Dead AD accounts

amyamandaallen Member Posts: 316
Hi,

I've been tasked with looking through our AD and finding any dead accounts. I'm wondering what you admins out there might suggest as software to find this out. I would prefer it to be something that can be used via a networked PC and not directly on our server. However, if that's the only option...

Either showing accounts that have never logged in or haven't for a long time.

Any suggestions please? :D

Many thanks

Amy
Remember I.T. means In Theory ( it should works )

Comments

  • blargoe Member Posts: 4,174 ■■■■■■■■■□
    There is an attribute on user accounts that will tell you the last time a user logged in; you will need something that can search on this attribute and report to you. I think dsquery from the 2003 resource kit would give you this info.

    Personally I use a package called Hyena to graphically get information like this, it isn't designed specifically for that but you can view and search for users with certain attributes and manipulate the accounts from a GUI.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • amyamandaallen Member Posts: 316
    Thanks for the reply

    I was looking for something for the more simple minded admin :D
    Remember I.T. means In Theory ( it should works )
  • faa067 Member Posts: 3 ■□□□□□□□□□
    You can try a VB script to retrieve the UserObject.PasswordLastChanged attribute and use it to determine the "freshness" of the user accounts.

    You can refer to: http://support.microsoft.com/default.aspx/kb/323750

    Francois
  • royal Member Posts: 3,352 ■■■■□□□□□□
    Get a utility called ADJanitor. It'll search all of AD for accounts that are not being used anymore and let you bulk disable/bulk move to a specific OU. Exactly what I use for these scenarios.
    http://www.specopssoft.com/products/adjanitor/
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • mzgavc Member Posts: 75 ■■□□□□□□□□
    dsquery user dc=*dcname*,dc=*dcsuffix* -inactive *number of weeks*

    For example: dsquery user dc=google,dc=ca -inactive 4 > c:\adresults.txt

    Will return anyone who has not logged in in 4 weeks, place it in a text file at the root of your personal C:, and show you where they are located in AD. Have your boss outline criteria for a dead account * length of time *.

    You can then pipe this through DSMOD to change attributes such as disabling the account, or DSMOVE to put them into a retired users container which disables users using a GPO.

    Hope that helps.

    EDIT: GUI AD Tools > Microsoft built in DS software any day.
  • amyamandaallen Member Posts: 316
    hi,

    that would probably do it but we're on a Windows 2000 AD for now until we upgrade later this year. Hence the clearout. I don't have DSQUERY as far as I know.
    Remember I.T. means In Theory ( it should works )
  • mzgavc Member Posts: 75 ■■□□□□□□□□
    If you happen to have a copy of 2k3 server around you can install the administrative tools on your computer which will give you the DS* set of commands on your machine to run the queries.

    If your 2000 servers are SP3 or higher you should be able to run the queries against your domain.

    For the explanation of the SP3 requirement:

    http://support.microsoft.com/kb/325465

    To Download the 2k3 Server tools:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en

    Hope this helps.
  • blargoe Member Posts: 4,174 ■■■■■■■■■□
    It should be in the 2000 resource kit too. It might be installed on your domain controller.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
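
An added example, not part of any post in this thread: the lastLogon attribute is not replicated between domain controllers and is stored as a Windows FILETIME, so a report built from one DC can flag accounts that are in active use elsewhere. The sketch below merges per-DC exports and classifies accounts as never logged in or stale. The CSV layout, DC names, account names, dates and 90-day threshold are all constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(value):
    """lastLogon counts 100-ns intervals since 1601-01-01 UTC; 0 or empty means never."""
    ticks = int(value or 0)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def find_dead_accounts(exports, now, max_age_days):
    """exports maps DC name -> CSV text. Returns {account: "never" | "stale"}."""
    latest = {}
    for csv_text in exports.values():
        for row in csv.DictReader(io.StringIO(csv_text)):
            name = row["sAMAccountName"].lower()
            # lastLogon is per-DC: keep the newest value any DC has recorded.
            latest[name] = max(latest.get(name, 0), int(row["lastLogon"] or 0))
    cutoff = now - timedelta(days=max_age_days)
    dead = {}
    for name, ticks in sorted(latest.items()):
        when = filetime_to_datetime(ticks)
        if when is None:
            dead[name] = "never"
        elif when < cutoff:
            dead[name] = "stale"
    return dead

# Constructed sample exports (hypothetical DCs and accounts, one CSV per DC).
SAMPLE_EXPORTS = {
    "DC1": ("sAMAccountName,lastLogon\n"
            "alice,128120832000000000\n"    # 2007-01-01 on this DC
            "bob,128120832000000000\n"      # 2007-01-01
            "svc_old,0\n"
            "carol,128436192000000000\n"),  # 2008-01-01
    "DC2": ("sAMAccountName,lastLogon\n"
            "alice,128462976000000000\n"    # 2008-02-01, newer than DC1's value
            "bob,\n"
            "svc_old,0\n"),
}
NOW = datetime(2008, 3, 1, tzinfo=timezone.utc)  # constructed "today"

if __name__ == "__main__":
    for account, reason in find_dead_accounts(SAMPLE_EXPORTS, NOW, 90).items():
        print(f"{account}: {reason}")
```

Run against DC1's export alone, the same function also reports alice as stale, which is the false positive that merging all DCs avoids.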