Aging Accounts


Guys, I am looking for an effective way to deal with some aging accounts. I
have users in my environment who do not always come in to the office. I am
trying to determine who is no longer using my network. Therefore I am asking
two things: Is there a way to query Active Directory for every computer
account in AD and its last logged on user and on what date?

My thought is that if I can sort all of my accounts in Excel or something by
last logged on date, I can see how old the account really is and who logged
on to it. This way, I can start deleting accounts.

Any help, idea or thought would be appreciated.

Alex
 

Richard Mueller [MVP]

Alex said:
Guys, I am looking for an effective way to deal with some aging accounts. I
have users in my environment who do not always come in to the office. I am
trying to determine who is no longer using my network. Therefore I am asking
two things: Is there a way to query Active Directory for every computer
account in AD and its last logged on user and on what date?

My thought is that if I can sort all of my accounts in Excel or something by
last logged on date, I can see how old the account really is and who logged
on to it. This way, I can start deleting accounts.

Any help, idea or thought would be appreciated.

Hi,

I have two sample VBScript programs to help locate inactive user/computer
accounts. First, a program that documents all users in the domain and the
last time they logged on is linked on this page:

http://www.rlmueller.net/Last Logon.htm

Next, a sample program that documents all users and the last date their
password was set is linked on this page:

http://www.rlmueller.net/PwdLastChanged.htm

In both cases, the information can be imported into a spreadsheet for
analysis. If users are not necessarily required to change their password
periodically, you must use the lastLogon date.

The program to retrieve the pwdLastSet date queries just one Domain
Controller (DC), so it should be quite fast. The lastLogon attribute is not
replicated, so the LastLogon program must query every DC in the domain for
the largest (latest) value for each user. Although the program is efficient
(it does not bind to each user object), it can still take a while to run in a
large network, especially if there are slow links.

Both programs can be modified to retrieve the information for computer
objects instead of user objects. The required modification is given on the
pages linked. Since the default is for the system to reset computer account
passwords every 30 days, it is most efficient to use the PwdLastChanged
program for computer accounts, since that program only queries one DC.

It is not possible to query every client and determine who last logged into
it (and when). I believe the programs I linked above should give you what
you need. However, if you want to track who logs into which computers when,
you can use a logon script that logs this information to a shared log file.
I have used similar code for many years. I have a sample logon script
program that does this linked on this page:

http://www.rlmueller.net/Logon5.htm
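The approach Richard describes (lastLogon gathered from every DC and the largest value kept per user; pwdLastSet from a single DC for computer accounts) in PowerShell form. This is an added example, not one of the linked rlmueller.net scripts; it assumes the RSAT ActiveDirectory module is installed and uses a 90-day inactivity cutoff, which is an assumption and not a value from the thread.

```powershell
# Added example (not from the linked rlmueller.net scripts). Assumes the RSAT
# ActiveDirectory module and a 90-day inactivity threshold (both assumptions).
Import-Module ActiveDirectory
$Cutoff = (Get-Date).AddDays(-90)

# lastLogon is not replicated, so collect it from every DC and keep the
# largest (latest) FILETIME value seen for each user.
$Latest = @{}
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADUser -Filter * -Properties lastLogon -Server $dc.HostName |
        ForEach-Object {
            $ll = [int64]$_.lastLogon      # 0 / null = never logged on at this DC
            if (-not $Latest.ContainsKey($_.SamAccountName) -or
                $ll -gt $Latest[$_.SamAccountName]) {
                $Latest[$_.SamAccountName] = $ll
            }
        }
}

$StaleUsers = $Latest.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        SamAccountName = $_.Key
        # FILETIME (100-ns ticks since 1601) -> DateTime; 0 stays $null (never)
        LastLogon = if ($_.Value -eq 0) { $null } else { [DateTime]::FromFileTime($_.Value) }
    }
} | Where-Object { -not $_.LastLogon -or $_.LastLogon -lt $Cutoff }

# Computer accounts reset their own password every 30 days by default, so the
# replicated pwdLastSet from one DC is sufficient; no per-DC loop is needed.
$StaleComputers = Get-ADComputer -Filter * -Properties pwdLastSet, OperatingSystem |
    Select-Object Name, OperatingSystem,
        @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTime([int64]$_.pwdLastSet) } } |
    Where-Object { $_.PwdLastSet -lt $Cutoff }

# Export for spreadsheet review. Disable rather than delete on the first pass;
# a disabled account can be re-enabled if the owner turns out to be on leave.
$StaleUsers     | Export-Csv -NoTypeInformation -Path .\stale-users.csv
$StaleComputers | Export-Csv -NoTypeInformation -Path .\stale-computers.csv
```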
 

Active Directory Janitor DevTeam

Hello Alex

I would really like to advise you to take a look at Active Directory
Janitor (http://www.adjanitor.com). It will do exactly this for you in
a controlled and quick way. It can be downloaded and tested right
away. You could try to do the same with a script but it would not give
you this:

* Easy-to-use user interface; don't take my word for it :) look here
for some examples: http://www.adjanitor.com/screenshots
* The scanning operation is multithreaded, giving a huge performance
advantage over scripting. The progress of the scanning is displayed
visually and can be aborted.
* The computers can be selected by partial names, by domains/OUs or
even imported from text files on the fly. Multiple domains and
subdomains are supported.
* All the computers are pinged in parallel to help decide if the
accounts are active or not.
* Up to 15 different properties are collected from the computers, for
example last logon, create date, OU. This includes properties that are
not replicated in AD. The computer list can be sorted by any one of
these.
* Computers can be selected for deletion, disabling OR enabling.
* A robust, well-tested application.
* Finally, compare the hours of implementing, testing and maintaining
a script solution to make it reliable and robust to the $49.95 that
Active Directory Janitor costs!

Tomas
Active Directory DevTeam
 
