VB Script for disabling AD accounts not used in x days.
  • VB Script for disabling AD accounts not used in x days.

    Hi All,
    I have no idea about scripts whatsoever. I have been tasked with finding a script that will disable user accounts in AD that haven't been used in x days. Can anyone help?

  • #2
    Re: VB Script for disabling AD accounts not used in x days.

    One or two clues here:
    http://www.google.co.uk/search?hl=en...accounts&meta=

    Good old
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: VB Script for disabling AD accounts not used in x days.

      If, as you say, you have no idea about VBScript, it would be easier and probably safer to use a command line tool:

      For pruning/moving/disabling old accounts in AD you can use the powerful tool OldCmp.exe (free for download). OldCmp can also be used to clean up user accounts when the proper filter is specified.
      (http://www.joeware.net/freetools/tools/oldcmp/index.htm browse to "See current usage screens" for examples)


      Or use Microsoft's dsQuery.exe and dsMod.exe,
      sample disabling users inactive for 10 weeks or longer,
      dsquery user -inactive 10 -limit 0 | dsmod user -disabled Yes

      Example of how to exclude specific users from being disabled using findstr /v,
      i.e. exclude usernames starting with admin, and also exclude accounts whose DN contains an OU named 'service accounts' or 'Sysops':
      dsquery user -inactive 10 -limit 0 | findstr /vic:"cn=Admin" /vic:",OU=service accounts," /vic:",OU=Sysops," | dsmod user -disabled Yes

      \Rems

      This posting is provided "AS IS" with no warranties, and confers no rights.

      __________________

      ** Remember to give credit where credit's due **
      and leave Reputation Points for meaningful posts



      • #4
        Re: VB Script for disabling AD accounts not used in x days.

        Hi Rems, you've hit the spot with the command line, I would be much happier using that. I had a play with your second command line tool but it generates the following error.

        Microsoft Windows [Version 5.2.3790]
        (C) Copyright 1985-2003 Microsoft Corp.
        C:\Documents and Settings\martin.greenhill>dsquery user -inactive 10 -limit 0 | dsmod user -disabled no
        dsquery failed:The parameter is incorrect.:Windows could not run this query because you are connected to a domain that does not support this query.
        type dsquery /? for help.dsmod failed:`Target object for this command' is missing.
        type dsmod /? for help.
        C:\Documents and Settings\martin.greenhill>

        Any ideas?




        • #5
          Re: VB Script for disabling AD accounts not used in x days.

          Is it possible to raise the domain functional level?
          If your domain is at Windows Server 2003 functional level or more recent, there is a new attribute called lastLogonTimeStamp.

          The -inactive switch of dsquery is querying the lastLogonTimeStamp attribute of the object.

          lastLogonTimeStamp represents the time when the user last logged onto the domain, like the lastLogon attribute does. Unlike lastLogon, this new attribute is replicated.

          If your domain is not at Windows Server 2003 functional level, you cannot run a single command line command to find inactive users; you must use a script (vbs example: http://www.rlmueller.net/Last%20Logon.htm). Every Domain Controller in the domain must be queried to find the latest lastLogon date for each user, because the lastLogon attribute is not replicated. The latest date found is kept by the script in a dictionary object.


          \Rems

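As an added example (not code from the thread or from any of its posters), the following PowerShell script does what Rems' dsquery | findstr | dsmod pipeline in #3 does, and also implements the per-DC lastLogon walk from #5 for domains where lastLogonTimeStamp is not available. It assumes the RSAT ActiveDirectory module; the 70-day cutoff, the exclusion pattern and the OU names are assumptions mirroring the thread's examples, and it only reports (via -WhatIf) until you remove that switch.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module is installed.
# Cutoff, name pattern and OU names below are assumptions that mirror the examples in #3.
Import-Module ActiveDirectory

$InactiveDays      = 70                                  # 10 weeks, as in "-inactive 10"
$Cutoff            = (Get-Date).AddDays(-$InactiveDays)
$ExcludeName       = '^Admin'                            # usernames starting with admin
$ExcludeOUs        = @('OU=service accounts,', 'OU=Sysops,')  # DN substrings, like findstr /vic:
$UsePerDcLastLogon = $false   # $true when the domain is below 2003 DFL (no lastLogonTimeStamp)

# Newest logon per user, keyed by DN: the "dictionary object" described in #5.
$LastSeen = @{}
if ($UsePerDcLastLogon) {
    # lastLogon is not replicated, so ask every DC and keep the most recent value.
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        Get-ADUser -Server $dc.HostName -Filter {Enabled -eq $true} -Properties lastLogon,whenCreated |
        ForEach-Object {
            $t = [DateTime]::FromFileTime([int64]$_.lastLogon)   # 0 (never logged on) -> year 1601
            if ($t -lt $_.whenCreated) { $t = $_.whenCreated }    # don't treat new accounts as stale
            $dn = $_.DistinguishedName
            if (-not $LastSeen.ContainsKey($dn) -or $t -gt $LastSeen[$dn]) { $LastSeen[$dn] = $t }
        }
    }
} else {
    # lastLogonTimeStamp is replicated (2003 DFL or later), so one query against any DC suffices.
    Get-ADUser -Filter {Enabled -eq $true} -Properties lastLogonTimeStamp,whenCreated | ForEach-Object {
        $t = [DateTime]::FromFileTime([int64]$_.lastLogonTimeStamp)
        if ($t -lt $_.whenCreated) { $t = $_.whenCreated }
        $LastSeen[$_.DistinguishedName] = $t
    }
}

# Apply the cutoff and the same exclusions the findstr /v filters in #3 express.
$Candidates = foreach ($dn in $LastSeen.Keys) {
    if ($LastSeen[$dn] -ge $Cutoff) { continue }
    $cn = (($dn -split ',')[0]) -replace '^CN='
    if ($cn -match $ExcludeName) { continue }
    if ($ExcludeOUs | Where-Object { $dn -like "*$_*" }) { continue }
    $dn
}

# Review the list first; drop -WhatIf only once the candidates look right.
foreach ($dn in $Candidates) {
    Write-Output ("{0}  last seen {1:yyyy-MM-dd}" -f $dn, $LastSeen[$dn])
    Disable-ADAccount -Identity $dn -WhatIf
}
```

Note that lastLogonTimeStamp is only updated when the previous value is older than the replication interval (14 days by default), so treat it as "last seen within about two weeks", not an exact timestamp.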


          • #6
            Re: VB Script for disabling AD accounts not used in x days.

            Cheers again Rems. All DCs in the domain are at 2003.
