Logon Disable Policy

  • Logon Disable Policy

    Hi,

    Is there any group policy in Windows 2003 to disable a user account if the user has not logged in for more than 90 days?

    Or is there another way to achieve the same?

    Regards
    Muneer

  • #2
    Re: Logon Disable Policy

    First you need to get the list of users who have not logged in for more than 90 days. Then you can run a script to disable them.

    Hyena can do that for you.

    Regards,
    Kapil Sharma
    ~~~~~~~~~~~~~
    Life is too short, Enjoy It.



    • #3
      Re: Logon Disable Policy

      Hi,


      I know that using a custom query or a common query we can get the logon info, but I want to automate the same.

      Is this possible using GPMC (talking about existing policies for Win2k3, if they exist)?

      Regards
      Muneer



      • #4
        Re: Logon Disable Policy

        Check this :

        http://joeware.net/freetools/index.htm



        • #5
          Re: Logon Disable Policy

          Hi,

          How do I invoke this tool with Group Policy?


          If a user has not logged in, their user ID should get disabled automatically.

          Is this possible in Group Policy or not?

          Regards
          Muneer



          • #6
            Re: Logon Disable Policy

            Here you go... this is set to run on an entire domain and will disable any account that has not logged on in over 90 days. Please note, you need to set ADVersion depending on your AD level (2003 or 2000).


            ' DisableOldAccounts.vbs
            ' Disables every user account in the domain whose last logon is older than
            ' MAX_AGE_DAYS. Set ADVersion to "2003" to read the replicated
            ' lastLogonTimeStamp attribute, or "2000" to fall back to lastLogon,
            ' which is not replicated between domain controllers.
            Option Explicit
            On Error Resume Next

            Const ADS_SCOPE_SUBTREE = 2
            Const MAX_AGE_DAYS = 90

            Dim objRootDSE
            Dim objConnection, objCommand, objRecordSet
            Dim UserDN, objUser, strDNSDomain, strQuery
            Dim objLogon, lngHigh, lngLow, intLogonTime, intLLTS, ADVersion

            'ADVersion = "2003"
            ADVersion = "2000"

            ' Determine DNS domain name from RootDSE object.
            Set objRootDSE = GetObject("LDAP://RootDSE")
            strDNSDomain = objRootDSE.Get("defaultNamingContext")

            ' Use ADO to search Active Directory for all user objects
            ' (objectClass = 'user' excludes contacts, which have no logon attributes).
            Set objConnection = CreateObject("ADODB.Connection")
            Set objCommand = CreateObject("ADODB.Command")
            objConnection.Provider = "ADsDSOObject"
            objConnection.Open "Active Directory Provider"
            Set objCommand.ActiveConnection = objConnection

            objCommand.Properties("Page Size") = 1000
            objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

            strQuery = "SELECT distinguishedName FROM 'LDAP://" & strDNSDomain & _
                       "' WHERE objectCategory = 'User' AND objectClass = 'user'"

            objCommand.CommandText = strQuery
            Set objRecordSet = objCommand.Execute

            Do Until objRecordSet.EOF
                UserDN = objRecordSet.Fields("distinguishedName").Value
                Set objUser = GetObject("LDAP://" & UserDN)

                ' Read the last-logon attribute. An unset attribute raises an error,
                ' which means the account has never logged on; without this check the
                ' previous user's value would be reused under On Error Resume Next.
                Err.Clear
                If ADVersion = "2003" Then
                    Set objLogon = objUser.Get("lastLogonTimeStamp")
                Else
                    Set objLogon = objUser.Get("lastLogon")
                End If
                lngHigh = objLogon.HighPart
                lngLow = objLogon.LowPart

                If Err.Number <> 0 Or (lngHigh = 0 And lngLow = 0) Then
                    WScript.Echo Mid(objUser.Name, 4) & ",Skipped,never logged on"
                    Err.Clear
                Else
                    ' Convert the 64-bit FILETIME (100 ns ticks since 1 Jan 1601) to a date.
                    ' LowPart is a signed 32-bit value, so add one to HighPart when it is negative.
                    If lngLow < 0 Then lngHigh = lngHigh + 1
                    intLogonTime = lngHigh * (2 ^ 32) + lngLow
                    intLogonTime = intLogonTime / (60 * 10000000)   ' ticks -> minutes
                    intLogonTime = intLogonTime / 1440               ' minutes -> days
                    intLLTS = #1/1/1601# + intLogonTime

                    If DateDiff("d", intLLTS, Date) > MAX_AGE_DAYS Then
                        ' Disable the account if it is still enabled
                        If objUser.AccountDisabled = False Then
                            objUser.AccountDisabled = True
                            objUser.SetInfo
                            WScript.Echo Mid(objUser.Name, 4) & ",Disabled,last logged on at " & intLLTS
                        Else
                            WScript.Echo Mid(objUser.Name, 4) & ",Already disabled,last logged on at " & intLLTS
                        End If
                    End If
                End If

                objRecordSet.MoveNext
            Loop

            WScript.Echo "Finished"



            • #7
              Re: Logon Disable Policy

              Forgot to mention... the lastLogon attribute is not replicated in AD, but lastLogonTimeStamp is, so unless you are running AD 2003 your results may not be entirely correct. Read here for more:

              http://www.microsoft.com/technet/scr...lastlogon.mspx

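As an added example (not code from the thread), the same staleness decision in Python: it converts AD's Integer8 FILETIME values to dates, takes the newest lastLogon seen on any DC as the post above implies, and keeps never-logged-on accounts separate instead of dating them to 1601. The users, DC names and dates are constructed sample data; the 9 to 14 day lag of lastLogonTimeStamp is a property of the attribute's default refresh interval.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel AD stores for "never" in Integer8 fields

def filetime_to_datetime(ft):
    """Integer8 attributes (lastLogon, lastLogonTimeStamp) hold 100 ns ticks
    since 1601-01-01 UTC; 0 or the NEVER sentinel means the attribute is unset."""
    if ft <= 0 or ft >= NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def effective_last_logon(user):
    """Newest of the per-DC lastLogon values (not replicated) and the replicated
    lastLogonTimeStamp (refreshed only when 9-14 days old, so it may lag)."""
    raw = list(user["lastLogon_per_dc"].values()) + [user.get("lastLogonTimeStamp", 0)]
    seen = [d for d in (filetime_to_datetime(v) for v in raw) if d is not None]
    return max(seen) if seen else None

def classify(user, now, max_age_days=90):
    """'active', 'stale', or 'new' (never logged on, created inside the window).
    A never-used account older than the window counts as stale."""
    last = effective_last_logon(user)
    if last is None:
        return "stale" if (now - user["whenCreated"]).days > max_age_days else "new"
    return "stale" if (now - last).days > max_age_days else "active"

def stale_accounts(users, now, max_age_days=90):
    """Names to hand to the disable step (report first, disable after review)."""
    return sorted(u["sAMAccountName"] for u in users if classify(u, now, max_age_days) == "stale")

# Constructed sample directory with two DCs; the as-of date is fixed for repeatability.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _ft(days_ago):
    return datetime_to_filetime(NOW - timedelta(days=days_ago))
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "whenCreated": NOW - timedelta(days=400),  # recent only on DC2
     "lastLogon_per_dc": {"DC1": _ft(100), "DC2": _ft(5)}, "lastLogonTimeStamp": _ft(20)},
    {"sAMAccountName": "bob", "whenCreated": NOW - timedelta(days=400),    # stale on every DC
     "lastLogon_per_dc": {"DC1": _ft(120), "DC2": 0}, "lastLogonTimeStamp": _ft(115)},
    {"sAMAccountName": "carol", "whenCreated": NOW - timedelta(days=3),    # brand new, never used
     "lastLogon_per_dc": {"DC1": 0, "DC2": 0}, "lastLogonTimeStamp": 0},
    {"sAMAccountName": "dave", "whenCreated": NOW - timedelta(days=200),   # old, never used
     "lastLogon_per_dc": {"DC1": 0, "DC2": 0}, "lastLogonTimeStamp": NEVER},
]

print("to disable:", stale_accounts(SAMPLE_USERS, NOW))  # to disable: ['bob', 'dave']
```

Reading only DC1's lastLogon would have flagged alice as stale, which is exactly the error the post warns about.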


              • #8
                Re: Logon Disable Policy

                Originally posted by muneer_bom3:
                Hi,

                How do I invoke this tool with Group Policy?


                If a user has not logged in, their user ID should get disabled automatically.

                Is this possible in Group Policy or not?

                Regards
                Muneer
                You are not thinking outside the GPO box.
                The script above might work (I haven't tested it) and you can just schedule it with the Task Scheduler.
                Marcel
                Technical Consultant
                Netherlands
                http://www.phetios.com
                http://blog.nessus.nl

                MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                "No matter how secure, there is always the human factor."

                "Enjoy life today, tomorrow may never come."
                "If you're going through hell, keep going. ~Winston Churchill"



                • #9
                  Re: Logon Disable Policy

                  Originally posted by deadite:
                  Here you go... this is set to run on an entire domain and will disable any account that has not logged on in over 90 days. Please note, you need to set ADVersion depending on your AD level (2003 or 2000).


                  May I know how I can install this code on Windows Server 2003?



                  • #10
                    Re: Logon Disable Policy

                    Please read the post in full in which you have quoted. The answer lies within.
                    ** Remember to give credit where credit is due and leave reputation points where appropriate **

