dump users in AD from 2 different OU's


Donna S.
11-07-2005, 10:00 PM
Hello,

I have a question on how to complete this task.

Client has a Windows 2000 AD. 18,000 users over all.
17,000 users are under a xxx OU, no group policy attached to it.
1,000 users are found under the Users OU.

Client wants to delete unused accounts, by dumping all of the accounts with
last logon information and also specify which OU they are in.

Is there a tool we can use? And how?
--
Donna S.

Joe Richards [MVP]
11-07-2005, 10:10 PM
You might want to take a look at my oldcmp tool. It also does users. However, in
W2K it will use pwdLastSet for determining account age, it will not look for
last logon. The lastLogon attribute (and even lastLogonTimeStamp in K3) are not
the best for determining things like that because they aren't always updated.

Find oldcmp at


http://www.joeware.net/win/free/tools/oldcmp.htm


Donna S. wrote:
> Hello,
>
> I have a question on how to complete this task.
>
> Client has a Windows 2000 AD. 18,000 users over all.
> 17,000 users are under a xxx OU, no group policy attached to it.
> 1,000 users are found under the Users OU.
>
> Client wants to delete unused accounts, by dumping all of the accounts with
> last logon information and also specify which OU they are in.
>
> Is there a tool we can use? And how?

Donna S.
11-07-2005, 10:40 PM
Hi Joe,

One thing that I didn't mention was that the 17,000 user accounts in this
one OU are set up via an application process off of the web. The users would
never need to update their passwords.

If I tried this tool... do I need to specify what OU I want it to look at?
--
Donna S.


"Joe Richards [MVP]" wrote:

> You might want to take a look at my oldcmp tool. It also does users. However, in
> W2K it will use pwdLastSet for determining account age, it will not look for
> last logon. The lastLogon attribute (and even lastLogonTimeStamp in K3) are not
> the best for determining things like that because they aren't always updated.
>
> Find oldcmp at
>
>
> http://www.joeware.net/win/free/tools/oldcmp.htm
>
>
> Donna S. wrote:
> > Hello,
> >
> > I have a question on how to complete this task.
> >
> > Client has a Windows 2000 AD. 18,000 users over all.
> > 17,000 users are under a xxx OU, no group policy attached to it.
> > 1,000 users are found under the Users OU.
> >
> > Client wants to delete unused accounts, by dumping all of the accounts with
> > last logon information and also specify which OU they are in.
> >
> > Is there a tool we can use? And how?
>

Joe Richards [MVP]
11-08-2005, 02:56 PM
It can look at the whole domain or look at specific OUs or you can tell it to
exclude OUs with certain strings in the DN.

However, if you have the passwords set to never expire it won't help you.

Non-expiring passwords are dangerous. You really just never change a password.

Depending on the application and how it authenticates, you may find that
lastLogon is not being updated. For instance, successful simple LDAP binds do not
update the lastLogon attribute.



Donna S. wrote:
> Hi Joe,
>
> One thing that I didn't mention was that the 17,000 user accounts in this
> one OU are set up via an application process off of the web. The users would
> never need to update their passwords.
>
> If I tried this tool... do I need to specify what OU I want it to look at?
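
The points raised in this thread (password age versus last logon, non-expiring passwords, and reporting which OU each account sits in) can be combined in a small offline triage script. This is an added example, not part of the thread and not how oldcmp works; the record layout, the 90-day threshold, the `example.com` DNs and the "review" verdict are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit: password never expires

def ft(y, m, d):
    """Build a FILETIME value for the constructed samples below."""
    return (datetime(y, m, d, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1) * 10

def filetime_to_dt(value):
    """pwdLastSet/lastLogon are 100-ns ticks since 1601-01-01 UTC; 0 means never."""
    ticks = int(value or 0)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks > 0 else None

def parent_container(dn):
    """Strip the leaf RDN, skipping backslash-escaped commas inside it."""
    i = 0
    while i < len(dn) and dn[i] != ",":
        i += 2 if dn[i] == "\\" else 1
    return dn[i + 1:]

def classify(user, now, max_age_days=90):
    container = parent_container(user["dn"])
    cutoff = now - timedelta(days=max_age_days)
    pwd = filetime_to_dt(user["pwdLastSet"])
    # lastLogon is kept per domain controller, so use the newest value collected.
    logons = [d for d in map(filetime_to_dt, user["lastLogon"]) if d]
    if (logons and max(logons) >= cutoff) or (pwd and pwd >= cutoff):
        return container, "active"
    if user["userAccountControl"] & DONT_EXPIRE_PASSWORD or pwd is None:
        # Password age proves nothing here and logon data may simply be missing.
        return container, "review"
    return container, "stale"

NOW = datetime(2005, 11, 8, tzinfo=timezone.utc)  # constructed reference date
USERS = [  # constructed sample records; one lastLogon value per DC queried
    {"dn": "CN=Smith\\, Jane,OU=xxx,DC=example,DC=com", "userAccountControl": 66048,
     "pwdLastSet": ft(2003, 5, 1), "lastLogon": [0, 0]},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com", "userAccountControl": 512,
     "pwdLastSet": ft(2005, 1, 10), "lastLogon": [0, ft(2005, 2, 1)]},
    {"dn": "CN=webuser,OU=xxx,DC=example,DC=com", "userAccountControl": 66048,
     "pwdLastSet": ft(2003, 5, 1), "lastLogon": [ft(2004, 1, 1), ft(2005, 11, 1)]},
]

if __name__ == "__main__":
    for u in USERS:
        print(*classify(u, NOW), u["dn"], sep=" | ")
```

Accounts that come back as "review" are the ones where neither attribute gives a reliable answer, so they need another source, such as the application's own logs, before anything is deleted.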