A. Recently, I had a client who had an organizational unit (OU) that served as a temporary holding container for recently created user accounts. Ideally, the OU shouldn't hold accounts for more than one month. Over time, the OU had accumulated more than 50,000 accounts, and the client wanted to delete from it all accounts older than 60 days.
I used a two-phase approach to meet the client's request. First, I created a text file (userlist.txt) to hold a list of all the accounts older than 60 days. The entries in the file are the distinguished names (DNs) of objects. Then, I wrote the listusersolder.vbs script, which used the information in that file to output the list of accounts that are more than 60 days old. I used another script, which I provide in the FAQ "How can I delete from Active Directory (AD) user accounts that are listed in a file?" (FAQ), to delete all accounts in the file. You can download listusersolder.vbs at Code. Save the script as listusersolder.vbs. Remember to modify the script to include information specific to your installation.
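    'listusersolder.vbs
    ' John Savill 19 August 2004
    Option Explicit

    Dim strFilePath, strLdapPath, strDate, objFSO, objFile, objConnection, objChild, dtmCreate, selectedDate

    ' Check that all required arguments have been passed
    ' (container DN, older-than date, output file).
    If Wscript.Arguments.Count < 3 Then
        Wscript.Echo "Container, date and output file arguments are required. " & _
            "For example:" & vbCrLf & _
            "cscript listusersolder.vbs ou=test,dc=demo,dc=test 6/10/2004 c:\temp\UserList.txt"
        Wscript.Quit(0)
    End If

    strLdapPath = Wscript.Arguments(0)
    strDate = Wscript.Arguments(1)
    ' DateValue parses the date using the locale of the account running the script.
    selectedDate = DateValue(strDate)
    strFilePath = Wscript.Arguments(2)

    Set objFSO = CreateObject("Scripting.FileSystemObject")

    ' Open the file for write access (2 = ForWriting, True = create if missing, 0 = ASCII).
    On Error Resume Next
    Set objFile = objFSO.OpenTextFile(strFilePath, 2, True, 0)
    If Err.Number <> 0 Then
        On Error GoTo 0
        Wscript.Echo "File " & strFilePath & " cannot be opened"
        Wscript.Quit(1)
    End If
    On Error GoTo 0

    ' Bind to the container and enumerate only user objects.
    Set objConnection = GetObject("LDAP://" & strLdapPath)
    objConnection.Filter = Array("user")

    For Each objChild In objConnection
        ' createTimeStamp is an operational attribute, so load it explicitly.
        objChild.GetInfoEx Array("createTimeStamp"), 0
        dtmCreate = objChild.Get("createTimeStamp")
        ' The rest of the loop is reconstructed from the sample output shown below:
        ' flag older accounts with * and write "DN|creation time" to the file.
        If dtmCreate < selectedDate Then
            Wscript.Echo objChild.Name & " " & dtmCreate & " *"
            ' Strip the "LDAP://" prefix from the ADsPath to get the DN.
            objFile.WriteLine Mid(objChild.ADsPath, Len("LDAP://") + 1) & "|" & dtmCreate
        Else
            Wscript.Echo objChild.Name & " " & dtmCreate
        End If
    Next

    objFile.Close
    Wscript.Echo "Operation Completed"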
To run listusersolder.vbs, you pass it the name of a root-level container to check for accounts older than the date passed, an "older-than" date, and the name of a file to output the old accounts to, as the following sample command shows:

    cscript listusersolder.vbs ou=testing,dc=demo,dc=local 6/10/2004 c:\temp\list.txt
You'll see output on screen that's similar to this:

    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    CN=Barry Allen 6/2/2004 10:59:32 PM *
    CN=Bruce Wayne 6/11/2004 6:30:40 PM
    CN=Clark Kent 6/2/2004 10:55:14 PM *
    CN=DeleteMe 8/19/2004 4:02:04 PM
    Operation Completed
Notice that any account that was created before 6/10/2004 has an asterisk (*) next to it. The contents of the list.txt file look like the following:

    CN=Barry Allen,OU=testing,DC=demo,DC=local|6/2/2004 10:59:32 PM
    CN=Clark Kent,OU=testing,DC=demo,DC=local|6/2/2004 10:55:14 PM
In the text file, a pipe character (|) separates the account and its creation time.
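Because list.txt feeds a bulk deletion, it is worth checking that every entry really sits under the intended OU and predates the cutoff before deleting anything. The following is an added example, not part of the original FAQ or its scripts; the function names, the extra sample lines and the assumption that timestamps use the US 12-hour format shown above are mine.

```python
import re
from datetime import datetime

# Split a DN on commas that are not preceded by a backslash escape.
_RDN_SPLIT = re.compile(r"(?<!\\),")

def split_dn(dn):
    """Return the DN's RDNs, normalised for case-insensitive comparison."""
    return [rdn.strip().lower() for rdn in _RDN_SPLIT.split(dn)]

def parse_line(line):
    """Parse one 'DN|creation time' line as written by listusersolder.vbs."""
    dn, sep, stamp = line.rstrip("\r\n").rpartition("|")
    if not sep or not dn:
        raise ValueError("no DN|timestamp separator: %r" % line)
    # Assumption: timestamps use the US format shown in the article.
    return dn, datetime.strptime(stamp.strip(), "%m/%d/%Y %I:%M:%S %p")

def check_list(lines, base_dn, cutoff):
    """Split entries into (safe_to_delete, rejected) lists."""
    base = split_dn(base_dn)
    ok, rejected = [], []
    for line in lines:
        if not line.strip():
            continue
        try:
            dn, created = parse_line(line)
        except ValueError as exc:
            rejected.append((line.strip(), str(exc)))
            continue
        rdns = split_dn(dn)
        # Compare whole RDNs so an escaped comma cannot fake the OU suffix.
        if len(rdns) <= len(base) or rdns[-len(base):] != base:
            rejected.append((dn, "outside " + base_dn))
        elif created >= cutoff:
            rejected.append((dn, "created on or after cutoff"))
        else:
            ok.append(dn)
    return ok, rejected

# Constructed sample input: the first two lines come from the article's list.txt.
SAMPLE = [
    "CN=Barry Allen,OU=testing,DC=demo,DC=local|6/2/2004 10:59:32 PM",
    "CN=Clark Kent,OU=testing,DC=demo,DC=local|6/2/2004 10:55:14 PM",
    "CN=Kent\\, Clark,OU=testing,DC=demo,DC=local|6/1/2004 9:00:00 AM",
    "CN=Admin,OU=staff,DC=demo,DC=local|1/5/2004 8:00:00 AM",
    "CN=Bruce Wayne,OU=testing,DC=demo,DC=local|6/11/2004 6:30:40 PM",
]
if __name__ == "__main__":
    print(check_list(SAMPLE, "ou=testing,dc=demo,dc=local", datetime(2004, 6, 10)))
```

Only the entries returned in the first list should be passed on to the deletion step; anything in the second list needs a manual look.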