Mark Heywood
Hi
3 q's :
1. Are there any security benefits to disabling expired user accounts, or
are they effectively already disabled by the fact that they have expired ?
We have a client who already expires user accounts every 3 months, now they
want us to go through and disable all the expired user accounts.
2. Secondly, how can we find all inactive accounts which are not already
disabled ?
I can use DSQUERY to find inactive accounts and inactive accounts which are
also disabled, but not inactive accounts which are not already disabled
(there is no -enabled option).
I would like to eventually automate the task of finding all inactive
accounts for x wks and disabling them.
However, my tests so far have revealed that AD accounts for Exchange
resources (such as meeting rooms) and also the IIS IUSR_<svrname> accounts
come up as inactive, since they are not actually used to log on. Things are
going to break if I disable these accounts through a DSQUERY .... | DSMOD
..... script.
3. Finally, how does DSQUERY find inactive accounts, does it only check
against a single domain controller or does it check all of them ? - I read
that the Last Login info is not replicated and therefore different values
may be returned from each DC for a given user.
Any suggestions much appreciated
Regards
Mark.
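
The selection logic asked about in questions 2 and 3, as an added example that is not part of the original post: it reports accounts that are enabled but inactive, takes the newest `lastLogon` across all domain controllers because that attribute is not replicated, and skips service and resource accounts. It assumes the attributes have already been read from each DC; the account names, DC names, function names and sample records are constructed for illustration, and nothing is disabled, only listed for review.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks a disabled account
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# LDAP filter for enabled users only (bitwise-AND matching rule on bit 2, negated)
ENABLED_USERS_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                        "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

def filetime_to_dt(ft):
    """AD logon times are 100 ns ticks since 1601-01-01 UTC; 0 means never."""
    return None if not ft else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def last_logon(per_dc_values):
    """lastLogon differs per DC, so the true value is the newest seen anywhere."""
    seen = [filetime_to_dt(v) for v in per_dc_values if v]
    return max(seen) if seen else None

def stale_enabled(accounts, now, weeks, exclude_prefixes=("IUSR_",), exclude_names=()):
    """Return (name, last logon) for enabled accounts idle longer than `weeks`."""
    cutoff = now - timedelta(weeks=weeks)
    prefixes = tuple(p.upper() for p in exclude_prefixes)
    report = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        if acct["userAccountControl"] & ACCOUNTDISABLE:
            continue  # already disabled
        if name.upper().startswith(prefixes) or name in exclude_names:
            continue  # service/resource accounts that never log on interactively
        last = last_logon(acct["lastLogon"].values())
        if last is None or last < cutoff:
            report.append((name, last))  # None = never logged on; review by hand
    return report

# Constructed sample: attributes as read from two hypothetical DCs.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _ft(days_ago):
    return dt_to_filetime(NOW - timedelta(days=days_ago))

SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "lastLogon": {"DC1": _ft(200), "DC2": _ft(3)}},
    {"sAMAccountName": "bob", "userAccountControl": 512, "lastLogon": {"DC1": _ft(120), "DC2": 0}},
    {"sAMAccountName": "carol", "userAccountControl": 514, "lastLogon": {"DC1": _ft(300), "DC2": 0}},
    {"sAMAccountName": "IUSR_WEB01", "userAccountControl": 66048, "lastLogon": {"DC1": 0, "DC2": 0}},
    {"sAMAccountName": "room-boardroom", "userAccountControl": 512, "lastLogon": {"DC1": 0, "DC2": 0}},
]

if __name__ == "__main__":
    for name, last in stale_enabled(SAMPLE, NOW, 12, exclude_names=("room-boardroom",)):
        print(name, last)
```

Checking only DC1 would wrongly flag `alice`, whose recent logon was recorded on DC2.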