How can I report all inactive user accounts in Windows 2000 AD

Marwan

I need to get a list of all inactive user accounts in Windows 2000 Active
Directory
 
Meinolf Weber

Hello Marwan,

Do you mean disabled accounts or not used over a long period?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Marwan

Hello Meinolf,

I am able to get the list of disabled accounts in the domain. However, I
need to get the list of inactive accounts (for example inactive for the last
70 days).

Thanks and Best Regards,
 
Paul Bergson [MVP-DS]

Check out a script I wrote that will give you multiple attributes of users
including LastLogon at:

http://www.pbbergs.com/windows/downloads.htm
Select User Account Attributes

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Marwan

Hello,

Thanks for your fast reply. However, they require Windows Server 2003 domain
functional level, we are running Windows 2000 mixed mode domain level.
I cannot use the graphical user interface or dsquery.
oldcmp -report -users... will give me the last time users changed their
password.
I am looking for users that have not logged in over a period of time.

Thanks
 
Richard Mueller [MVP]

oldcmp should do what you want. Or, you can try Joe Richards' adfind.
 
Ken Aldrich

Hello,

If you're looking for a 3rd party solution take a look at DSRAZOR for
Windows. It is not free, but it is very easy to use. It is set up for user
searches right out of the box.
As you may know, Active Directory does not replicate the lastLogon
attribute. If you have 3 Domain Controllers and you asked each of those
three DCs the last time a user logged on, you might get three different
responses. You can use various scripts or software to run the queries to
each DC and make the comparison for you... that's what Joe's tool, and
DSRAZOR, do.
When you run DSRAZOR to find these old users you can right-click to generate
a report, or you can select all the users found and press a button to do
something to those accounts. This means that once the search finishes, you
could highlight them all, disable them, and move them to a disabled user's
OU. Or you could simply delete them. This makes the cleanup job very easy.
Everything is also logged so you have a record of what changes you've made.
You can also automate the applet to run on a scheduled basis to regularly
keep your inactive users cleaned up. Customers tell us that their auditors
really like to see that.
I realize that the other solutions offered in this thread are free and a
perfect fit for many people, but if you want something that is easier to use
and backed by a company that offers free support to customers, then consider
DSRAZOR as an option.

I hope this is helpful to someone.
 
Richard Mueller [MVP]

For scripting solutions, I have two sample VBScript programs that can help.
First a program that documents the last logon times for all users in the
domain:

http://www.rlmueller.net/Last Logon.htm

You would use the first program in the link if your domain is not at Windows
2003 functional level. You would run the program at a command prompt using
the cscript host and redirect the output to a text file. For example, you
could use the command:

cscript //nologo LastLogon.vbs > report.txt

The "//nologo" parameter suppresses logo information from the output. This
assumes the file LastLogon.vbs is in the current folder. Otherwise you must
specify the path as well as file name. The command redirects the output to
the text file report.txt in the same folder. This file can be imported into
a spreadsheet for analysis. The fields in the output are delimited by
semicolons. Next, a program that documents the last time each user changed
their password:

http://www.rlmueller.net/PwdLastChanged.htm

This program accepts the name of a file as a parameter and outputs to that
file.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
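
An added example, not code from any poster in this thread or from the tools they mention: because lastLogon is not replicated, the sketch below merges the values collected from each DC (newest wins) and reports accounts with no logon in the last 70 days. The DC names, DNs and timestamps are constructed sample data, and collecting the raw values from each DC is assumed to have been done already.

```python
from datetime import datetime, timedelta, timezone

# lastLogon is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_filetime(ticks):
    """Return UTC datetime, or None when the DC has recorded no logon (0)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks else None

def merge_last_logon(per_dc):
    """per_dc: {dc_name: {user_dn: ticks}} -> {user_dn: (newest ticks, dc_name)}."""
    latest = {}
    for dc, users in per_dc.items():
        for dn, ticks in users.items():
            if ticks > latest.setdefault(dn, (0, None))[0]:
                latest[dn] = (ticks, dc)
    return latest

def inactive_users(per_dc, now, days=70):
    """Users whose newest logon on any DC is older than `days`, or who never logged on."""
    cutoff = now - timedelta(days=days)
    report = []
    for dn, (ticks, dc) in sorted(merge_last_logon(per_dc).items()):
        seen = from_filetime(ticks)
        if seen is None or seen < cutoff:
            report.append((dn, seen, dc))
    return report

# Constructed sample data: three hypothetical DCs, three hypothetical users.
NOW = datetime(2009, 6, 1, tzinfo=timezone.utc)
ago = lambda n: to_filetime(NOW - timedelta(days=n))
ALICE, BOB, CAROL = ("CN=Alice,OU=Staff,DC=example,DC=com",
                     "CN=Bob,OU=Staff,DC=example,DC=com",
                     "CN=Carol,OU=Staff,DC=example,DC=com")
SAMPLE = {
    "DC1": {ALICE: ago(100), BOB: ago(90), CAROL: 0},
    "DC2": {ALICE: ago(5), BOB: ago(80), CAROL: 0},
    "DC3": {ALICE: 0, BOB: 0},  # Carol absent here: treated like "no logon recorded"
}

if __name__ == "__main__":
    for dn, seen, dc in inactive_users(SAMPLE, NOW):
        print(f"{dn};{seen.isoformat() if seen else 'never'};{dc or '-'}")
```

Asking only DC1 would wrongly list Alice as inactive; the merged view keeps her because DC2 saw her five days ago.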
 