AD User - How to disable on 90 days of inactivity


Fred Yarbrough

We are running a Windows 2003 Active Directory domain in Native mode. Our
management is wanting to disable user accounts for people who have not
logged into their accounts in the past 90 days. How is the best way to go
about this (policy, script, 3rd party tool)?


Thanks,
Fred
 

Tomasz Onyszko

Fred said:
We are running a Windows 2003 Active Directory domain in Native mode. Our
management is wanting to disable user accounts for people who have not
logged into their accounts in the past 90 days. How is the best way to go
about this (policy, script, 3rd party tool)?

The only solution is an external tool or script which will look at the
accounts on all domain controllers and check the last logon date.

Here you have an example of such a script in Perl:
http://www.rallenhome.com/books/adcookbook/src/06.28-not_logged_on_recently.pls.txt


Another thing came to my mind - you can implement a login script which
will put into a database (simple HTTP request with user logon name) the
date of the user's last logon - and another process will, on a daily basis,
update the user accounts' expiration date to be valid for the next few months - but
the problem is that you will have to mark the users whose accounts should
not be updated and :)) ... this is just an idea, a lot of things to
consider with such an approach.
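
Added example, not part of the original posts and not the linked Perl script: the merge step of the "check every domain controller" approach in the reply above. The `lastLogon` attribute is not replicated between domain controllers, so the newest value across all of them has to be taken before applying the 90-day cutoff. It assumes the per-DC values and account flags were already exported; the account names, DC names and the exempt list are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # lastLogon counts 100 ns ticks from here
ACCOUNTDISABLE = 0x2  # userAccountControl bit: account is already disabled

def filetime_to_dt(ft):
    """UTC datetime for a lastLogon value; None for 0 (never logged on at that DC)."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10) if ft else None

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def find_inactive(per_dc, accounts, now, days=90, exempt=frozenset()):
    """per_dc: {dc: {user: lastLogon}}; accounts: {user: (userAccountControl, created)}."""
    cutoff = now - timedelta(days=days)
    hits = []
    for user, (uac, created) in sorted(accounts.items()):
        if user in exempt or uac & ACCOUNTDISABLE:
            continue  # service/exempt accounts and already-disabled accounts are left alone
        # The true last logon is the newest value reported by any DC.
        newest = max((values.get(user, 0) for values in per_dc.values()), default=0)
        last = filetime_to_dt(newest)
        # Accounts that never logged on are judged by creation date,
        # so a freshly created account is not disabled on day one.
        if (last or created) < cutoff:
            hits.append((user, last))
    return hits

def demo():
    now = datetime(2005, 6, 1, tzinfo=timezone.utc)  # fixed "today" for a repeatable run
    ago = lambda d: now - timedelta(days=d)
    ft = lambda d: dt_to_filetime(ago(d))
    per_dc = {  # constructed export: alice looks stale on DC1 but is active on DC2
        "DC1": {"alice": ft(200), "bob": ft(120), "svc_backup": ft(300), "erin": ft(150)},
        "DC2": {"alice": ft(10), "bob": ft(100)},
    }
    accounts = {
        "alice": (0x200, ago(500)), "bob": (0x200, ago(500)),
        "carol": (0x200, ago(5)),    # new hire, never logged on
        "dave": (0x200, ago(400)),   # old account, never logged on
        "erin": (0x202, ago(500)),   # already disabled
        "svc_backup": (0x200, ago(900)),
    }
    return now, find_inactive(per_dc, accounts, now, exempt={"svc_backup"})

if __name__ == "__main__":
    for user, last in demo()[1]:
        print(user, last.isoformat() if last else "never logged on")
```

Reviewing the resulting list before disabling anything catches accounts that belong on the exempt list.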
 

Steven L Umbach

Since you are using Windows 2003 you can use the AD command line tools dsquery and
dsmod. For instance, you can look for users who have been inactive for the last seven
weeks with "dsquery user -inactive 7". Then you could pipe it to the dsmod command
to disable those users, as in "dsquery user -inactive 7 | dsmod user -disabled yes".
Of course those commands have a great deal of flexibility and you can find out more
in the link below. The last link is to a JSI tip on using these tools in a script
where you can specify a date. --- Steve

http://www.microsoft.com/windowsxp/...using/productdoc/en/DS_command_line_tools.asp
http://www.jsiinc.com/SUBQ/tip8200/rh8260.htm
 
