  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 481

script to find inactive user accounts

I have a script that works really well for finding inactive Computer Accounts, and now I am trying to make it do the same thing for User Accounts. We have a Windows 2003 domain with about 15 sites and 15 DCs.

The script for the Computer Accounts goes like this

_________________________________________________

' Suppress runtime errors; Err.Number is checked explicitly after the domain bind
On Error Resume Next

DomainString = InputBox("Enter the domain name", "Check Active Computers", "DomainName")

If DomainString = "" Then
    WScript.Echo "No domain specified or script cancelled."
    WScript.Quit
End If

' Accounts whose password is at least this many days old are reported
numDays = InputBox("What is the number of days to use as a cutoff for " & "Active Computer Accounts?", "Check Active Computers", "XX")

If numDays = "" Then
    WScript.Echo "No cutoff date specified or script cancelled."
    WScript.Quit
End If

' Bind to the domain through the WinNT provider
Set DomainObj = GetObject("WinNT://" & DomainString)

If Err.Number <> 0 Then
    WScript.Echo "Error connecting to " & DomainString
    WScript.Quit
End If

' Enumerate computer objects only
DomainObj.Filter = Array("computer")
WScript.Echo "Computer Accounts in " & DomainString & " older than " & numDays & " days."
For Each Computer In DomainObj
    ' Computer accounts carry a trailing "$" in the SAM account name
    Set Account = GetObject("WinNT://" & DomainString & "/" & Computer.Name & "$")
    ' PasswordAge is reported in seconds; convert to whole days
    RefreshTime = FormatNumber((Account.Get("PasswordAge")) / 86400, 0)
    If CInt(RefreshTime) >= CInt(numDays) Then
        WScript.Echo "**DELETE** " & Computer.Name & " Password Age is " & RefreshTime & " days."
    End If
Next

Set DomainObj = Nothing
WScript.Quit

__________________________________________________________________

How would I change it to find User Accounts?

Important! - I do not want the script to actually delete or disable anybody, I just want it to echo the usernames to the screen.


Thanks
Asked by shard26

1 Solution
Chris Dent (PowerShell Developer) commented:

This version echoes things to a file called LastLogon.txt. It can be changed to echo to the screen quite easily though if you still prefer that - the file was just always a little more convenient.

It'll take a little while to run, it has to check the LastLogon attribute on each of the 15 Domain Controllers for each user; unfortunately the value isn't replicated in AD.

' GetLastLogon.vbs
'
' Author: Chris Dent
' Created: 04/05/2005
' Modified: 01/03/2006

Option Explicit

' Global Constants

Const FILE_NAME = "LastLogon.txt"
Const INACTIVE_PERIOD = 30 ' In Days

' Global Variable Declaration

Dim objRootDSE, objUsers, objDomainControllers, objDomainController, objFileSystem, objFile
Dim strEntry
 
'
' Subroutines
'

Sub GetLastLogon(objDomainController)

      ' Retrieves the Last Logon Time from a DC

      Dim objItems, objItem, objTemp
      Dim datLastLogon
      Dim strDCName, strLogonName

      strDCName = Mid(objDomainController.Name, 4, Len(objDomainController.Name))

      Set objItems = GetObject("WinNT://" & strDCName)
      objItems.Filter = Array("user")
      For Each objItem In objItems
            
            On Error Resume Next
            strLogonName = ""
            strLogonName = objItem.Name
            datLastLogon = ""
            datLastLogon = CDate(objItem.LastLogin)
            On Error Goto 0

            ' LastLogin is not replicated, so keep the newest value seen on any DC
            If datLastLogon <> "" Then
                  If objUsers.Exists(strLogonName) Then
                        If datLastLogon > objUsers(strLogonName) Then
                              objUsers(strLogonName) = datLastLogon
                        End If
                  Else
                        objUsers.Add strLogonName, datLastLogon
                  End If
            End If
            Set objItem = Nothing
      Next
      Set objItems = Nothing
End Sub

'
' Main Code
'

Set objRootDSE = GetObject("LDAP://rootDSE")

Set objUsers = CreateObject("Scripting.Dictionary")

' Get the DC List

Set objDomainControllers = GetObject("LDAP://ou=domain controllers," & _
      objRootDSE.Get("defaultNamingContext"))
objDomainControllers.Filter = Array("computer")

For Each objDomainController in objDomainControllers
      GetLastLogon objDomainController
Next

Set objDomainControllers = Nothing
Set objRootDSE = Nothing

' Reporting

Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFile = objFileSystem.CreateTextFile(FILE_NAME, True, False)

objFile.WriteLine "Users that have not logged on in the last " & INACTIVE_PERIOD & " days"
objFile.WriteLine ""
objFile.WriteLine "Logon Name" & VbTab & "Last Logon Time"
objFile.WriteLine ""
For Each strEntry In objUsers
      If (objUsers(strEntry) < (Date() - INACTIVE_PERIOD)) Then
            objFile.WriteLine strEntry & VbTab & objUsers(strEntry)
      End If
Next

objFile.Close
Set objFileSystem = Nothing

Set objUsers = Nothing
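The aggregation that GetLastLogon performs, as an added Python example that is not part of the original thread: per-DC lastLogon readings (100-ns FILETIME ticks, as AD stores them) are merged by keeping the newest one, because the attribute is not replicated; accounts no DC has ever seen are kept as "never logged on". The DC names, user names and timestamps are constructed sample data standing in for two domain controllers.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores lastLogon as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INACTIVE_PERIOD = 30  # days, as in the script above

def filetime_to_datetime(ticks):
    """Convert a lastLogon value to a UTC datetime; 0 means this DC never saw a logon."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(when):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    return (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def merge_last_logon(per_dc):
    """per_dc maps DC name -> {logon name: lastLogon ticks read from that DC}.
    lastLogon is not replicated, so the true value is the newest reading on any DC."""
    merged = {}
    for readings in per_dc.values():
        for user, ticks in readings.items():
            when = filetime_to_datetime(ticks)
            current = merged.get(user)
            if user not in merged or (when is not None and (current is None or when > current)):
                merged[user] = when
    return merged

def inactive_users(merged, now, inactive_days=INACTIVE_PERIOD):
    """Logon names with no logon in the last inactive_days; never-logged-on accounts count as inactive."""
    cutoff = now - timedelta(days=inactive_days)
    return sorted(user for user, when in merged.items() if when is None or when < cutoff)

# Constructed sample: what GetLastLogon would collect from two DCs, evaluated on 2006-03-01
NOW = datetime(2006, 3, 1, tzinfo=timezone.utc)
SAMPLE = {
    "DC01": {
        "alice": datetime_to_filetime(datetime(2006, 2, 25, 9, 0, tzinfo=timezone.utc)),
        "bob": datetime_to_filetime(datetime(2006, 1, 10, 8, 0, tzinfo=timezone.utc)),
        "carol": 0,
    },
    "DC02": {
        "alice": datetime_to_filetime(datetime(2006, 1, 5, 17, 30, tzinfo=timezone.utc)),
        "bob": 0,
        "carol": 0,
        "dave": datetime_to_filetime(datetime(2006, 2, 10, 12, 0, tzinfo=timezone.utc)),
    },
}

if __name__ == "__main__":
    merged = merge_last_logon(SAMPLE)
    for user in inactive_users(merged, NOW):
        print(user, merged[user] or "never logged on")
```

On a domain at Windows Server 2003 functional level the replicated lastLogonTimestamp attribute avoids the per-DC walk, at the cost of being up to 14 days stale.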
shard26 (Author) commented:
So there's no way to just edit the original script to look for users instead of computers?

I just figured it would be just filling in these blanks:

DomainObj.Filter = Array("user")
Wscript.echo "User Accounts in " & DomainString & " older than " & numDays & " days."
For each Computer in DomainObj
Set Account = GetObject("WinNT://" & DomainString & "/" & ___________ & "$")
RefreshTime = FormatNumber((Account.get("PasswordAge"))/86400,0)
If CInt(RefreshTime) >= CInt(numDays) Then
wscript.echo "**DELETE** " & ___________  & " Password Age is " & RefreshTime & " days."
End If
Next
Chris Dent (PowerShell Developer) commented:

It might work, that value at least should be replicated. Of course it's no good if you don't set passwords to expire within the domain.

You could try:

DomainObj.Filter = Array("user")
Wscript.echo "User Accounts in " & DomainString & " older than " & numDays & " days."

For each User in DomainObj
      Set Account = GetObject("WinNT://" & DomainString & "/" & User.Name & ", user")
      RefreshTime = FormatNumber((Account.get("PasswordAge"))/86400,0)
      If CInt(RefreshTime) >= CInt(numDays) Then
            wscript.echo "**DELETE** " & User.Name & " Password Age is " & RefreshTime & " days."
      End If
Next
shard26 (Author) commented:
So if I do not set passwords to expire, then the script will not work?
shard26 (Author) commented:
I ran it the way you had written and it echoes every single user in the domain.
Chris Dent (PowerShell Developer) commented:

If passwords don't expire then the password age is a useless attribute as far as determining account inactivity goes. For that you would be far better served by the original script that pulls the last logon time - the obvious disadvantage of that is that it has to go off and check every single DC for each user.

Chris
shard26 (Author) commented:
OK, I will try yours today. Thanks