LinkBack URL
About LinkBacksHi,
I was wondering if anyone has a system to automatically disables old user accounts please? Also on a similar note does anyone use anything that will flag up unused computer accounts?
Thanks
Hi,
I was wondering if anyone has a system to automatically disables old user accounts please? Also on a similar note does anyone use anything that will flag up unused computer accounts?
Thanks
I did something about this on my blog a while ago. A nice bit of powershell, which you could set as a scheduled task for automation...
Your blogs are very handy, i should check through them all some time
Thanks
Try this ...
OldCmp
I've used that for long time.Originally Posted by tumbleweed
Just looked, is it this?I did something about this on my blog a while ago. A nice bit of powershell,
get-qadcomputer -IncludeAllProperties | Where-Object { $_.lastlogon -lt (get-date).AddDays(-90) }
Saying this feels a little pedantic, I've never used Quest so can't comment on what that does behind the scenes, and it's been ages since I looked at this area so I can't comment on what happens for Server 2008 functional level, but sometimes it's useful to know that...
A potential very occasional problem is that the AD attribute "lastLogon" does not replicate. For the most part it doesn't matter, but if that cmdlet only talks to one DC then in some circumstances the lastLogon can be misleading. Comps on site that start up every day might be a day or two out of date, because they logged on to a different DC today. The results for comps that aren't on the network very often can occasionally give a lastLogon that is months older than the value on another machine. If you want the very best result you need to query all DCs and pick the newest lastLogon for any given comp.
OldCmp use lastLogonTimstamp which does replicate so you can do this on just one DC, but that attribute doesn't get updated every time a comp logs on - it's a similar concept to the no-refresh interval for DNS scavenging for the same reasons i.e. to prevent replication traffic. But in principle, in the worst case a comp may have logged on up to two weeks more recently than the value in lastLogonTimestamp.
Last edited by PiqueABoo; 23rd January 2012 at 10:24 AM.
Ive been looking for something similar. I came across Solarwinds but havent tried it yet. Might be worth a look?
FREE AD Admin Tools
PiqueABoo (23rd January 2012)
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
