I've been running this AD driver for several years. I set the
accountExpires attribute in the AD driver to a calculated date about
one year after the student graduates.
When I look at the Account tab of the user object in AD, the Account
Expires field shows the correct date, but the radio button is still
set to Never.
I had not noticed this before, but now they're telling me the users
can still log in to AD even after the account expiration date.
I thought all I had to do was set the accountExpires attribute to the
correct date and that would take care of it.
As I recall, when I first did this driver AD would kick back a Login
Disabled when it got the accountExpires attribute, even though it was
set to a future time. To avoid this, I set the Login Disabled
attribute to Reset in the Publisher channel. (All disables should come
from the vault anyway.)
I can't find anything telling me there's something else to set.
Any ideas what I'm doing wrong?