timestamp using an Active Roles Policy Script.

    However, I still have the same issue.

    Updated PowerShell code below.

    # Connect Quest Active Roles
    Connect-QADService -Service "AR-SERVER-NAME" -Proxy
    
    $Groupname = "AD-GROUPNAME"
    
    # Calculate the date less than 14 days from now
    $expiryThreshold14 = (Get-Date).AddDays(-14)
    # Get members of the security group
    $groupMembers = Get-QADGroupMember -Identity $Groupname
    
    # Loop through each member and check account expiration
    foreach ($user in $groupMembers) {
        # Get user details, including the readable expiry virtual attribute
        $userDetails = Get-QADUser -Identity $user.SamAccountName -IncludedProperties edsvaAccountExpiresReadable

        # Check if the account expiration date is set and compare it
        if ($userDetails.edsvaAccountExpiresReadable -ge $expiryThreshold14 ) {

            # Output the user's details
            [PSCustomObject]@{
                Username           = $userDetails.SamAccountName
                AccountExpires     = $userDetails.edsvaAccountExpiresReadable
            }
        }
    }
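
    As an added example (not code from the thread or from Active Roles), here is the day-14/day-19 selection from the original plan with the midnight boundary handled: it compares calendar days rather than timestamps and treats the stored accountExpires value as the morning after the last valid day. It uses the same QAD cmdlets as the scripts above; the server and group names are placeholders, and the Int64 branch covers the raw value the first script read from $Request.

```powershell
# Added example. Assumes the Quest/Active Roles QAD cmdlets used in the thread;
# "AR-SERVER-NAME" and "AD-GROUPNAME" are placeholders to replace.
Connect-QADService -Service "AR-SERVER-NAME" -Proxy

$Groupname    = "AD-GROUPNAME"
$ReminderDays = @(14, 19)          # days-before-expiry at which the Keep/Delete mail goes out
$Today        = (Get-Date).Date    # whole calendar days, so 00:00 boundaries do not shift the count

function Get-DaysUntilExpiry {
    param($AccountExpires)
    if ($null -eq $AccountExpires) { return $null }

    # The value may be a raw Int64 file time (as read from $Request.Get("accountExpires"))
    # or a DateTime (as returned on the QADUser object / the readable VA).
    if ($AccountExpires -is [Int64]) {
        # 0 and Int64.MaxValue both mean "never expires" in Active Directory.
        if ($AccountExpires -eq 0 -or $AccountExpires -eq [Int64]::MaxValue) { return $null }
        $AccountExpires = [DateTime]::FromFileTimeUtc($AccountExpires).ToLocalTime()
    }
    elseif ($AccountExpires -eq [DateTime]::MaxValue) { return $null }

    # AD stores "expires at end of 15 July" as 16 July 00:00, so the last day the
    # account can log on is the day before the stored timestamp.
    $LastDay = $AccountExpires.Date.AddDays(-1)
    return ($LastDay - $Today).Days
}

$groupMembers = Get-QADGroupMember -Identity $Groupname
foreach ($user in $groupMembers) {
    $u    = Get-QADUser -Identity $user.SamAccountName -IncludedProperties accountExpires
    $days = Get-DaysUntilExpiry -AccountExpires $u.AccountExpires

    # Only the accounts sitting exactly on a reminder day are emitted, so a daily
    # run reports each account once per reminder instead of every day after it.
    if ($null -ne $days -and $ReminderDays -contains $days) {
        [PSCustomObject]@{
            Username       = $u.SamAccountName
            AccountExpires = $u.AccountExpires
            DaysRemaining  = $days
        }
    }
}
```

If the scheduled workflow can miss a day, match a range (for example 14 to 18 for the first reminder) and record the last reminder sent in a virtual attribute so the account is not mailed twice.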