Sunday, April 27, 2008

Setting account expiration in Windows XP

I ran into a problem yesterday with my Windows installation. Since this is a laptop that is not part of an Active Directory Domain, has the Administrator account disabled and only has one other local account with Local Admin privileges, I ran into a problem when Windows informed me that my account had expired.

The problem is that I had a whole bunch of EFS-encrypted files in that account, without having backed up the EFS-certificate. The only option that I thought would provide me with a quick fix was to reboot from a Backtrack CD to re-enable the Administrator account and blow out the password on the Administrator account. Removing the account of the other user would not have worked, but even worse, it would have made all my EFS-encrypted files

After having regained access to the Administrator account, I started messing around with clicking on all kinds of stuff, and even playing with some wmic-voodoo.

All to no avail.

As with most operating systems, Windows separates account expiration from password expiration. Resetting the password expiration was easy, but resetting the account expiration on a stand-alone Windows machine does not seem to be possible with out-of-the-box Windows tools. Even a tweet for attention did not yield the result I was looking for.

After doing quite some head-banging and even more research, I found a command-line tool called AccExp. AccExp can set or reset the account expiration of a local Windows user, or a user in an Active Directory.

Lesson 1: If using EFS, back up your certificate. Instructions.
Lesson 2: Account expiration cannot be reset using an out-of-the-box Windows. Additional tools, such as AccExp, are required.
Lesson 3: Windows will not expire an account while you are logged in; even going to standby/hibernate does not include an account expiration check. Windows will only check when you log on to an account.

PS: Yes, I know this Windows laptop is configured pretty much as far removed from best-practices as possible.
