Re: How to generate a report of inactive domain user accounts

From: Tony Gordon (tony.gordon@hewitt.com)
Date: 04/12/03

    To: Brian E <brian_anon@hotmail.com>
    From: "Tony Gordon" <tony.gordon@hewitt.com>
    Date: Fri, 11 Apr 2003 17:00:43 -0500
    
    

    It might be easier to key off of lastpasswordchange than last logon time,
    especially taking into account your other requirement (only deal with
    accounts that have expiring pwd). I think this attribute is replicated
    across DC's while last logon is specific to each DC.

    Thank you, Tony.
    Tony Gordon, Windows 2000 MCSE
    tony.gordon@hewitt.com
    Windows Server Infrastructure
    Phone: 847.295.5000 x14534
    Fax: 847.295.8877
    Hewitt Associates

    Brian E <brian_anon@hotmail.com>
    04/11/2003 06:55 AM

     
            To: focus-ms@securityfocus.com
            cc:
            Subject: How to generate a report of inactive domain user accounts

    Can anyone provide some suggestions or list of tools available to generate
    a report of inactive domain user accounts within an OU?

    We're using Active Directory with Windows 2000 and have OU's defined for
    different groups of users. I'd like to generate the report by OU.

    We also have multiple domain controllers (I've had issues with "last true
    logon" in the past). I would like a list of users who have not logged in
    within X days (preferably 90 days, but I'd like to modify this threshold).

    Criteria for an inactive account:

    -Not logged on for X days (X will be provided at time of generating the
    report)
    -Not disabled
    -Password is set to expire

    Regards,
    Brian

    brian_anon@hotmail.com
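
The report logic discussed in this thread, as an added example that is not part of the original messages: it merges the per-DC `lastLogon` values, applies the three criteria from the question, and can key off `pwdLastSet` instead. It assumes the reply's "lastpasswordchange" means the `pwdLastSet` attribute; the row layout, OU and account names are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002       # userAccountControl bit: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires

def from_filetime(ticks):
    """lastLogon/pwdLastSet count 100-ns ticks since 1601-01-01 UTC; 0 = no timestamp."""
    return None if ticks == 0 else EPOCH_1601 + timedelta(microseconds=ticks // 10)

def to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def inactive_accounts(rows, ou, now, days, key="lastLogon"):
    """rows: one dict per (DC, user), e.g. parsed from an export taken on each DC.
    lastLogon differs per DC, so the newest value across all DCs is kept."""
    merged = {}
    for row in rows:
        if not row["dn"].lower().endswith("," + ou.lower()):
            continue                                  # report is per OU
        user = merged.setdefault(row["dn"], {"uac": row["uac"], "stamp": 0})
        user["stamp"] = max(user["stamp"], row[key])
    cutoff = now - timedelta(days=days)
    report = []
    for dn, user in sorted(merged.items()):
        if user["uac"] & (UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD):
            continue                                  # disabled, or password never expires
        stamp = from_filetime(user["stamp"])
        if stamp is None or stamp < cutoff:
            report.append(dn)
    return report

# Constructed sample data: two DCs, hypothetical OU and account names.
NOW = datetime(2003, 4, 11, tzinfo=timezone.utc)
OU = "OU=Sales,DC=example,DC=com"

def _row(dc, cn, uac, logon_days, pwd_days, ou=OU):
    ago = lambda d: 0 if d is None else to_filetime(NOW - timedelta(days=d))
    return {"dc": dc, "dn": f"CN={cn},{ou}", "uac": uac,
            "lastLogon": ago(logon_days), "pwdLastSet": ago(pwd_days)}

SAMPLE = [
    _row("DC1", "alice", 0x200, 200, 30), _row("DC2", "alice", 0x200, 5, 30),
    _row("DC1", "bob", 0x200, 120, 150), _row("DC2", "bob", 0x200, None, 150),
    _row("DC1", "carol", 0x202, 300, 300),         # disabled
    _row("DC1", "svc-backup", 0x10200, 300, 300),  # password never expires
    _row("DC1", "dave", 0x200, 300, 300, ou="OU=HR,DC=example,DC=com"),
]

if __name__ == "__main__": print(inactive_accounts(SAMPLE, OU, NOW, 90))
```

With only DC1's rows, alice is reported as inactive on `lastLogon` even though she logged on to DC2 five days earlier; keyed on `pwdLastSet`, a single DC's data gives the same answer as the merged set.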


