AD account expired vs disabled

We are also using Azure AD Connect, which also has the box checked for password to never expire, though that shouldn't matter since the AD GP should override it. After the account is deleted in AD it still takes some time to sync this deletion towards AAD. Mar 17, 2025 · Learn about Active Directory account expiration dates, their benefits, and how to manage them efficiently. These flags can also be used to request or change the status of an account. We recommend using a scheduled PowerShell script that disables users' AD accounts, once they expire (use the Set-ADUser cmdlet). By default, passwords are set to never expire for your organization Jan 28, 2021 · The reason for this is, that AAD Connect picks up changes from the on-prem AD and the AccountExpires attribute is a static attribute, where you can configure a dateTime (as ticks), when the account should expire. Nov 19, 2020 · I am learning the concepts of Active Directory. Test user's domain joined computer was restarted using remote software. Machine account passwords as such do not expire in Active Directory. Sep 18, 2017 · Azure Automation Runbook: Configure an OMS / Azure Automation Hybrid Worker on your domain controller or another server with an appropriate “run as account”. The server needs to have the Active Directory PowerShell Module installed. Import the runbook “Disable expired accounts in Active Directory” from the Azure runbook gallery. Description The Search-ADAccount cmdlet retrieves one or more user, computer, or service accounts that meet the criteria specified by the parameters. A1: The machine account password change is initiated by the computer every 30 days by default.
Our users are notified a week before the account locks (AD), but they rarely mind changing Jul 10, 2025 · Identity Nugget – Bringing On-Prem AD Password Expiry and Force Reset to Entra ID Synced Accounts This is 2025 and going Passwordless or using long-lived (365 days) passwords is the recommendation. They Feb 21, 2025 · Expired accounts are temporarily locked, perhaps a contract has ceased but the user may need an extension, an expiration date can lock the account pending approval to extend. Sep 15, 2021 · Whenever you create any user in AD (group), by default the user is set to never expire. How to fix repeatedly locked-out AD User? Thanks… Sep 7, 2023 · To get ad users to exclude disabled accounts from Active Directory, use the Get-AdUser cmdlet in PowerShell. No, AD Account Expiration has nothing to do with passwords. I have checked proxy, checked credential manager windows, reconnected work or school account, and disconnected mapped drives for locked-out AD. The account expiration allows you to specify account expires at the end of X date. For example, you can search for all accounts that have expired by specifying the AccountExpired parameter. Sep 24, 2020 · If you have a password expiration policy configured in your on-premises environment, it is not synced to Entra ID by default. once a week/month/year? (e. PowerShell command for disabled user with their expiry date. The date when the account expires. Oct 29, 2023 · Hello all. If this date is reached then the account is expired, but there is no change on the object itself. Accounts are enabled or disabled, and that's it. Get reports on Active Directory user account status, including account expired users, disabled users, and locked-out users, and export them in multiple formats.
That is, the Active Directory Users and Computers MMC snap-in will display the account expiration date as one day earlier than the date contained in the accountExpires attribute. Why do Active Directory account lockouts happen? Find out common causes, troubleshooting tips, and best practices for preventing them. From the Attribute editor for that user, is there any attribute which tells me that this account is disabled? A user account that is expired and a user account that is disabled and a password that is expired are three very different things. This allows them to still have access to data/email/teams/etc when they are no longer contracting. Open the user properties and go to the Attribute Editor tab. Aug 16, 2023 · Regularly check for and remove inactive user accounts in the Active Directory - Microsoft Engage Center (Services Hub) Learn about regularly checking for and removing inactive user accounts in the Active Directory. Disabling an AD account does not do anything to the Exchange Mailbox. Any template can be set to expire within a fixed time interval. For example, a secret template for Active Directory accounts might require a change on the password text field every 90 days. Honestly, I don’t understand the thinking of never removing anything from AD. Recently I learned the difference in Account lockout, expiry and disable. This script is a simple solution for disabling accounts that are expired in the Active Directory. You can identify a user or group by its distinguished name, GUID, security identifier (SID), or Security Accounts Manager (SAM What should you do with expired and revoked certificates appearing in your Active Directory Certificate Authority (AD CA)? Determine if anything was using them and was impacted? Oct 29, 2015 · Organizations often have user accounts that are configured to expire.
Jan 24, 2020 · It seems like you want to determine the account expiration status of a subset of users. Dec 27, 2024 · When DisablePasswordExpiration is applied to a user in Microsoft Entra ID, the UserAccountControl value for the synchronized user in the managed domain has DONT_EXPIRE_PASSWORD applied. From this guide, you will learn how to enable, disable and set an expiration period for a user account in Active Directory domain. Test user can still login to their computer with… The userAccountControl attribute contains a set of flags that define the status of a user account in Active Directory. To specify an exact time, use the DateTime parameter. A disabled account is more permanent, this is used when an employee leaves, is off long-term or is terminated. By automating the tasks of disabling accounts, moving them to a dedicated OU, and sending email notifications, you can enhance user account management and improve the security of your organization’s IT environment. The Identity parameter specifies the user or computer account to modify. Feb 4, 2025 · Our organization has an on-premises Active Directory (AD) integrated with Azure AD Connect and Single Sign-On (SSO) configured, including the password write-back option. Aug 21, 2020 · The Active Directory Users and Computers MMC snap-in displays the date that the account will expire at the end of. The problem with the way this works, is that technically the account is still "enabled" - as it's not actually "disabled" - it's simply expired. Apr 17, 2024 · Hybrid environment: On-prem AD either pushes or pulls so that it corresponds with users. Administrators typically set passwords and accounts to expire after a given period to safeguard information.
We usually disable accounts when staff leave, then delete after a period of t… Hi, I'm trying to create a script which will disable the expired accounts inside an OU. To set the account expiration date, set the IADsUser.AccountExpirationDate property to the desired date value. Account expiration is a set point in time, after which the account expires - same effect as disabling an account. Any suggestions? We Sync AD and HR data via a PowerShell script but The Disable-ADAccount PowerShell cmdlet is used to disable user, computer, and service accounts in an Active Directory domain. You could try account expiration vs disabling. This issue, which is external to ALM, traces back to a purely abstract linguistics problem that has confounded the software industry from its earliest days. The "not reusing usernames" thing sounds like cargo cult system administration to me. You can identify an account by its distinguished name, GUID, security identifier (SID), or Oct 17, 2019 · AD - Account Lockout vs Disabled Disabling an account in AD isn't instant, but a lockout is. Improve security with our guide. The code below should help get you closer to your goal. Jan 25, 2023 · As a result, an expired Active Directory account in an environment configured for password hash synchronization will still be active in Azure AD. This is common for consultants, summer workers, holiday workers, and others. They are effectively the same. To search for all accounts that expire before December 31, 2012, set the -DateTime parameter to "12/31/2012". I have a question. If that is true, what are my options for handling AD Account locks and unlocks? The Clear-ADAccountExpiration cmdlet clears the expiration date for an Active Directory user or computer account. A user account never expires without administrative action, whether the user is regularly logging on to the domain or not.
While we can sync and block access if the account is disabled, but when it comes to contractors you are not always told when a contract has ended and their account stays enabled. Isn't locking/disabling account the same? If your account expired, why not remove it from the DB and be satisfied with a "User not found" exception? How can credentials expire? Does it mean temporary passwords? An old password? The Set-ADAccountExpiration cmdlet sets the expiration time for a user, computer, or service account. Sep 18, 2017 · Disable expired accounts in Active Directory. The Identity parameter specifies the Active Directory account to modify. SMARTCARD_REQUIRED - When this flag is set, it forces the user to log on by using a smart card. Provisioning from AD is via Microsoft Entra Connect sync with Password Hash Sync enabled, also using WHfB Key trust (latest possible config). Feb 22, 2024 · The Net User command in the Windows CMD manages local and remote user accounts efficiently. Is this possible to explicitly configure in AAD Connect to sync disable/delete activities in realtime? Feb 17, 2025 · In this article, I’ll show you how to disable the password never expires flag for multiple Active Directory users. This creates a scenario where a user can continue working and accessing company resources when authenticating against Entra ID, even though their password has expired in the on-premises AD. Administrators do this so user access is automatically disabled after a specified date. Dec 12, 2013 · Notice that in Active Directory Users and Computers (ADUC) when setting the expiration of a user account, there's only a way to have the account expire at the … Jul 1, 2021 · Users are one of the most popular objects in AD. In fact, an account with an account expiration in the past is not "disabled" (UAC "disabled" bit set).
Account Expiration In Active Directory Users and Computers you can specify the date when a user account expires on the "Account" tab of the user properties dialog. This means the user cannot log in or access any resources until the account is re-enabled. Do you prefer to set reminders to disable accounts or set expiration dates? or both? For accounts with expiration dates, do you still disable accounts? if so, when? the day the account expires. an account which was disabled More so, most of these seem the same, or redundant. Thank you in advance for your help Sep 27, 2022 · I have a GPO set up to have passwords never expire on the DC (Server 2019). Apr 13, 2021 · The example is an external consultant that in a project has a limited time on the AD Account, and in an on-prem environment, an expired account = a blocked account. And then both accounts will remain until you delete the user in AD, at the next sync that account will be removed in Azure. May 12, 2015 · But I'd like to know if a disabled account is the same as an expired account in terms of accessibility to the domain. That’s my understanding, can someone confirm? What I’m trying to confirm is that disabled users in AD, the Azure account is not deleted Disable accounts within [Assignment: organization-defined time period] when the accounts: Have expired; Are no longer associated with a user or individual; Are in violation of organizational policy; or Have been inactive for [Assignment: organization-defined time period]. We've set a password expiration policy of 90 days at the organizational level in… Jun 8, 2016 · Hello guys so I am working on trying to understand how to push out a group policy to turn off password never expires to all domain users. Authentication fails, even after the password is reset.
Learn the key difference between disabled, expired, and locked out user accounts in Windows Active Directory. Each category serves a distinct purpose in user Learn the best practices for disabling Active Directory (AD) users, including regularly reviewing and cleaning up disabled accounts and knowing when to disable or delete. Account expiry just isn't a concept that exists in Azure AD, or almost any other cloud IdP. Apr 9, 2025 · As a result, an expired Active Directory account in an environment configured for password hash synchronization will still be active in Microsoft Entra ID. The Identity parameter specifies the Active Directory user, computer service account, or other service account that you want to disable. Jul 15, 2020 · Hi, Thank you for posting in our TechNet forum. Mar 19, 2025 · The difference between a Disabled user, Deleted Exchange mailbox, and Deleted user If you disable a user, the Active Directory object remains untouched together with the mailbox data and properties (including forwarding settings and full access), but you will not be able to access any mailbox data directly, using that user's credentials. Nov 25, 2024 · Managing Disabled Active Directory Accounts with Third-Party Tools While the Active Directory Users and Computers (ADUC) console and PowerShell provide native methods for disabling AD user accounts, third-party tools can offer a more streamlined and feature-rich experience. This attribute determines the status of the account in the AD domain: whether the account is active or locked, whether the option of password change at the next logon is enabled, whether users can change their passwords, etc. As above, if you disable a user in Active Directory, once it syncs, it will disable the user in Azure, is that correct?
Account is locked out means that the account got locked by AD for exceeding the allowed number of failed logon attempts. Test user Microsoft Azure AD account has been disabled and sessions revoked through Microsoft Azure. I've yet to see a sync tool that by default translates an expired AD account to a disabled cloud account (GCDS users take note). Jul 3, 2014 · If the user tries to logon they’ll get a message saying that the account has expired. If you have done an audit of your AD user accounts, you may have several accounts like the screenshot below. Nov 4, 2020 · Let me know if there's a solution within Password Hash Sync method only to set the user status as Disabled if user account expired in on-prem AD. Our guide provides an in-depth explanation of why and how to implement expiration dates for user accounts in AD. MNS_LOGON_ACCOUNT - This is an MNS logon account. What're people currently doing with regard to old AD accounts? Disable and leave in AD or eventually delete? The background to the question: I'm in a… In the past there was a Microsoft tech article recommending that accounts with expired passwords be disabled. The act of disabling an account invalidates the tokens preventing access once the password is expired. Accounts configured to never expire may have either value, depending on whether they were originally configured with an expiration value, with 0x7FFFFFFFFFFFFFFF Oct 10, 2025 · Learn to regularly check for and remove inactive user accounts in the Active Directory because they are a security risk and consume reclaimable database space. When you change the account expiration date, it has no effect on the user's password. In the other words, if I had to avoid the access to the domain resources for a user account, disabling and expiring have the same effect? Thank you.
The script was developed to block sign in for accounts synchronized to Azure Active Directory (Microsoft Office 365) that use Password Hash Synchronization. Track user account expiry dates in Active Directory to prevent login disruptions, review upcoming expirations, and extend expiration dates for seamless access management. In our org we have the process of expiring accounts and then for any accounts that have been expired for 2 weeks we disable them. Thanks for your suggestion. In this article we go through the individual states of user accounts in… The Search-ADAccount cmdlet has switches -AccountDisabled, -AccountExpired and -AccountInactive; the results of which may not be mutually exclusive nor inclusive. Then I was wondering if we change the maximum password age then does that reset everyone’s day count to 0 after change? Any help is much appreciated. We recommend that if the account is expired, a workflow action should trigger a PowerShell script that disables the user’s Azure AD account (use the Set-AzureADUser cmdlet). For a secret to expire, a text field must be selected as the target of the expiration. Nov 25, 2022 · I want to disable an AD user at a specific time like 11.30 am automatically. Feb 16, 2021 · Is there a user attribute anywhere in AD which captures the date and time an account was disabled? Or any other way of verifying such information. Dec 22, 2023 · Hi Expert team How we can sync Expired date on Entra ID and release o365 licence ? We have many accounts expired but still using a licence. X days after the account expires. Description The Disable-ADAccount cmdlet disables an Active Directory user, computer, or service account. Then exclude the bucket in your script. For the purposes of a standalone Entra ID configuration, the default is indeed that passwords will not expire if the tenant was created after 2021. I've generated a script to do this.
Seamless single Sign-on is enabled, note that Federation and PTA are DISABLED. Account is expired means that the date in the Account Expires property is already in the past. You can pull the users that have set the expiration date manually. Consider implementing this feature if you want the password expiration to be I generated an output of all users defined on the AD on 6/12, and noticed that several users had accounts set to expire on 6/10. Keep accounts up to date with ease. Sep 19, 2023 · I have a customer account on AAD that is in a "disabled" state, and I can't figure out how to reenable, or how to find someone with permission to do it. This value represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). Apr 8, 2025 · What happens when an Active Directory account expires? When an Active Directory account expires, the account becomes disabled, restricting user access and preventing login. Jul 30, 2018 · Overview of ways to lock, unlock, enable and disable AD accounts with PowerShell, plus general considerations for security and daily operations. Jan 5, 2012 · I am basically wondering what the switch to set the "Account Expires End of:" option in AD Users and Computers does? Does it just expire the password or does it disable the account? The AccountExpires value changes to 0 for never expire.
I can disable user manually with the below command Disable-ADAccount -Identity username and also set the expiry dat The Active Directory attribute userAccountControl contains a range of flags which define some important basic properties of a user object. Jan 21, 2013 · SERVER_TRUST_ACCOUNT - This is a computer account for a domain controller that is a member of this domain. Find the userAccountControl attribute. Disabled accounts cannot be used to log on to the domain, even if the user knows the account’s password and it has not expired. Sep 18, 2009 · Shouldn't the "Account Expires" option automatically disable the account after the date we provide? I have set an account to expire on a certain date but I found that the account is still active or "enabled" after that period and I had to disable it manually! Oct 12, 2016 · I’d rather have a tidy AD with few dormant disabled accounts than keeping them all for what-if scenarios that don’t happen. Oct 4, 2021 · What would really be nice is if we could sync from On-Premises Active Directory to Azure AD the account expiration date. Stale user accounts can be considered a security risk, and having to wade through hundreds of unused accounts to find the one you need to work with would be a nightmare. User permissions in an AD aren't internally assigned to a username but to the user object's Security IDentifier (SID), which for all intents and purposes is unique. Mar 10, 2022 · Dear experts, when user try to change his domain account password, it shows "the user accounts has expired". To specify a time period from the current time, use the TimeSpan parameter. Plus, get a free trial of Auditor to try it for yourself. between enabled, locked or disabled accounts. Feb 21, 2025 · As I understand it, disabling and expiring an AD user account has the same end result, but presents a slightly different message to the user.
The Get-AdUser command has an Enabled property that indicates whether the user is enabled or disabled. A distinction is made, e.g. When you clear the expiration date for an account, the account does not expire. Search criteria include account and password status. Apr 1, 2017 · These values consist of the previously mentioned enabled normal account and disabled normal account, but with the PASSWD_NOTREQD value of 32 added. disable all expired accounts once a month)? Apr 26, 2024 · Account is disabled means that the corresponding flag is set in the Account Options property of the user. Aug 23, 2024 · Learn how to manage Active Directory account expiration dates effectively to enhance security and streamline user management. when I check the account property, it shows never expire. Obviously with email access this isn't ideal as for 2 weeks users can still access their emails if configured in Outlook etc. Then you want to disable the users who have already expired. These accounts are sync'ed up to Azure using AAD. AccountExpires value is always a FileTime value of 132789024000000000 UNLESS you modify a user to expire at which point. This date is stored in the accountExpires attribute of the user object. It doesn't seem to have synced up correctly with Azure AD. (Please don't suggest on switching to ADFS or PassThrough Authentication I'm aware of their capabilities) Sep 7, 2016 · Dealing With The AccountExpires Date in Active Directory – With PowerShell by Darren Mar-Elia | Sep 7, 2016 | AD, General Stuff, PowerShell | 9 comments By now most of us are aware that Active Directory dates are not the easiest bits of data to deal with. As the admin, you can make user passwords expire after a certain number of days, or set passwords to never expire.
The command Net User allows you to create, delete, enable, or disable users on the system and set passwords for the net user Learn how to detect and resolve Microsoft Entra user accounts that are inactive or obsolete using the Microsoft Entra admin center and Microsoft Graph. DONT_EXPIRE_PASSWD - Represents the password, which should never expire on the account. Secret Expiration Secret expiration is a core Secret Server feature. But, now is still locked-out. Disabled accounts are easily identified within Active Directory Users & Computers Feb 22, 2024 · When it comes to managing user objects in Active Directory, it’s essential to distinguish between “expired” and “disabled” user objects. Gaining access Aug 28, 2023 · Learn how to set an account expiration date in Active Directory for better user management. However in the output the account status for these users still showed as 'Enabled.' Aug 14, 2024 · What is the Difference Between Disabled and Expired AD Account? A disabled AD account is manually turned off by an administrator, making it immediately inactive. May 14, 2018 · All of our Email Resource Accounts have their AD accounts disabled and still receive email. Sep 25, 2023 · This is a huge security issue. The userAccountControl value can be viewed in the Active Directory Users and Computers (ADUC) graphical snap-in. Dec 3, 2013 · Account expiration and password expiration is not the same thing. We do have an internal process of emergency ad account deletion. Feb 17, 2020 · In addition to disabled and inactive accounts, cleanup administrators should look for Active Directory user accounts and passwords that have expired. Jul 1, 2021 · From this guide you will learn how to enable, disable and set expiration period for a user account in Active Directory domain.
Oct 6, 2022 · I am currently dealing with an issue where one of my user's accounts expired on our prem solution (which should be synced with AD through AD Connect), but they can still access their email, teams, and all that good stuff. Aug 21, 2019 · Good Morning folks I have a rather interesting problem today, 1 user is experiencing a problem where their account keeps expiring, properties → account → expiry date at the bottom, the account keeps being set to 9 August 2019 but when we try to set it to never or another date it just reverts within 30 seconds to a minute. Expired accounts happen automatically, disabled accounts are manual (excluding scripts). It enables the creation, deletion, activation, and deactivation of accounts, along with password management and user-specific configurations like home directories and login times. I wrote a script that runs daily and if a password is 5-days past expiration we disable the account. I haven't tracked exactly how long it is, but our passwords still expire. May 10, 2013 · If they are just disabled, then you can enable the account later and you don’t have to recreate group memberships etc. I disable all accounts for 30 days after a person has gone. Learn how to check if AD user account is disabled with PowerShell compared to Netwrix Auditor. Should AD user accounts of shared mailboxes be disabled in a hybrid environment? Working with a client that has shared mailboxes in O365, but the corresponding AD user accounts on-premise are enabled. This article is for people who set password expiration policy for a business, school, or nonprofit Microsoft 365 organization. It May 23, 2023 · In this guide, I share my Active Directory Cleanup Best Practices.
This is the same process I used for years working in medium and large Active Directory environments to keep AD nice and clean. A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires. But how can I then remove… Oct 5, 2021 · Active Directory has the ability to set an expiration date on accounts so that the account becomes inactive and can't be accessed/logged into once this date has passed. May 21, 2020 · Hi All one of my users active directory account is disabled. Can someone help with this issue or throw some suggestions my way AD Account Expiration Dates When working with account expiration dates in Active Directory, you may notice that Active Directory accounts do not always expire when it seems they should. In other words I would say you take bigger risks keeping outdated and disabled user accounts than keeping your various namespaces clear for when Aug 13, 2023 · UserAccountControl is one of the most important attributes of user and computer accounts in Active Directory. I routinely add customers, and this is the first time one has ended up in a disabled state that I can't fix. A frequent question is what the difference actually is between a locked and a disabled AD user account. In the case of Active Directory, the problem shows up Nov 17, 2021 · Active Directory user objects can be in various states. Find all users, computers and service accounts that are disabled: How does account lockout work with Azure AD Connect and synchronizing your on-prem AD to Azure AD? If my AD account gets locked, can I still sign into Azure AD with the same creds? I'm guessing the answer is "it depends on how you have Azure AD Connect configured". Sometimes the replacement needs stuff from the account, I enabled the account, reset the password, and renamed the account, that way it was good to go again.
Q1: What will happen to computer objects if it is no longer connected to the network for a very long time? Computer accounts need to reset its password to the domain controller. Accounts with the “Password never expires” option enabled are a security nightmare. Feb 22, 2024 · This PowerShell script simplifies the process of finding and managing disabled user accounts in Active Directory. That date won’t tick the “account disabled” box because the account is not disabled but expired. Mar 17, 2025 · One important feature that can significantly enhance security and compliance is setting account expiration dates for Active Directory accounts. Jan 17, 2025 · Solution: Run a script to either set the expired account to disabled, or move expired accounts to a separate OU Firstly, since we know that Microsoft 365 recognizes accounts that are Disabled, to address the problem we can run a PowerShell script that automatically sets the expired account to disabled in Active Directory. 544 = 512 (NORMAL_ACCOUNT) + 32 (PASSWD_NOTREQD) Oct 21, 2025 · Do you want to know what an active directory account lockout is? In this guide we have prepared all the important elements for you. Apr 5, 2021 · One thing you could do is to create a new bucket and move all the disabled accounts into that bucket. Jan 15, 2025 · Describes information about using the UserAccountControl attribute to manipulate user account properties. Or you could do a PowerShell scheduled task. My question is all these types are doing the same thing but the purpose is Aug 20, 2024 · Learn everything you need to know about AD account expiration and explore some simple scripts and tools to automate account management. There is a need to stay on top of these accounts so that expired accounts can be purged, and soon-to-expire accounts can be tracked and managed.