I'm trying to weed out inactive accounts, and have discovered that the majority of accounts have been inactive since before our domain functional level was raised to 2003. The lastLogonTimestamp attribute is <Not Set> on all of these accounts, and DSQuery User -inactive # will not return them.

How can I find these inactive accounts?

If I retrieve a list of accounts with the lastLogonTimestamp <Not Set>, will the list be a reliable indicator of a dead account?

rtf

2 Answers

This is from my phone, so forgive me if there are slight syntax errors:

Get-ADUser -Filter {-not (lastLogonTimestamp -like "*")} -Properties lastLogonTimestamp

Should kick back what you're looking for. Having a null value for LastLogonTimestamp means that the account has not logged on since the DFL was raised, so this is a reliable way to search for them, as you seem to have already figured out.

You should also be able to use the Saved Queries feature of ADUC to search for this, though I'm not sure of the exact syntax you'd need to search for a null attribute - I much prefer PowerShell.

MDMarra
    LDAP query is `(&(&(objectClass=user)(objectCategory=person)(!lastlogontimestamp=*)))`. No PowerShell on this 2003 DC and I didn't want to reboot it. Thanks for pointing me in the right direction. – rtf Jan 24 '13 at 00:13
OldCmp works off the lastLogonTimeStamp but can also work off of pwdLastSet, so if you have users that haven't set their password in forever (and assuming you require password changes), that might work (edit) to validate your query or the one that MDMarra is recommending.

TheCleaner
  • Unfortunately pwdLastSet will probably be the same as createTimeStamp on my domain. Like the idea though; worth comparing against the other query. – rtf Jan 24 '13 at 00:13
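The following is an added example, not code from either answer, that combines the LDAP filter from rtf's comment with the pwdLastSet cross-check TheCleaner suggests. It runs from any workstation with the RSAT ActiveDirectory module (so it does not need PowerShell on the 2003 DC), and it assumes a placeholder value for $DflRaisedOn, the date the functional level was raised, so that accounts created after that date which simply never logged on are not confused with pre-2003 leftovers.

```powershell
# Added example: list enabled users with no lastLogonTimestamp and cross-check
# pwdLastSet and whenCreated before treating any of them as dead accounts.
Import-Module ActiveDirectory

$DflRaisedOn = Get-Date '2008-01-01'   # PLACEHOLDER: set to the date your DFL was raised to 2003
$StaleDays   = 180                     # password age beyond which we call it "not changed in forever"

# Same LDAP filter as rtf's comment: user objects whose lastLogonTimestamp is not set.
$ldap = '(&(objectClass=user)(objectCategory=person)(!lastLogonTimestamp=*))'

$report = Get-ADUser -LDAPFilter $ldap -Properties pwdLastSet, whenCreated |
    ForEach-Object {
        # pwdLastSet is a FILETIME; 0 means the password was never set / must change at next logon.
        $pwdSet = if ($_.pwdLastSet -gt 0) { [DateTime]::FromFileTime($_.pwdLastSet) } else { $null }

        # Created before the DFL raise and never stamped since: inactive since at least that date.
        # Created after the raise with no stamp at all: provisioned but never used.
        $reason = if ($_.whenCreated -lt $DflRaisedOn) { 'NoLogonSinceDflRaise' } else { 'NeverLoggedOn' }

        # pwdLastSet unset or older than the threshold strengthens the "dead account" verdict.
        $pwdStale = ($null -eq $pwdSet) -or ($pwdSet -lt (Get-Date).AddDays(-$StaleDays))

        # pwdLastSet within a few minutes of creation (rtf's observation) means the
        # password was only ever set at provisioning time, so it adds no new evidence.
        $pwdNeverChanged = $pwdSet -and ([Math]::Abs(($pwdSet - $_.whenCreated).TotalMinutes) -lt 5)

        [PSCustomObject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            WhenCreated     = $_.whenCreated
            PwdLastSet      = $pwdSet
            PwdStale        = $pwdStale
            PwdNeverChanged = $pwdNeverChanged
            Reason          = $reason
        }
    }

# Review the candidates before disabling anything; keep the CSV for sign-off.
$report | Sort-Object WhenCreated | Format-Table -AutoSize
$report | Export-Csv -Path .\inactive-candidates.csv -NoTypeInformation
```

Because lastLogonTimestamp replicates only every 9 to 14 days, a recently used account can still show an old or missing stamp, so disable rather than delete on the first pass.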