Account Expiration mechanic Active Directory

active-directory user-accounts

This is probably very simple but I have been searching for a while and cannot seem to find the answer I need.

I am basically wondering what the switch to set the "Account Expires End of:" option in AD Users and Computers does? Does it just expire the password or does it disable the account?

Also, is this likely to conflict with a "Password Never Expires" setting?

Best Answer

It means the account cannot log on starting the day after the expiry date. The password is unaffected. The password will be the same after the account is unlocked.

As soon as an administrator removes or extends the expiry date, the account can be used again. It does not get flagged as locked or so.

"Password never expires" has no influence on this mechanic, and vice versa.

Most account status info is in the attribute userAccountControl, which is actually a bitfield, as described here: http://support.microsoft.com/kb/305144/en-us

But "Account Expires" has its own field, and is calculated separately.
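The separation described in the answer above, as an added example that is not part of the original answer: it decodes raw `userAccountControl` and `accountExpires` values and shows that expiry is evaluated independently of the bitfield. The function names and sample values are constructed for illustration; the bit values and the `accountExpires` encoding (100-nanosecond intervals since 1601-01-01 UTC, with `0` or `0x7FFFFFFFFFFFFFFF` meaning "never") follow Microsoft's documentation.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (from the Microsoft KB article the answer links to)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# accountExpires is a separate attribute; these two values mean "never expires"
NEVER = (0, 0x7FFFFFFFFFFFFFFF)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def account_expiry(account_expires):
    """Decode accountExpires to an aware UTC datetime, or None for 'never'."""
    if account_expires in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=account_expires // 10)


def to_filetime(dt):
    """Encode an aware datetime as 100-ns intervals since 1601-01-01 UTC."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def account_state(uac, account_expires, now):
    """Report the bitfield flags and the expiry status side by side."""
    expiry = account_expiry(account_expires)
    return {
        "disabled": bool(uac & ACCOUNTDISABLE),
        "password_never_expires": bool(uac & DONT_EXPIRE_PASSWORD),
        # Assumption of this example: expired once 'now' reaches the stored instant.
        "account_expired": expiry is not None and now >= expiry,
        "expires_at": expiry,
    }


if __name__ == "__main__":
    # Constructed sample: enabled account, "Password never expires" set, expiry in the past.
    now = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)
    uac = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    expired = to_filetime(datetime(2024, 6, 1, tzinfo=timezone.utc))
    print(account_state(uac, expired, now))  # expired, yet not flagged disabled
    print(account_state(uac, 0, now))        # expiry cleared: usable, same bitfield
```

When auditing stale accounts, check both attributes: an expired account still shows as enabled in `userAccountControl`, so a filter on the disabled bit alone will miss it.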