PDA

View Full Version : AD User - How to disable on 90 days of inactivity

Fred Yarbrough
We are running a Windows 2003 Active Directory domain in Native mode. Our
management is wanting to disable user accounts for people who have not
logged into their accounts in the past 90 days. How is the best way to go
about this (policy, script, 3rd party tool)?


Thanks,
Fred


Tomasz Onyszko
Fred Yarbrough wrote:
> We are running a Windows 2003 Active Directory domain in Native mode. Our
> management is wanting to disable user accounts for people who have not
> logged into their accounts in the past 90 days. How is the best way to go
> about this (policy, script, 3rd party tool)?
>
The only solution is external tool or script which will look at the
accounts on all domain controllers and check last logon date

here You hae an example of such script in Perl
http://www.rallenhome.com/books/adcookbook/src/06.28-not_logged_on_recently.pls.txt


Another thing came to my mind - You can implement a login script which
will put into a database (simple HTTP request with user logon name) a
date of users last logon - and another proces on daily basis will update
user accounts expiration date to be valid for next few months - but
the problem is that You will have to mark the users whos accounts should
not be updated and :)) ... this is just idea, a lot of things to
consider with such approach.

--
Tomasz Onyszko [MVP]
T.Onyszko@w2k.pl
http://www.w2k.pl
Steven L Umbach
Since you are using Windows 2003 you can use the AD command line tools dsquery and
dsmod. For instance you can look for users who have been inactive for the last seven
weeks with " dsquery user -inactive 7 ". Then you could pipe it to the dsmod command
to disable those users as in " dsquery user -inactive 7 | dsmod user -disabled yes ".
Of course those commands have a great deal of flexibility and you can find out more
in the link below. The last link is to a JSI tip on using these tools in a script
where you can specify a date. --- Steve

http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/DS_command_line_tools.asp
http://www.jsiinc.com/SUBQ/tip8200/rh8260.htm

"Fred Yarbrough" wrote in message
news:eDWC6sdmEHA.2504@TK2MSFTNGP14.phx.gbl...
> We are running a Windows 2003 Active Directory domain in Native mode. Our
> management is wanting to disable user accounts for people who have not
> logged into their accounts in the past 90 days. How is the best way to go
> about this (policy, script, 3rd party tool)?
>
>
> Thanks,
> Fred
>
>


Fred Yarbrough
Thanks Guys! These suggestions give me a trail to research.


Fred

"Fred Yarbrough" wrote in message
news:eDWC6sdmEHA.2504@TK2MSFTNGP14.phx.gbl...
> We are running a Windows 2003 Active Directory domain in Native mode. Our
> management is wanting to disable user accounts for people who have not
> logged into their accounts in the past 90 days. How is the best way to go
> about this (policy, script, 3rd party tool)?
>
>
> Thanks,
> Fred
>
>