Expired v Disabled User Accounts and DSQUERY


Mark Heywood

Hi

3 q's :

1. Are there any security benefits to disabling expired user accounts, or
are they effectively already disabled by the fact that they have expired ?

We have a client who already expires user accounts every 3 months, now they
want us to go through and disable all the expired user accounts.

2. Secondly, how can we find all inactive accounts which are not already
disabled ?

I can use DSQUERY to find inactive accounts and inactive accounts which are
also disabled, but not inactive accounts which are not already disabled
(there is no -enabled option).

I would like to eventually automate the task of finding all inactive
accounts for x wks and disabling them.

However, my tests so far have revealed that AD accounts for Exchange
resources (such as meeting rooms) and also the IIS IUSR_<svrname> accounts
come up as inactive, since they are not actually used to logon. Things are
going to break if I disable these accounts through a DSQUERY .... | DSMOD
..... script.

3. Finally, how does DSQUERY find inactive accounts, does it only check
against a single domain controller or does it check all of them ? - I read
that the Last Login info is not replicated and therefore different values
may be returned from each DC for a given user.

Any suggestions much appreciated

Regards

Mark.
 

Jerold Schulman

Hi

3 q's :

1. Are there any security benefits to disabling expired user accounts, or
are they effectively already disabled by the fact that they have expired ?

We have a client who already expires user accounts every 3 months, now they
want us to go through and disable all the expired user accounts.

An expired account cannot be authenticated. Disabling would yield
no real benefit, other than your client's peace of mind.

2. Secondly, how can we find all inactive accounts which are not already
disabled ?

I can use DSQUERY to find inactive accounts and inactive accounts which are
also disabled, but not inactive accounts which are not already disabled
(there is no -enabled option).

Watch for line wrap:

@echo on
setlocal
for /f "Tokens=*" %%a in ('dsquery user domainroot -inactive 3^|dsget user -dn -disabled ^|find " no "') do (
set dn=%%a
)
set dn=%dn: no =%#
set dn=%dn: =%
set dn=%dn: #=%
set dn=%dn:#=%
endlocal

I would like to eventually automate the task of finding all inactive
accounts for x wks and disabling them.

However, my tests so far have revealed that AD accounts for Exchange
resources (such as meeting rooms) and also the IIS IUSR_<svrname> accounts
come up as inactive, since they are not actually used to logon. Things are
going to break if I disable these accounts through a DSQUERY .... | DSMOD
.... script.

3. Finally, how does DSQUERY find inactive accounts, does it only check
against a single domain controller or does it check all of them ? - I read
that the Last Login info is not replicated and therefore different values
may be returned from each DC for a given user.

Any suggestions much appreciated

See tip 7801 in the 'Tips & Tricks' at http://www.jsiinc.com

Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 

Jerold Schulman

Oops

Hi

3 q's :

1. Are there any security benefits to disabling expired user accounts, or
are they effectively already disabled by the fact that they have expired ?

We have a client who already expires user accounts every 3 months, now they
want us to go through and disable all the expired user accounts.

2. Secondly, how can we find all inactive accounts which are not already
disabled ?

I can use DSQUERY to find inactive accounts and inactive accounts which are
also disabled, but not inactive accounts which are not already disabled
(there is no -enabled option).

Watch for line wrap:

@echo on
setlocal
rem Users with no logon in 3 weeks are piped through dsget to show the disabled
rem flag; find keeps only the rows whose disabled column reads "no".
rem The ^ escapes the pipes so cmd passes them to the command inside for /f.
for /f "Tokens=*" %%a in ('dsquery user domainroot -inactive 3^|dsget user -dn -disabled ^|find " no "') do (
set dn=%%a
call :fixdn
)
endlocal
goto :EOF
:fixdn
rem Strip the " no " column, mark the end with # and remove the padding spaces.
rem Caveat: the blanket space removal also strips spaces inside the DN itself
rem (e.g. CN=Mark Heywood), so check the echoed DNs before feeding them to dsmod.
set dn=%dn: no =%#
set dn=%dn: =%
set dn=%dn: #=%
set dn=%dn:#=%
@echo %dn%

I would like to eventually automate the task of finding all inactive
accounts for x wks and disabling them.

However, my tests so far have revealed that AD accounts for Exchange
resources (such as meeting rooms) and also the IIS IUSR_<svrname> accounts
come up as inactive, since they are not actually used to logon. Things are
going to break if I disable these accounts through a DSQUERY .... | DSMOD
.... script.

3. Finally, how does DSQUERY find inactive accounts, does it only check
against a single domain controller or does it check all of them ? - I read
that the Last Login info is not replicated and therefore different values
may be returned from each DC for a given user.

See tip 7801 in the 'Tips & Tricks' at http://www.jsiinc.com

Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 

Joe Richards [MVP]

1. Possibly. An expired account can have the password changed if someone knows
the old one (or can guess it) and then they can use it.

2. Take a look at my oldcmp tool at http://www.joeware.net/win/free/tools/oldcmp.htm

It was initially written to clean up computer accounts but is flexible enough to
do users if you use the -f option. Details on the page specified above. You can
read more about it in the current Windows IT Pro magazine.

3. dsquery uses a special new attribute available in Windows 2003 for domains in
domain functional mode. It uses the attribute lastlogontimestamp which is
updated about every 7-10 days. It will not work on W2K or K4 domains not in
domain functional mode.

joe
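The sweep that Jerold's dsquery script and Joe's lastlogontimestamp answer describe, done in PowerShell as an added example that is not code from the thread: it finds inactive users that are still enabled (the filter dsquery lacks), skips resource and service accounts, checks lastLogon on every DC because that attribute is not replicated, and also lists expired-but-enabled accounts for question 1. It assumes the RSAT ActiveDirectory module; the exclusion patterns and the resource-mailbox OU are placeholders.

```powershell
# Added example, not from the thread (which used dsquery/dsget): assumes the RSAT
# ActiveDirectory module. Lists users inactive for $Weeks weeks that are still
# enabled, skips resource/service accounts, and checks lastLogon on every DC
# because that attribute is not replicated.
Import-Module ActiveDirectory

$Weeks  = 12
$Cutoff = (Get-Date).AddDays(-7 * $Weeks)
# Assumed exclusions: Exchange resource mailboxes and IIS anonymous accounts never
# log on, so a plain inactivity sweep would catch them. Adjust to the environment.
$ExcludeNames = 'IUSR_*', 'IWAM_*'
$ExcludeOUs   = 'OU=Resource Mailboxes,DC=example,DC=com'   # placeholder OU

function Get-TrueLastLogon {
    # lastLogon is stored per DC, so query each one and keep the newest value.
    param([string]$DN, [string[]]$DomainControllers)
    $latest = 0L
    foreach ($dc in $DomainControllers) {
        try {
            $u = Get-ADUser -Identity $DN -Server $dc -Properties lastLogon -ErrorAction Stop
            if ([long]$u.lastLogon -gt $latest) { $latest = [long]$u.lastLogon }
        } catch { Write-Warning "Could not query $dc for ${DN}: $_" }
    }
    if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
}

$DCs = (Get-ADDomainController -Filter *).HostName
# Coarse pass on the replicated lastLogonTimestamp (refreshed only every week or
# two, not on each logon); Enabled is the filter dsquery -inactive lacks.
$candidates = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays(7 * $Weeks)) -UsersOnly |
    Where-Object { $_.Enabled }

$toDisable = foreach ($a in $candidates) {
    if ($ExcludeNames | Where-Object { $a.SamAccountName -like $_ })      { continue }
    if ($ExcludeOUs   | Where-Object { $a.DistinguishedName -like "*,$_" }) { continue }
    $last = Get-TrueLastLogon -DN $a.DistinguishedName -DomainControllers $DCs
    if ($last -and $last -gt $Cutoff) { continue }   # some DC saw a recent logon
    [PSCustomObject]@{ Account = $a.SamAccountName; LastLogon = $last; DN = $a.DistinguishedName }
}
$toDisable | Format-Table -AutoSize

# Question 1: expired accounts that are still enabled, for the client to review.
Search-ADAccount -AccountExpired -UsersOnly | Where-Object { $_.Enabled } | Select-Object SamAccountName, AccountExpirationDate

# Disable with a dated description for traceability. -WhatIf only reports; remove it to act.
foreach ($t in $toDisable) {
    Set-ADUser -Identity $t.DN -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $Weeks weeks" -WhatIf
    Disable-ADAccount -Identity $t.DN -WhatIf
}
```

Run it first with -WhatIf in place and review the table, since an account that only ever logs on to one DC shows up as inactive everywhere else.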
 
