We have around 70 current employees, but 178 accounts in Active Directory. The prior administrators never removed old accounts, and sometimes they weren't even disabled.

As it is, I am considering manually reviewing each account to determine if it can be removed. Is there an easier way to remove accounts based on a condition? Such as, remove (or at least disable or flag in some way) users that haven't logged in within the last month or so?

Ryan Fisher
Jason Taylor

3 Answers

You can use dsquery to locate inactive users:

dsquery user -inactive 10 -limit 0

Should return all users inactive for 10 weeks or more.

From dsquery user /?

...
-inactive <NumWeeks>    Finds users that have been inactive
                        (not logged on) for at least <NumWeeks>
                        number of weeks.
...

You can pipe the output into dsrm if you want to remove the listings from the domain. Please note this will not bother prompting you so apply the appropriate amount of caution.

dsquery user -inactive 10 -limit 0 | dsrm -noprompt

See this somewhat related question: Removing old computers on a domain

jscott
  • Whoops, I guess I used the wrong search terms. Thank you! – Jason Taylor Mar 25 '10 at 15:24
  • @Jason: The process is essentially the same for users or computers. dsquery does offer options for each object type. Check "dsquery /?" for more details. – jscott Mar 25 '10 at 15:26
If you just run the dsquery in the context of a called batch file with more than one object selected from your dsquery, you'll get "dsmove failed (user) is an unknown parameter".

I have two batches (one for computer accounts and one for user accounts) that run monthly from Windows Scheduled Tasks. They have the following code:

For Computers:

    rem Runs from a batch file, hence %%s (a single % would be used at an interactive prompt).
    rem dsquery prints one quoted DN per line; "Tokens=*" keeps each whole line, spaces included.
    for /f "Tokens=*" %%s in ('dsquery computer -inactive 5 -limit 0') do (
        DSMOVE %%s -newparent "OU=Computers,OU=Quarantine,OU=MyOu,DC=MyDomain,DC=local"
    )

For Users:

    rem Same loop for user accounts, moved into their own quarantine OU.
    for /f "Tokens=*" %%s in ('dsquery user -inactive 5 -limit 0') do (
        DSMOVE %%s -newparent "OU=Users,OU=Quarantine,OU=MyOu,DC=MyDomain,DC=local"
    )

I have GPOs applied to those "Quarantine" OUs that have logon prompts to notify the user that the user account, or the computer account, is going to be deleted and to contact the Help Desk if they believe that is in error. The GPOs also do some lock down actions. Then I review the moved objects and manually delete them if I don't see any exceptions (like a user on a long vacation, or an offline but important server).

You can change the "do" dsmove to dsrm, if you want to skip the OU move and review.

See here: Active Directory Script: DSMOVE failed

Malnizzle

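The same sweep as jscott's dsquery one-liner and Malnizzle's quarantine batch, written with the Microsoft ActiveDirectory module so it can be dry-run and reviewed before anything moves. This is an added example, not code from any answer on this page. It assumes the RSAT ActiveDirectory module is installed, that the account running it may modify the accounts and OUs involved, and it reuses the placeholder quarantine OU path from the batch answer; the exclusion list and report path are my choices. One caveat worth knowing for either method: dsquery's -inactive and the module's LastLogonDate both come from lastLogonTimestamp, which domain controllers replicate only every 9 to 14 days by default, so a threshold shorter than two weeks is noise.

```powershell
# Added example, not code from any answer on this page. Requires the Microsoft
# ActiveDirectory module (RSAT) and rights to modify the accounts and target OU.
# $QuarantineOU reuses the placeholder path from the batch answer; substitute your own.
Import-Module ActiveDirectory

$InactiveWeeks = 10                                    # same threshold as the dsquery answer
$QuarantineOU  = 'OU=Users,OU=Quarantine,OU=MyOu,DC=MyDomain,DC=local'
$ReportPath    = "$env:TEMP\inactive-users-$(Get-Date -Format yyyyMMdd).csv"
$DryRun        = $true                                 # flip to $false once the report looks right
$NeverTouch    = @('Administrator', 'Guest', 'krbtgt') # built-ins stay out of the sweep

# LastLogonDate is derived from lastLogonTimestamp, which replicates only every
# 9-14 days by default, so any threshold under two weeks is noise; 10 weeks is safe.
$Cutoff = (Get-Date).AddDays(-7 * $InactiveWeeks)

# Only enabled accounts created before the cutoff: a brand-new account that has not
# logged on yet has no timestamp and must not be mistaken for an abandoned one.
$Candidates = Get-ADUser -Filter { Enabled -eq $true -and whenCreated -lt $Cutoff } `
                  -Properties LastLogonDate, whenCreated, servicePrincipalName, Description |
    Where-Object {
        ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff) -and
        $_.servicePrincipalName.Count -eq 0 -and              # an SPN means a service account; review by hand
        $_.SamAccountName -notin $NeverTouch -and
        $_.DistinguishedName -notlike "*,$QuarantineOU"       # already quarantined
    }

# Keep an audit trail of exactly what was selected and why, before anything changes.
$Candidates |
    Select-Object SamAccountName, Name, LastLogonDate, whenCreated, DistinguishedName |
    Sort-Object LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($Candidates.Count) candidate account(s); report written to $ReportPath"

foreach ($User in $Candidates) {
    $LastSeen = if ($User.LastLogonDate) { $User.LastLogonDate.ToString('yyyy-MM-dd') } else { 'never' }
    $Stamp    = "Quarantined $(Get-Date -Format yyyy-MM-dd); last logon $LastSeen; was in $($User.DistinguishedName)"

    # Stamp, disable, then move: the description records the original OU so an
    # exception (someone on long leave) can be put back, and the quarantine OU's
    # GPOs only apply once the object actually sits there. Every cmdlet honours
    # -WhatIf, so with $DryRun = $true this loop only reports what it would do.
    Set-ADUser        -Identity $User -Description $Stamp                      -WhatIf:$DryRun
    Disable-ADAccount -Identity $User                                          -WhatIf:$DryRun
    Move-ADObject     -Identity $User.DistinguishedName -TargetPath $QuarantineOU -WhatIf:$DryRun
}
```

Run it once with $DryRun left at $true, read the CSV, and only then rerun with $DryRun set to $false; the disable step means a quarantined account cannot be used even if the review slips, and unlike piping dsquery straight into dsrm -noprompt, nothing is deleted until you have looked at it.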
If you are a fan of PowerShell, I'd visit www.quest.com and use their suite of tools for Active Directory. They're free.

PowerShell Commands for Active Directory

The ActiveRoles Management Shell for Active Directory is a set of PowerShell commands that can be used to perform and automate administrative tasks like discovering the AD environment, changing user properties, modifying group membership, provisioning new user accounts, and performing multiple other tasks within Active Directory.

wbogacz