JSI Tip 7358. How can I report all inactive user accounts, and optionally disable them?
October 21, 2003
NOTE: The tip has been superseded by "How can I report all inactive user accounts, and optionally disable them, even if I have multiple domain controllers?"
Using DSQUERY, DSGET, and DSMOD (See DSADD for parameters), I have scripted Inactive.bat to report on all user accounts that have been inactive a specified number of weeks, and optionally set them to disabled. The user accounts must have a last name.
The syntax for using Inactive.bat is:
Inactive weeks [/D]
where weeks is the number of weeks since the user last logged onto the domain, a number from 0 through 999, and /D is an optional parameter that will cause all reported inactive user accounts to be disabled.
NOTE: If weeks is 0, no user accounts will be disabled.
NOTE: Inactive.bat creates an Inactive.txt file in the current directory.
NOTE: The lastLogin attribute is only replicated to Windows Server 2003 DCs, so if you have any Windows 2000 DCs, you will have to modify the script to run on each of them.
Inactive.bat contains:
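@echo off
rem Require the weeks argument; the only accepted second argument is /D.
if {%1}=={} @echo syntax: Inactive weeks /D&goto :EOF
if not {%2}=={} if /i {%2} NEQ {/D} @echo syntax: Inactive weeks /D&goto :EOF
setlocal
rem Prefix 1000 and take the remainder mod 1000 so leading zeros are not read as octal.
set /a weeks=1000%1%%1000
set Disable=N
if not {%2}=={} set Disable=%2
if exist Inactive.txt del /q Inactive.txt
rem Process every user that dsquery reports as inactive for at least %weeks% weeks.
for /f "Tokens=*" %%u in ('dsquery user domainroot -inactive %weeks% -limit 0') do set UDN=%%u&call :ina
endlocal
goto :EOF
:ina
rem Read the last name; # marks the end of the value so trailing spaces can be stripped.
set LN=
for /f "Skip=1 Tokens=*" %%i in ('dsget user %UDN% -ln') do if /i "%%i" NEQ "dsget succeeded" set LN=%%i#
set LN=%LN: #=%
set LN=%LN: #=%
set LN=%LN:#=%
rem Accounts without a last name are skipped.
if {%LN%} EQU {} goto :EOF
if /i "%Disable%" NEQ "/D" goto report
if %weeks% EQU 0 goto report
call :disa>nul 2>&1
if %ERRORLEVEL% EQU 0 goto report
@echo %UDN% failed to disable.>>Inactive.txt
goto :EOF
:report
@echo %UDN%>>Inactive.txt
goto :EOF
:disa
dsmod user %UDN% -disabled yes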
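The note above says the script has to be run against each DC when last-logon data is not replicated. The following is an added example, not part of the original tip, that merges the resulting reports so only accounts listed by every DC are treated as inactive. It assumes one Inactive.txt body was saved per DC; the DC names and DNs are constructed samples, and the helper names are hypothetical.

```python
# Added example: merge per-DC Inactive.txt reports (sample contents are constructed).
FAILED_SUFFIX = " failed to disable."

def parse_report(text):
    """Return {lowercased_dn: original_dn} for one Inactive.txt body."""
    dns = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Inactive.bat appends this suffix when dsmod returned an error.
        if line.endswith(FAILED_SUFFIX):
            line = line[: -len(FAILED_SUFFIX)]
        dn = line.strip().strip('"')
        # DNs compare case-insensitively; keep the first spelling seen.
        dns.setdefault(dn.lower(), dn)
    return dns

def inactive_everywhere(reports):
    """reports: {dc_name: report_text}. Return (confirmed, partial).
    confirmed: DNs listed by every DC.
    partial: {dn: [DCs that did not list it]}, i.e. a recent logon
    was recorded on those DCs, so the account is still in use."""
    parsed = {dc: parse_report(text) for dc, text in reports.items()}
    spelling = {}
    for dns in parsed.values():
        for key, dn in dns.items():
            spelling.setdefault(key, dn)
    confirmed, partial = [], {}
    for key in sorted(spelling):
        missing = sorted(dc for dc, dns in parsed.items() if key not in dns)
        if missing:
            partial[spelling[key]] = missing
        else:
            confirmed.append(spelling[key])
    return confirmed, partial

# Constructed sample reports from two hypothetical DCs.
SAMPLE = {
    "DC1": '"CN=Ann Lee,CN=Users,DC=example,DC=com"\n'
           '"CN=Bob Ray,OU=Sales,DC=example,DC=com"\n',
    "DC2": '"cn=ann lee,CN=Users,DC=example,DC=com"\n'
           '"CN=Cy Dunn,CN=Users,DC=example,DC=com" failed to disable.\n',
}

if __name__ == "__main__":
    confirmed, partial = inactive_everywhere(SAMPLE)
    print("inactive on every DC:", confirmed)
    print("active on some DC:", partial)
```

Running the per-DC reports without /D and disabling only the confirmed list avoids disabling an account that is still logging on through a different DC.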