Test Scenario - Extending accountExpires attribute of a domain user

Overview

The User accountExpires Attribute feature allows systems administrators to secure their Active Directory environment by expiring dormant user accounts. The user account obsolescence criterion is based on interactive logon activity.

When this feature is enabled, the user accounts in scope will have their accountExpires attribute extended by a specified number of days (the default is 30 days). This default value can be changed using the "Extend User Account Validity Period" setting. You can also set a date limit until which the user account validity can be extended.

 

Prerequisites

  • Supported Microsoft Windows Operating System
    • Microsoft Windows XP SP3 or 
    • Microsoft Windows 7.0 SP1 or 
    • Microsoft Windows 8.0 or 8.1
  • .NET Framework 
    • .NET Framework 4.0 for SYNERGIX AD Client Extensions 2014
  • Domain Membership in Microsoft Active Directory domain
  • Microsoft Outlook or other email client for Microsoft(R) Windows(TM)
  • SYNERGIX AD Client Extensions 2013

 

Active Directory Domain Environment

  • Single Active Directory domain environment, i.e. a single forest with the forest root domain only, for example F10.LOCAL
    • You can set up a more complex Active Directory domain environment, if needed. For example, one forest F10.LOCAL with child domains D10.F10.LOCAL, D11.F10.LOCAL and D12.F10.LOCAL and a trusted forest F20.LOCAL with child domains D20.F20.LOCAL, D21.F20.LOCAL and D22.F20.LOCAL
  • Security Group(s)
    • Create a security group called "SYNERGIX ADCE Managed Computers".  The group type may be Domain Global Group or Domain Local Group.
    • Add the test domain computer(s) into the security group "SYNERGIX ADCE Managed Computers"
    • SYNERGIX ADCE Managed User Attributes - Apply accountExpires (users should be members of this security group).

Delegate Control

You must ensure that you have granted "SYNERGIX ADCE Managed Computers" the 'Read accountExpires' and 'Write accountExpires' permissions on all the user objects that fall within the scope of the security group (SYNERGIX ADCE Managed User Attributes - Apply accountExpires).

  • Configure domain Group Policy Object
    • Copy the SYNERGIX AD Client Extensions Administrative Template file SYNERGIX-ADCE.ADMX to %SystemRoot%\PolicyDefinitions on the admin workstation (must be Windows 7.0)
    • Copy the SYNERGIX AD Client Extensions Administrative Template Language file SYNERGIX-ADCE.ADML to %SystemRoot%\PolicyDefinitions\en-US on the same admin workstation (must be Windows 7.0)
    • Using GPMC.MSC, edit an existing or new Group Policy Object.
  • Launch GPMC.MSC
  • Select the Group Policy Object. Right mouse click on it and edit the GPO.
  • Expand Computer Configuration
  • Expand Policies
  • Expand Administrative Templates
  • Expand Synergix AD Client Extensions
  • Expand Account Attributes
  • Select User Account Attributes
  • Select User accountExpires attribute. Enable the feature
  • You may define the scope of this policy by ...
    1. Specifying a domain security group and
    2. By targeting user accounts that never expire and/or
    3. By targeting user accounts that expire.
  • Select the Month and Year for the User Account to be extended

 

Procedure

  • Log into a domain computer with the domain account (your admin account) that has local administrative privileges on the workstation.
  • Ensure the SYNERGIX AD Client Extensions specific Group Policy settings were applied
    • Launch RSOP.MSC or run GPRESULT.EXE /v to confirm
  • Install SYNERGIX AD Client Extensions software
  • After the software is successfully installed, double click on the orange icon in the system tray.  
  • Select My account and view the Account Status.  It will show the current accountExpires attribute value.
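
To judge Pass or Fail against the directory rather than the tray display alone, the following added example (not part of the original test plan and not SYNERGIX code) decodes raw accountExpires values and compares a reading taken before the policy applied with one taken after. It assumes the extension is measured from the previous expiry date; the function names, the sample dates and the 'testuser' account are hypothetical.

```powershell
# Added example (not vendor code). accountExpires holds 100-ns intervals since
# 1601-01-01 UTC; 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires".
function ConvertFrom-AccountExpires {
    param([Parameter(Mandatory=$true)][Int64]$Raw)
    if ($Raw -eq 0 -or $Raw -eq [Int64]::MaxValue) { return $null }  # never expires
    [DateTime]::FromFileTimeUtc($Raw)
}

# Compare a reading taken before the policy applied with one taken after.
# Assumption: the extension is measured from the previous expiry date.
function Compare-AccountExpires {
    param(
        [Parameter(Mandatory=$true)][Int64]$Before,
        [Parameter(Mandatory=$true)][Int64]$After,
        [int]$ExpectedDays = 30          # default extension stated on this page
    )
    $b = ConvertFrom-AccountExpires -Raw $Before
    $a = ConvertFrom-AccountExpires -Raw $After
    $beforeText = 'Never'; $afterText = 'Never'; $delta = $null
    if ($null -ne $b) { $beforeText = $b.ToString('u') }
    if ($null -ne $a) { $afterText  = $a.ToString('u') }
    # A day count only exists when both readings are real dates.
    if ($null -ne $b -and $null -ne $a) {
        $delta = [math]::Round(($a - $b).TotalDays, 2)
    }
    New-Object PSObject -Property @{
        BeforeUtc  = $beforeText
        AfterUtc   = $afterText
        DeltaDays  = $delta
        AsExpected = ($null -ne $delta -and $delta -eq $ExpectedDays)
    }
}

# Constructed sample readings (not taken from a real directory).
$t0     = [DateTime]::SpecifyKind([DateTime]'2025-01-31', [DateTimeKind]::Utc)
$before = $t0.ToFileTimeUtc()
$after  = $t0.AddDays(30).ToFileTimeUtc()

Compare-AccountExpires -Before $before -After $after               # dated account
Compare-AccountExpires -Before ([Int64]::MaxValue) -After $after   # was never-expiring

# Live reading, on a machine with the ActiveDirectory module installed
# ('testuser' is a hypothetical account name):
# (Get-ADUser -Identity 'testuser' -Properties accountExpires).accountExpires
```

For an account that never expired before the policy applied, DeltaDays is empty, so compare AfterUtc with the configured date limit by hand.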

 

Test Results

  • Pass or
  • Fail

 

Test Result Submission

  1. Complete the Test Environment worksheet
  2. Upload test results document file to software test repository
  3. Upload log files
    1. ServiceLogfile.txt
    2. ClientLogfile.txt
    3. Output of the GPRESULT.EXE /V command
Note: You must use the ADCE \ Help \ Submit Log Files button to zip up the above 3 files and submit them.
 
 

References

N/A

 
