Hi,
I have a workflow that finds inactive user accounts, this has two filters to exclude accounts that have "NODEL" in the comment filed, OR the account password is set to never expire, but the password expiration filter does not seem to be working.
Workflow - Find Inactive Users:
Find: Inactive Accounts In: Users (domain.net/Users)
Search Options
Retrieve these account Types: Users
Retrieve accounts that meet any of these conditions:
Account has not logged on in the past 120 days
Account's password has not changed in the past 120 days
Account expired more than 30 days before the current date
Filter:
OR group (any of these conditions is true):
Description (description) does not contain "NODEL"
Password Never Expires (edsaPasswordNeverExpires) does not equal True
From the workflow history:
Filter: (&)|(!description=*NODEL*))(!(esdaPasswordNeverExpires=True)))(&(sAMAccount=805306368)(|(|(&(!(lastLogonTimeStamp=*))(whenCreated<=20180718033000.0Z))(lastLogonTimeStamp<=131763582005507498))(&(pwsLastSet>=1)(pwdLastSet<=131763582005507498))(&(accountExpires>=1)(accountExpires<=131841342005507498)))))
On an account that was deprovisioned, I have checked via Powershell that the account is set to never expire (True) and via ActiveRoles, the Password expires is set to Never.
Can anyone shed any light as to why it is deprovisioning accounts that have their passwords set to never expire please?
Regards,
John