Danny
Define "used". If this includes being used as credentials to acquire some
resource (i.e. mapping a share) under someone's credentials, or being used
as a service account, that might be difficult.
If you just mean used to log into the network, you would have to enquire of
each domain controller when the user last logged in. If you only want an
approximation, and if you have a policy that requires the password to be
changed periodically, you could look at the last password change date, and
would only need to get this from a single domain controller.
/Al
> Is there a way to get a list of accounts that have not
> been used in xdays.
Hi,
First, Joe Richards has a new tool called OLDCMP on his web site on the free
Win32 tools page:
It reports and disables old computer accounts based on the password age of
the account.
If you need a scripting solution, I have a sample VBScript program that
outputs all users in the domain and the date their password was last set.
The program is linked on this page:
http://www.rlmueller.net/PwdLastChanged.htm
The output text file can be imported into a spreadsheet for analysis. This
program can be modified to report on computers instead of users. The change
is documented in the code. You would replace the following statements:
' Filter to retrieve all user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"
with this:
' Filter to retrieve all computer objects.
strFilter = "(objectCategory=computer)"
By default, computer passwords are changed by the system every 30 days (some
documentation says 7 days, but I see 30 days in my domain). If a computer
object last had its password changed 100 days ago, you know it has not been
on the network for at least 70 days.
If you are asking about user accounts, and you have users that are not
required to change their password, you have to use the lastLogon attribute
to find inactive accounts. This is similar to the pwdLastSet attribute used
by the program above, except that this attribute is not replicated. For each
user (and computer), a different value is stored on each Domain Controller
(DC) in the domain (unless your domain is at W2k3 functional level). To
determine the lastLogon date for each user, you must query every DC in the
domain. This can take a while in a large network. I have a sample VBScript
program to report the lastLogon date for every user in the domain linked on
this page:
http://www.rlmueller.net/Last%20Logon.htm
Again, the output can be imported into a spreadsheet. The program uses ADO
to retrieve all the information from each DC in one operation, without the
need to bind to each user object. This makes the program much faster than
other scripting techniques.
--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
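An added example (my own code, not Richard's script or anything from the pages he links) that applies the logic above to constructed per-DC query results: it takes the newest lastLogon across DCs, converts the 100-nanosecond AD timestamps, and applies the 30-day computer-password rule. The DC names, accounts and dates are assumptions for the sample.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet and lastLogon are large integers: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def filetime_to_datetime(ticks):
    """Convert an AD timestamp to UTC; 0 means 'never' and returns None."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(seconds=ticks / TICKS_PER_SECOND)

def datetime_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample below."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND

def merge_last_logon(per_dc_results):
    """lastLogon is not replicated, so each DC holds its own value per account.
    The true last logon is the newest value found on any DC."""
    merged = {}
    for rows in per_dc_results.values():
        for account, ticks in rows.items():
            merged[account] = max(merged.get(account, 0), ticks)
    return merged

def inactive_accounts(merged, threshold_days, now):
    """Accounts whose newest lastLogon is older than threshold_days, or who
    have never logged on at any DC (all values 0)."""
    cutoff = now - timedelta(days=threshold_days)
    return [a for a, t in sorted(merged.items())
            if filetime_to_datetime(t) is None or filetime_to_datetime(t) < cutoff]

def computer_min_days_offline(pwd_last_set_ticks, now, rotation_days=30):
    """Computers rotate their password every rotation_days, so an account whose
    password age is N days has been off the network at least N - rotation days."""
    age = (now - filetime_to_datetime(pwd_last_set_ticks)).days
    return max(0, age - rotation_days)

# Constructed sample data: two DCs with divergent lastLogon values (assumed names).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _ago(days):
    return datetime_to_filetime(NOW - timedelta(days=days))
SAMPLE_PER_DC = {
    "DC1": {"alice": _ago(120), "bob": _ago(5),   "carol": 0},
    "DC2": {"alice": _ago(10),  "bob": _ago(200), "carol": 0},
}

if __name__ == "__main__":
    merged = merge_last_logon(SAMPLE_PER_DC)
    print("inactive > 90 days:", inactive_accounts(merged, 90, NOW))
    print("PC offline at least:", computer_min_days_offline(_ago(100), NOW), "days")
```

Querying only DC1 would wrongly flag alice as inactive; merging across DCs is what the lastLogon approach in the post requires.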