Dead AD accounts

Hi,

I've been tasked with looking through our AD and finding any dead accounts. I'm wondering what you admins out there might suggest as software to find this out. I would prefer it to be something that can be used via a networked pc and not directly on our server. However if thats the only option...

Either showing accounts that have never logged in or havent for a long time.

Any suggestions please?

Many thanks

Amy

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

blargoe

There is an attribute on user accounts that will tell you the last the a user logged in, you will need something that can search on this attribute and report to you. I think dsquery from the 2003 resource kit would give you this info.

Personally I use a package called Hyena to graphically get information like this, it isn't designed specifically for that but you can view and search for users with certain attributes and manipulate the accounts from a GUI.

amyamandaallen

Thanks for the reply

I was looking for something for the more simple minded admin

faa067

You can try a VB script to retrieve the UserObject.PasswordLastChanged attribute and use it to determine the "freshness" of the user accounts.

You can refer to: http://support.microsoft.com/default.aspx/kb/323750

Francois

royal

Get a utility called ADJanitor. It'll search all of AD for accounts that are not being used anymore and let yo bulk disable/bulk move to a specific OU. Exactly what I use for these scenarios.
http://www.specopssoft.com/products/adjanitor/

mzgavc

dsquery user dc=*dcname*,dc=*dcsuffix* -inactive *number of weeks*

For example: dsquery user dc=google,dc.ca -inactive 4 > c:\adresults.txt

Will return anyone who has not logged in in 4 weeks place it in a text file at the root of your personal C:, and show you where they are located in AD. Have your boss outline criteria for a dead account * length of time *.

You can then pipe this through DSMOD to change attributes such as disabling the account, or DSMOVE to put them into a retired users container which disables users using a GPO.

Hope that helps.

EDIT: GUI AD Tools > Microsoft built in DS software any day.

amyamandaallen

hi,

that would probably do it but were on an windows 2000 AD for now until we upgrade later this year. Hence the clearout. I dont have DSQUERY as far as I know.

mzgavc

If you happen to have a copy of 2k3 server around you can install the administrative tools on your computer which will give you the DS* set of commands on your machine to run the queries.

If your 2000 servers are SP3 or higher you should be able to run the queries against your domain.

For the explanation of the SP3 requirement:

http://support.microsoft.com/kb/325465

To Download the 2k3 Server tools:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en

Hope this helps.

blargoe

It should be in the 2000 resource kit too. It might be installed on your domain controller