
Inactive Accounts


Danny Phillips

Feb 3, 2004, 3:50:13 PM
Is there a way to get a list of accounts that have not
been used in x days?

Danny

Al Dunbar [MS-MVP]

Feb 3, 2004, 9:34:32 PM

"Danny Phillips" <dphi...@sapc.edu> wrote in message
news:9a6201c3ea97$52559e90$a401...@phx.gbl...

> Is there a way to get a list of accounts that have not
> been used in x days?

Define "used". If this includes being used as credentials to acquire some
resource (i.e. mapping a share) under someone's credentials, or being used
as a service account, that might be difficult.

If you just mean used to log into the network, you would have to enquire of
each domain controller when the user last logged in. If you only want an
approximation, and if you have a policy that requires the password to be
changed periodically, you could look at the last password change date, and
would only need to get this from a single domain controller.

/Al


Richard Mueller [MVP]

Feb 3, 2004, 9:33:16 PM
Danny Phillips wrote:

> Is there a way to get a list of accounts that have not
> been used in x days?

Hi,

First, Joe Richards has a new tool called OLDCMP on his web site on the free
Win32 tools page:

www.joeware.net

It reports and disables old computer accounts based on the password age of
the account.

If you need a scripting solution, I have a sample VBScript program that
outputs all users in the domain and the date their password was last set.
The program is linked on this page:

http://www.rlmueller.net/PwdLastChanged.htm

The output text file can be imported into a spreadsheet for analysis. This
program can be modified to report on computers instead of users. The change
is documented in the code. You would replace the following statements:

' Filter to retrieve all user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"

with this:

' Filter to retrieve all computer objects.
strFilter = "(objectCategory=computer)"

By default, computer passwords are changed by the system every 30 days (some
documentation says 7 days, but I see 30 days in my domain). If a computer
object last had its password changed 100 days ago, you know it has not been
on the network for at least 70 days.

If you are asking about user accounts, and you have users that are not
required to change their password, you have to use the lastLogon attribute
to find inactive accounts. This is similar to the pwdLastSet attribute used
by the program above, except that this attribute is not replicated. For each
user (and computer), a different value is stored on each Domain Controller
(DC) in the domain (unless your domain is at W2k3 functional level). To
determine the lastLogon date for each user, you must query every DC in the
domain. This can take a while in a large network. I have a sample VBScript
program to report the lastLogon date for every user in the domain linked on
this page:

http://www.rlmueller.net/Last%20Logon.htm

Again, the output can be imported into a spreadsheet. The program uses ADO
to retrieve all the information from each DC in one operation, without the
need to bind to each user object. This makes the program much faster than
other scripting techniques.

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
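
The per-DC merge described in the post above, as an added example that is not part of the original thread or of the linked VBScript programs: because lastLogon is stored separately on each DC, the newest value across all DCs is the one to compare against the cutoff. The DC names, account names and logon times are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# lastLogon is stored as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """Helper used only to build the constructed sample data below."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def from_filetime(ticks):
    """Return a UTC datetime, or None for 0/missing (never logged on at that DC)."""
    if not ticks:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def merge_last_logon(per_dc):
    """per_dc: {dc_name: {account: lastLogon ticks}} -> {account: latest datetime or None}."""
    latest = {}
    for values in per_dc.values():
        for account, ticks in values.items():
            latest[account] = max(latest.get(account, 0), ticks or 0)
    return {account: from_filetime(t) for account, t in latest.items()}

def inactive_accounts(per_dc, days, now):
    """Accounts whose newest logon on any DC is older than `days`, or absent."""
    cutoff = now - timedelta(days=days)
    merged = merge_last_logon(per_dc)
    return sorted(a for a, seen in merged.items() if seen is None or seen < cutoff)

# Constructed sample data: hypothetical DC names, accounts and logon times.
NOW = datetime(2004, 2, 3, tzinfo=timezone.utc)
SAMPLE = {
    "DC1": {"alice": to_filetime(NOW - timedelta(days=200)),
            "bob": to_filetime(NOW - timedelta(days=120)),
            "carol": 0},
    "DC2": {"alice": to_filetime(NOW - timedelta(days=5)),   # recent, but only on DC2
            "bob": to_filetime(NOW - timedelta(days=95)),
            "carol": 0},
}

if __name__ == "__main__":
    for name, seen in sorted(merge_last_logon(SAMPLE).items()):
        print(name, seen.isoformat() if seen else "never")
    print("inactive > 90 days:", inactive_accounts(SAMPLE, 90, NOW))
```

With this sample, reading DC1 alone would report alice as inactive even though she logged on through DC2 five days earlier, which is why every DC has to be queried.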


Danny Phillips

Feb 6, 2004, 8:48:59 AM
Thanks for your help. The LastLogon.vbs is exactly what I
am looking for.

Danny,
