Windows Server 2000/2003 Thread, Find redundant AD accounts in Technical
18th March 2010, 09:26 AM #1
Find redundant AD accounts
Hi Y'all.
I have recently inherited a lovely job from many of my predecessors, of clearing all the accounts out of AD.
We currently use a lovely piece of software called User Management Resource Administrator (UMRA), to manage the Rolling on and off of Student accounts. And my bosses want this extending to the Staff.
My first stage in the data cleansing is to remove all the redundant accounts (this process being more urgent, as we are approaching UMRA's licence limit of 25000 AD objects).
What I want to do is audit all accounts in AD and find ones which have not been used in over 12 months.
Is there a "Last Authenticated" attribute that I can use (UMRA can audit AD/LDAP attributes)? My reason behind using last authenticated and not last logon is that I don't want to accidentally delete service accounts, as over the years, I am sure there will be ones that have not been documented and their removal will cause random systems to fall over.
Thanks in advance
-
19th March 2010, 10:34 AM #2
-
-
19th March 2010, 10:47 AM #3
Surely you will be able to see what is a service account and what is a user account from the name? True last login is all you will be able to do, I think.
Ben
-
-
19th March 2010, 11:09 AM #4
A simple way to do it would be to open AD, right click on 'Saved Queries' and then New Query.
In the window which opens up give it a name and then click 'Define Query'. In the box which opens up click the box next to 'Days Since Last Logon:'. You have a choice of 30, 60, 90, 120 or 180 days.
I'm afraid it doesn't go to 12 months but surely someone not using an account in 6 months is probably a dormant account.
Click ok, then run the query.
-
-
19th March 2010, 11:17 AM #5
Just looking at this again, you could probably then export the query to an xml file, edit the xml so it looks at 360 days and then import it back in as a new query.
-
-
19th March 2010, 11:34 AM #6
You could use DumpSec (Hyena Download Page) to quickly produce a report of who logged on where and when.
-
-
19th March 2010, 07:05 PM #7
Originally Posted by markberry:
A simple way to do it would be to open AD, right click on 'Saved Queries' and then New Query.
In the window which opens up give it a name and then click 'Define Query'. In the box which opens up click the box next to 'Days Since Last Logon:'. You have a choice of 30, 60, 90, 120 or 180 days.
I'm afraid it doesn't go to 12 months but surely someone not using an account in 6 months is probably a dormant account.
Click ok, then run the query.

Can I use the new query to find dormant computer accounts?
-
-
19th March 2010, 07:11 PM #8
It is a lot easier to go get and then use oldcmp
-
22nd March 2010, 07:36 AM #9
I used a program a few weeks ago to check the last logins of users!! For the life of me can't remember what it was called!! But I managed to remove over 400 old user accounts!!!
-
22nd March 2010, 08:19 AM #10
@comedydave:
Could this be of any use to you:
Active Directory Last Logon Tool
This could be what IanT was talking about?
-
22nd March 2010, 08:47 AM #11
Originally Posted by bossman

That's the one!!!
-
22nd March 2010, 11:19 AM #12
Thanks Guys, will give that a try.
Dovestones tools are on my list to trial in the future I think, as we are finding UMRA quite expensive. It is very powerful tho!
-
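An added example, not part of any post in this thread and not code from UMRA or the tools named above: the 12-month check the original question asks for, written against the replicated `lastLogonTimestamp` attribute. It assumes a domain at Windows Server 2003 functional level (where that attribute exists), records exported as dictionaries, and constructed account names; treating an account with a `servicePrincipalName` as a probable service account is also an assumption, used only to route it to manual review.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# AD only refreshes lastLogonTimestamp when the stored value is ~9-14 days old,
# so the window is widened by this slack to avoid flagging a recent logon as stale.
SYNC_SLACK_DAYS = 14

def to_filetime(dt):
    """UTC datetime -> FILETIME (100 ns ticks since 1601-01-01), AD's storage format."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def cutoff_ticks(now, days=365):
    return to_filetime(now - timedelta(days=days + SYNC_SLACK_DAYS))

def stale_filter(now, days=365):
    """LDAP filter for user accounts whose replicated last logon predates the window."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(lastLogonTimestamp<={cutoff_ticks(now, days)}))")

def classify(records, now, days=365):
    """Map sAMAccountName -> status for records exported from the directory."""
    cutoff, out = cutoff_ticks(now, days), {}
    for rec in records:
        raw = rec.get("lastLogonTimestamp")
        if raw is None or int(raw) == 0:
            status = "never-logged-on"   # attribute unset: the <= filter misses these
        elif int(raw) > cutoff:
            status = "in-use"
        elif rec.get("servicePrincipalName"):
            status = "stale-review-spn"  # assumption: an SPN suggests a service account
        else:
            status = "stale"
        out[rec["sAMAccountName"]] = status
    return out

# Constructed sample data (hypothetical accounts), relative to a constructed "today".
NOW = datetime(2010, 3, 22, tzinfo=timezone.utc)
def ago(days): return str(to_filetime(NOW - timedelta(days=days)))
SAMPLE = [
    {"sAMAccountName": "jsmith", "lastLogonTimestamp": ago(30)},
    {"sAMAccountName": "border", "lastLogonTimestamp": ago(370)},
    {"sAMAccountName": "leaver07", "lastLogonTimestamp": ago(500)},
    {"sAMAccountName": "svc_backup", "lastLogonTimestamp": ago(500),
     "servicePrincipalName": ["MSSQLSvc/db01.example.local:1433"]},
    {"sAMAccountName": "newstarter"},
]

if __name__ == "__main__":
    print(stale_filter(NOW))
    print(classify(SAMPLE, NOW))
```

Accounts that have never logged on carry no `lastLogonTimestamp`, so they need their own query, `(!(lastLogonTimestamp=*))`, and should be disabled for a period before deletion rather than removed outright.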