I don't believe there is a Windows event created when an account just naturally expires. There are event IDs for events where Accounts are Disabled, but there does not appear to be a distinction as to whether this happens naturally or by user intervention. I suppose if an account is disabled by a system account, that might be an expiration.
If you want to explore those, the 2000/XP/2003 Security log ID is 629.
The 2008 Security log ID for this is 4725.
The 624/4720 event does show if there is an account expiration set when the account expires. You could use this to see when accounts expire.
Better though to use the failed login message 532/4625 which is a failure due to user account expired.
Ah, I see what you are saying, Paul.
I was confused when you said 624/4720 because those are account creation events, but you were saying that they actually contain the data that says when they are set to expire.
I think Efraim is looking for an actual event that occurs at the time the account expires. I'm just not aware of one of those.
Yeah...there is no event when it expires...one would have to either look back and get when it was created and compare against current date...or look for activity of people trying to use an expired account.
The other way is to pull the data from AD into a CSV and run a script against that data. I think I will put in an enhancement request with support for Envision to be able to pull AD information and be able to use the data in reports/alerts because I think it is a good source of metadata that would be useful.
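A sketch of the CSV approach described in the last post, added here as an example and not code from anyone in the thread. It assumes an export with `sAMAccountName` and `accountExpires` columns, where `accountExpires` is the raw AD value (100-ns ticks since 1601-01-01 UTC, with 0 or 0x7FFFFFFFFFFFFFFF meaning "never"); the sample rows and function names are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = {0, 0x7FFFFFFFFFFFFFFF}  # both raw values mean the account never expires

def expiry_time(raw):
    """Convert a raw accountExpires value to an aware datetime, or None for 'never'."""
    ticks = int(raw)
    if ticks in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample rows below."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def newly_expired(csv_text, last_run, now):
    """Accounts whose expiry fell in (last_run, now], i.e. the moment Windows does not log."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = expiry_time(row["accountExpires"])
        if when is not None and last_run < when <= now:
            hits.append((row["sAMAccountName"], when))
    return sorted(hits, key=lambda h: h[1])

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample export; a real one would come from the AD dump.
LAST_RUN, NOW = utc(2024, 6, 9), utc(2024, 6, 10)
SAMPLE_CSV = "\n".join([
    "sAMAccountName,accountExpires",
    "alice,0",                                       # never expires
    "bob,9223372036854775807",                       # never expires
    f"carol,{to_filetime(utc(2024, 6, 9, 17))}",     # expired since the last run
    f"dave,{to_filetime(utc(2024, 5, 1))}",          # expired earlier, already reported
    f"erin,{to_filetime(utc(2024, 7, 1))}",          # expires in the future
])

if __name__ == "__main__":
    for name, when in newly_expired(SAMPLE_CSV, LAST_RUN, NOW):
        print(f"{when.isoformat()} account expired: {name}")
```

Run on a schedule with `last_run` set to the previous run time, each account is reported once, in the window where its expiry passed.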