Need a way to automatically identify and disable accounts after 90 days of inactivity. The environment is Windows Server 2008 and Active Directory is not used. I find scripts for doing this when AD is used, but nothing otherwise.
- Do you simply mean local/builtin user accounts on the server? – Univ426 Jun 13 '12 at 21:46
- How many servers? – tony roth Jun 13 '12 at 22:11
- How about looking at the profile file ntuser.dat and checking the date on it? I think that may be the only way. – tony roth Jun 13 '12 at 22:16
- @tonyroth Users can still authenticate (shares, etc.) without touching their ntuser.dat file. – Hyppy Jun 13 '12 at 22:17
- Yep, if they are not logging in locally you are correct. – tony roth Jun 13 '12 at 22:18
- Ah, but those users will need to log in locally somewhere, right? – tony roth Jun 13 '12 at 22:18
2 Answers
There is no built-in mechanism to do this with local accounts.
If I wanted to do something like this without using AD, I would build some kind of script to check for the user popping up in the security event log in the last 90 days.

Hyppy
There is a PowerShell module in the TechNet repository for local user mgmt. I have not worked with it, but it appears to do what you need. It can be found here: http://gallery.technet.microsoft.com/scriptcenter/Local-Account-Management-a777191b.
This snippet might get you started:
```powershell
get-localuser mypc\greg | select name,lastlogin

Name LastLogin
---- ---------
Greg 6/13/2012 6:35:56 PM
```

uSlackr
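Building on the LastLogin value shown in the answer above, here is an added example (not code from either answer or from the TechNet module) that reads each local account's LastLogin through the built-in ADSI WinNT provider and sets the account-disabled flag on accounts idle longer than the threshold. The parameter names, the exclusion list and the choice to only report never-used accounts are assumptions; it assumes PowerShell 2.0 or later in an elevated session, and it only reports unless `-Disable` is given.

```powershell
# Added example: report (and optionally disable) local accounts idle for N days.
# Parameter names and the exclusion list are assumptions, not from the page.
param(
    [int]$MaxIdleDays = 90,
    [string[]]$Exclude = @('Administrator'),  # accounts that must never be disabled
    [switch]$Disable                          # report-only unless this is given
)

$ADS_UF_ACCOUNTDISABLE = 0x2                  # bit in UserFlags that disables an account
$cutoff   = (Get-Date).AddDays(-$MaxIdleDays)
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"

$computer.Children | Where-Object { $_.SchemaClassName -eq 'User' } | ForEach-Object {
    $user      = $_
    $name      = [string]$user.Name
    $flags     = [int]$user.UserFlags.Value
    $lastLogin = $user.LastLogin.Value        # $null when the account has never logged on

    if ($flags -band $ADS_UF_ACCOUNTDISABLE) { $status = 'AlreadyDisabled' }
    elseif ($Exclude -contains $name)        { $status = 'Excluded' }
    elseif (-not $lastLogin)                 { $status = 'NeverLoggedOn' }  # left for manual review
    elseif ($lastLogin -ge $cutoff)          { $status = 'Active' }
    else {
        $status = 'Stale'
        if ($Disable) {
            $user.UserFlags.Value = $flags -bor $ADS_UF_ACCOUNTDISABLE
            $user.SetInfo()                   # commit the change to the local SAM
            $status = 'Disabled'
        }
    }

    # One row per account so the result can be logged or exported.
    New-Object PSObject -Property @{ Name = $name; LastLogin = $lastLogin; Status = $status } |
        Select-Object Name, LastLogin, Status
}
```

A first run without `-Disable` shows which accounts would be affected; service accounts that never log on interactively belong in the exclusion list before the script is scheduled.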