Hi list, I realize I'm trying to use the ppolicy overlay a little differently from how it was designed to be used. The problem is that the ppolicy overlay is the closest thing I have found. My use case: 1) I want to be able to disable users. I can do this by setting: pwdAccountLockedTime: 000001010000Z That works. Great! 2) I want to be able to set a date in the future when a user account will expire / deactivate. I was hoping to be able to set "pwdAccountLockedTime" to a date in the future and after that date the user account would be locked. Unfortunately this isn't the case. ppolicy seems to lock out every account that has the "pwdAccountLockedTime" attribute set to a valid value. Reading the source code for ppolicy I find an interesting block in the function "account_locked()" at line 356: /* Still in the future? not yet in effect */ if (now < then) return 0; This leads me to believe that the author's intension may have been to allow what I want to do. Perhaps is there another attribute I need to set in order to tweek ppolicy to do wat I want. Here's how the default policy looks like: dn: cn=passwordDefault,ou=Policies,ou=local objectClass: pwdPolicy objectClass: person objectClass: top cn: passwordDefault sn: passwordDefault pwdAttribute: userPassword pwdCheckQuality: 0 pwdMinAge: 0 pwdMaxAge: 0 pwdMinLength: 0 pwdInHistory: 0 pwdMaxFailure: 0 pwdFailureCountInterval: 0 pwdLockout: TRUE pwdLockoutDuration: 0 pwdAllowUserChange: FALSE pwdExpireWarning: 0 pwdGraceAuthNLimit: 0 pwdMustChange: FALSE pwdSafeModify: FALSE All help greatly appreciated! TIA, Mikael