Find redundant AD accounts

Printable View

18th March 2010, 09:26 AM
comedydave

Find redundant AD accounts

Hi Y'all.
I have recently inherited a lovely job from many of my predecessors, of clearing all the accounts out of AD.
We currently use a lovely piece of software called User Management Resource Administrator (UMRA), to manage the Rolling on and off of Student accounts. And my bosses want this extending to the Staff.
My first stage in the data cleansing is to remove all the reduntant accounts (this process being more urgent, as we are approaching UMRA's licence limit of 25000 AD objects).

What I want to do, is audit all accounts in AD and find ones which have not been used in over 12 months?
Is there a "Last Authenticated" attribute that I can use (UMRA can audit AD/LDAP attributes). My reason behind using last authenticated and not last logon, is that I don't want to accidentally delete service accounts, as over the years, I am sure there will be ones that have not been documented and thier removal will cause random systems to fall over.

Thanks in advance :cool:
19th March 2010, 10:34 AM
comedydave

*bump*
19th March 2010, 10:47 AM
plexer

Surely you will be able to see what is a service account and what is a user account from the name? true last login is all you will be able to do I think.

Ben
19th March 2010, 11:09 AM
markberry

A simple way to do it would be to open AD, right click on 'Saved Queries' and then New Query.

In the window which opens up give it a name and then click 'Define Query'. In the box which opens up click the box next to 'Days Since Last Logon:'. You have a choice of 30, 60, 90, 120 or 180 days.

I'm affraid it doesn't go to 12 months but surely someone not using an account in 6 months is probably a dormant account.

Click ok, then run the query.
19th March 2010, 11:17 AM
markberry

Just looking at this again, you could probably then export the query to an xml file, edit the xml so it looks at 360 days and then import it back in as a new query.
19th March 2010, 11:34 AM
DaveP

You could use DumpSec (Hyena Download Page) to produce a quickly produce a report of who logged on where and when.
19th March 2010, 07:05 PM
ranj

Quote:

Originally Posted by markberry

A simple way to do it would be to open AD, right click on 'Saved Queries' and then New Query.

In the window which opens up give it a name and then click 'Define Query'. In the box which opens up click the box next to 'Days Since Last Logon:'. You have a choice of 30, 60, 90, 120 or 180 days.

I'm affraid it doesn't go to 12 months but surely someone not using an account in 6 months is probably a dormant account.

Click ok, then run the query.

Can I use the new query to find dormant computer accounts.
19th March 2010, 07:11 PM
PiqueABoo

It is a lot easier to go get and then use oldcmp
22nd March 2010, 07:36 AM
IanT

I used a program to few weeks ago to check the last logins of users!! for the life of me cant remember what it was called!! but I managed to remove over 400 old user accounts!!!
22nd March 2010, 08:19 AM
bossman

@comedydave:

Could this be of any use to you:
Active Directory Last Logon Tool

This could be what IanT was talking about? :)
22nd March 2010, 08:47 AM
IanT

Quote:

Originally Posted by bossman

@comedydave:

Could this be of any use to you:
Active Directory Last Logon Tool

This could be what IanT was talking about? :)

Thats the one!!! :D
22nd March 2010, 11:19 AM
comedydave

Thanks Guys, will give that a try.

Dovestones tools are on my list to trial in the future I think, as we are finding UMRA quite expencive. It is very powerful tho!