Dead AD accounts
amyamandaallen
Member Posts: 316
in Off-Topic
Hi,
I've been tasked with looking through our AD and finding any dead accounts. I'm wondering what you admins out there might suggest as software to find this out. I would prefer it to be something that can be used via a networked PC and not directly on our server. However, if that's the only option...
Either showing accounts that have never logged in or haven't for a long time.
Any suggestions please?
Many thanks
Amy
Remember I.T. means In Theory ( it should works )
Comments
-
blargoe Member Posts: 4,174 ■■■■■■■■■□
There is an attribute on user accounts that will tell you the last time a user logged in; you will need something that can search on this attribute and report to you. I think dsquery from the 2003 resource kit would give you this info.
Personally I use a package called Hyena to graphically get information like this. It isn't designed specifically for that, but you can view and search for users with certain attributes and manipulate the accounts from a GUI.
IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
-
amyamandaallen Member Posts: 316
Thanks for the reply
I was looking for something for the more simple minded admin
-
faa067 Member Posts: 3 ■□□□□□□□□□
You can try a VB script to retrieve the UserObject.PasswordLastChanged attribute and use it to determine the "freshness" of the user accounts.
You can refer to: http://support.microsoft.com/default.aspx/kb/323750
Francois
-
royal Member Posts: 3,352 ■■■■□□□□□□
Get a utility called ADJanitor. It'll search all of AD for accounts that are not being used anymore and let you bulk disable/bulk move to a specific OU. Exactly what I use for these scenarios.
http://www.specopssoft.com/products/adjanitor/
“For success, attitude is equally as important as ability.” - Harry F. Banks
-
mzgavc Member Posts: 75 ■■□□□□□□□□
dsquery user dc=*dcname*,dc=*dcsuffix* -inactive *number of weeks*
For example: dsquery user dc=google,dc=ca -inactive 4 > c:\adresults.txt
Will return anyone who has not logged in in 4 weeks, place it in a text file at the root of your personal C:, and show you where they are located in AD. Have your boss outline criteria for a dead account * length of time *.
You can then pipe this through DSMOD to change attributes such as disabling the account, or DSMOVE to put them into a retired users container which disables users using a GPO.
Hope that helps.
EDIT: GUI AD Tools > Microsoft built in DS software any day.
-
amyamandaallen Member Posts: 316
Hi,
that would probably do it, but we're on a Windows 2000 AD for now until we upgrade later this year. Hence the clearout. I don't have DSQUERY as far as I know.
-
mzgavc Member Posts: 75 ■■□□□□□□□□
If you happen to have a copy of 2k3 server around you can install the administrative tools on your computer which will give you the DS* set of commands on your machine to run the queries.
If your 2000 servers are SP3 or higher you should be able to run the queries against your domain.
For the explanation of the SP3 requirement:
http://support.microsoft.com/kb/325465
To Download the 2k3 Server tools:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en
Hope this helps.
-
blargoe Member Posts: 4,174 ■■■■■■■■■□
It should be in the 2000 resource kit too. It might be installed on your domain controller.
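The check discussed in this thread (read each account's last-logon attribute and compare it with an agreed number of weeks, separating accounts that never logged in), as an added example that is not code from any poster. It assumes the attribute is lastLogon and that its values were already exported per domain controller into the constructed records below; the user and DC names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# AD keeps lastLogon as a FILETIME value:
# 100-nanosecond ticks since 1601-01-01 UTC; 0 means "never".
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ticks):
    """Convert a FILETIME integer to a UTC datetime (None if unset)."""
    ticks = int(ticks or 0)
    return EPOCH + timedelta(microseconds=ticks // 10) if ticks > 0 else None

def to_filetime(dt):
    """Inverse of from_filetime, used here only to build sample data."""
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def classify(accounts, now, max_weeks):
    """Map each account name to 'never', 'stale' or 'active'.

    lastLogon is not replicated between domain controllers, so each
    account carries one value per DC and the newest one wins.
    """
    cutoff = now - timedelta(weeks=max_weeks)
    report = {}
    for acct in accounts:
        logons = [from_filetime(t) for t in acct["lastLogon"].values()]
        logons = [d for d in logons if d is not None]
        if not logons:
            report[acct["name"]] = "never"
        elif max(logons) < cutoff:
            report[acct["name"]] = "stale"
        else:
            report[acct["name"]] = "active"
    return report

# Constructed sample export (hypothetical users and DC names).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "jsmith", "lastLogon": {"DC1": to_filetime(NOW - timedelta(weeks=30)),
                                     "DC2": to_filetime(NOW - timedelta(days=2))}},
    {"name": "olduser", "lastLogon": {"DC1": to_filetime(NOW - timedelta(weeks=9)),
                                      "DC2": 0}},
    {"name": "svc_unused", "lastLogon": {"DC1": 0, "DC2": 0}},
]

if __name__ == "__main__":
    for name, state in classify(SAMPLE, NOW, max_weeks=4).items():
        print(f"{name:12} {state}")
```

Reading only one domain controller would report jsmith as 30 weeks idle; taking the newest value across DCs avoids disabling an account that is still in use.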