RE: Expire accounts from Active Directory after a period of inactivity

From: Nero, Nick (Nick.Nero@disney.com)
Date: 03/21/03

    Date: Fri, 21 Mar 2003 16:23:25 -0500
    From: "Nero, Nick" <Nick.Nero@disney.com>
    To: "Clark, Andre M." <Andre.Clark@aoltw.com>, "Matt Grogan" <mattgrogan@bnbbank.com>, <focus-ms@securityfocus.com>
    
    

    The VBScript for that would be painfully easy. Query AD in the OU with
    your user groups for all accounts that have been inactive for 30 or more
    days, then you can simply disable them with a similar ADSI method.

    It does seem better though to store the output to a SQL database. If
    you have a large AD tree (we have 70,000 user accounts!) querying it can
    really be torturous to your DCs. Query it once a month or once a week
    on Sat. night and then query the database more frequently.
     
    -----Original Message-----
    From: Clark, Andre M. [mailto:Andre.Clark@aoltw.com]
    Sent: Thursday, March 20, 2003 6:40 PM
    To: Matt Grogan; focus-ms@securityfocus.com

    Matt,

    I haven't seen anything native in AD to do this but there are great AD
    delegation/enhancement tools that can do it (i.e. NetIQ's Directory and
    Resource Administrator). Your other option, and this would depend on
    your scripting expertise, would be to write either a VBS or Perl script
    that could accomplish this task.

    -----Original Message-----
    From: Matt Grogan [mailto:mattgrogan@bnbbank.com]
    Sent: Thursday, March 20, 2003 10:06
    To: focus-ms@securityfocus.com
    Subject: Expire accounts from Active Directory after a period of
    inactivity

    Hi,

    I'm just wondering if anyone knows of a way to have Active Directory
    accounts automatically disable if the account has not been logged onto
    for a specified period of time (say 30 days).

    Thank you.
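
The approach described in the reply at the top of this thread (one query scoped to an OU, results stored, inactive accounts then disabled), written out in PowerShell as an added example that is not part of the thread. The OU, the snapshot path and the CSV file standing in for the SQL database are placeholders, and the 14-day margin is an assumption based on the default interval at which lastLogonTimestamp is refreshed and replicated.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and a domain that
# maintains lastLogonTimestamp (Windows Server 2003 functional level or later).
Import-Module ActiveDirectory

$SearchBase   = 'OU=Staff,DC=example,DC=com'      # placeholder OU
$Snapshot     = 'C:\Reports\inactive-users.csv'   # placeholder path
$InactiveDays = 30
$SyncLagDays  = 14   # stored value can trail the real last logon by this much
$cutoff = (Get-Date).ToUniversalTime().AddDays(-($InactiveDays + $SyncLagDays))

# One query against the directory: enabled users under the target OU only.
$users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
    -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated

$stale = foreach ($u in $users) {
    # lastLogonTimestamp is a FILETIME. Empty means no logon was recorded,
    # so fall back to the creation date to spare newly provisioned accounts.
    $last = if ($u.lastLogonTimestamp) {
        [DateTime]::FromFileTimeUtc($u.lastLogonTimestamp)
    } else {
        $u.whenCreated.ToUniversalTime()
    }
    if ($last -lt $cutoff) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
            LastSeenUtc       = $last
        }
    }
}

# Store the result so later reporting reads the snapshot, not the DCs.
$stale | Export-Csv -Path $Snapshot -NoTypeInformation

# Dry run: -WhatIf prints what would be disabled without changing anything.
Import-Csv -Path $Snapshot | ForEach-Object {
    Disable-ADAccount -Identity $_.DistinguishedName -WhatIf
}
```

Review the snapshot for service and break-glass accounts before removing `-WhatIf`.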
