Solved

Disabling and moving stale accounts in Active Directory

Posted on 2009-05-17
Last Modified: 2012-05-07
I've seen several postings about using oldcmp.exe, and I have this tool now, but seeing that it is an intricate tool that can possibly do some damage, I want to avoid that. I'm looking for the correct command-line syntax to pull outdated accounts (>90 days) from a named OU, not from the entire domain, disable them and move them to a specified OU.
Question by:cgooden01
44 Comments
 

Expert Comment

by:barryhiggins3
Hi,

The tool you are after is called dsquery.

The command-line syntax is as follows:

dsquery user OU=Users,OU=Test,DC=Domainname,DC=com -inactive 4

for the OU
in
-domainname.com
--Test
---Users

This will give you all accounts that have been inactive for 4 weeks; the default limit on the number of users returned is 100.

You can modify the number returned by using the -limit switch as follows:

dsquery user OU=Users,OU=Test,DC=Domainname,DC=com -inactive 4 -limit 0

This will return all, or you can specify a specific number.

Thanks.
 
Expert Comment

by:Timoros
 

Author Comment

by:cgooden01
Yes, I already have the syntax for dsquery: dsquery computer OU=xxI,OU=xx,DC=xxi,DC=xxDC=xx,DC=xx -inactive 6 -limit 0 >computeraccounts.txt, then I have it piped to a txt file. But sometimes dsquery is inaccurate, and I have been told a lot of sysadmins use oldcmp.exe for greater accuracy.
 

Expert Comment

by:barryhiggins3
I don't think dsquery is inaccurate.

Yes, it will also give you the disabled accounts in your domain, but you can easily filter these by running the query again with the -disabled switch to output only the disabled accounts, then compare the results using Excel etc.
 

Author Comment

by:cgooden01
Okay... I'll compare the two for accuracy. I am having one problem when trying to move my disabled accounts. It keeps erroring out.. this is the syntax I'm using.. Is there an error or something I'm missing?

dsquery user OU=xx,OU=xx,DC=xxDC=xx,DC=xx,DC=xx-inactive 12 -limit 0 | dsmove -newparent OU=DisabledUserAccount
 

Expert Comment

by:bluntTony
oldcmp is fine - it does exactly what you described. The syntax would be:

oldcmp -users -b "OU=yourusers,DC=domain,DC=local" -llts -report -sh

This command will simply show you a report of those users who haven't logged on in 90 days. Bear in mind that you can only use -llts if you've raised your domain functional level to Windows Server 2003. Neither will dsquery work with the -inactive switch if you haven't. If not, do not add this switch, and it will look for those users with passwords older than 90 days...

oldcmp -users -b "OU=yourusers,DC=domain,DC=local" -report -sh

When you're happy with this, you can go ahead and move/disable the accounts:

oldcmp -users -b "OU=yourusers,DC=domain,DC=local" -disable -move -newparent "OU=oldusers,DC=domain,DC=local"

oldcmp is a much more comprehensive tool for this purpose, and both tools can do damage if used incorrectly.

Note - even with your domain raised to the right level, all users will show up as 'inactive' until they've logged in and populated the lastLogonTimestamp attribute after raising the level - this might account for the inaccuracies you described.
 

Author Comment

by:cgooden01
I'm running this but it's not moving any of the accounts that were disabled....????
 

Expert Comment

by:bluntTony
If you're referring to your last post, you need to add the full DN of the new OU, i.e. "OU=DisabledUserAccount,DC=domain,DC=local"
 

Author Comment

by:cgooden01
Keep getting this error, but on different names sometimes each time it's run..????

C:\>dsquery user OU=xx,OU=xx,DC=xx,DC=x,DC=xx,DC=xx -inactive 12 -l
imit 0 | dsmove -newparent OU=DisabledUserAccount,OU=xx,OU=xx,DC=xx,DC=
xx,DC=xx,DC=xx
dsmove failed:`CN=Doe\, Joe,OU=Users,OU=xx,OU=xx, OU
=xx,DC=xx,DC=xx,DC=xx,DC=xx' is an unknown parameter.
type dsmove /? for help.
C:\>
 

Expert Comment

by:bluntTony
I think this is an error in dsmove - it can error when piping multiple DNs into it. You could batch-script the command to pass in one DN at a time.

Have a look at a previously answered question: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_22775895.html

I'd use oldcmp though. It's simpler.
 

Author Comment

by:cgooden01
Yeah, I already tried that command but still received errors moving the stale disabled accounts...??? Guess I will have to resort to using oldcmp.

For oldcmp, what is the correct syntax to move my disabled accounts? Well, first I'll see if I can get a report; it turned up nothing when I tried earlier, but I have over 200 stale accounts.
 

Author Comment

by:cgooden01
I see it listed above, but it's not working correctly and nothing is being moved.....
 

Expert Comment

by:bluntTony
The syntax would be:

oldcmp -users -b "OU=users,DC=domain,DC=local" -onlydisabled -move -newparent "OU=newou,DC=domain,DC=local"

This should find all disabled users who have not changed their password in 90 days, and move them to 'newou'. To show a report it would be:

oldcmp -users -b "OU=users,DC=domain,DC=local" -onlydisabled -report -sh
 

Expert Comment

by:bluntTony
What's the exact command you're using?
 

Author Comment

by:cgooden01
I get this error when running the oldcmp syntax, although the report showed up just fine....

ldap_get_next_page_s: [1111122222222.xx.xx.xxxx.xxx] Error 0xa (10) - Referral

[sensitive information removed/edited by LadyModiva, Community Support Moderator]
 

Author Comment

by:cgooden01
I'm having no problem pulling a report of all disabled users; it just will not move these accounts using oldcmp as well. Some security setting may be preventing this from my DC... wouldn't know why.. This is the syntax I'm using:

oldcmp -users -b "OU=xx,OU=xx,DC=xxDC=xx,DC=xx,DC=xx"-disable -move -newparent "OU=DisabledUserAccounts,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx,DC=xx"
 

Expert Comment

by:bluntTony
Stupid question - the new OU does exist right? oldcmp won't create it.

If it does exist, then do you have the rights to add users to it?

Also, don't cut and paste into the cmd line - the characters look the same in the cmd window but sometimes are not interpreted the same by the app.
 

Expert Comment

by:Mike Kline
oldcmp -users -b "OU=xx,OU=xx,DC=xxDC=xx,DC=xx,DC=xx"-disable -move -newparent "OU=DisabledUserAccounts,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx,DC=xx"

You can't use two actions at once; in your case -disable and -move.
You should be getting an error there... something like "ERROR: Only one action can be specified".
Take a look at Tony's comment #24406327; that should move them for you.
Thanks
Mike
 

Author Comment

by:cgooden01
Yes, the OU already exists... and okay, I'll try just typing it in the command line to see if that clears up the errors. Thanks.. I'll let you know if that works...

Okay, I tried that.... and I get this error:

ERROR: Only one action can be specified.

Type oldcmp /help or oldcmp /? for usage assistance.

My syntax is...

oldcmp -users -b "OU=xx,OU=xx,DC=xx,DC=xx,DC=xx,DC=xx" -disable -move -newparent "OU=DisabledUserAccounts,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx,DC=xx"
 

Author Comment

by:cgooden01
Okay.. I'll try his way...
 

Expert Comment

by:bluntTony
I'm afraid I missed that. Sorry. I think I'm guilty of putting the two commands together myself. Didn't have a test server to hand so couldn't run it myself.

Thanks for spotting that Mike.
 

Author Comment

by:cgooden01
Tried that too.. but not one moved over.... I'm at a loss now..

Total Updates         : 582
Updates Ok            : 0
Updates Error         : 0
Updates Skipped       : 10
Updates Safety Skipped: 572

Command completed successfully
 

Accepted Solution

by: Mike Kline (earned 250 total points)
OK, add -unsafe and -forreal at the end of your command.
Let us know how that works.
No problem Tony, we back each other up on here :)
Thanks
Mike
 

Author Comment

by:cgooden01
Tried that.. it only moved about 8 of 257, stating this in the command line...
[Not For Real]

I see you all are tag-teaming this; really appreciate your assistance... any other ideas on this one...
 

Author Comment

by:cgooden01
I noticed that the only reason it moved these accounts was because in AD, under the additional account information, the last logon is set to No Value Set.
 

Author Comment

by:cgooden01
Thinking now, I should go with a VBScript or batch file of some sort... the oldcmp resolve seems to be based on the last logon timestamp.. but then again, I have several accounts, over 100, that have 2006 timestamp values....???
 

Author Comment

by:cgooden01
I have so many disabled accounts under different OUs in my tree... scattered about; I just need to collect any and all accounts that are disabled and move them into one container. Any more suggestions on this..... Appreciate your help on this, both of you.
 

Expert Comment

by:bluntTony
Are you using the -llts switch? If so, it will look at lastLogonTimestamp (like I said, this is only useful if you raised the domain functional level quite a while ago).

If you're not using this switch, then the default filter is pwdLastSet older than 90 days, not the last logon timestamp.

Try this - generate a report, then copy the 'Search filter' text. Go to ADUC, then 'Find Objects in Active Directory'. In the dialogue box, set the 'Find' drop-down to 'Custom Search', click the Advanced tab, then paste the text into the field. Select your OU from the drop-down in the top right, and click 'Find Now'.

Are the results the same as the report in oldcmp? They should be exactly the same.

When you say that you are expecting around 200 accounts to be moved, on what basis are you making this estimate? Could you post the exact command you are using?
 

Expert Comment

by:bluntTony
Using the disabled switch doesn't just get ALL disabled accounts; it further filters the result to only get disabled accounts that also haven't changed their password for >90 days. Would this account for why it's returning different results?
 

Author Comment

by:cgooden01
Yes, that is what is accounting for the different results. A lot of my users don't have to change their passwords like most AD users; they change their password only on the CAC credentials embedded in their ID cards, so most of my users will not show that information; the data will be No Value Set for the most part.

And yes, I was using the -llts switch.
 

Author Comment

by:cgooden01
Keep digging down on this issue, and as you stated in comment 24406669, I have many accounts that have not changed their passwords since 2008 and it's still not pulling them...???????
 

Expert Comment

by:bluntTony
Because if you're using -llts it's not looking at the password age, it's looking at the last logon timestamp - two separate properties. Could you post exactly what you want to retrieve, and the command you are using? I'm starting to get confused :0)
We'll tell you if it's doing what you think it is.
 

Author Comment

by:cgooden01
Exactly what I'm doing is this:

1. Attempting to collect all accounts that are greater than 90 days, to be disabled
2. From that collection of stale user accounts, move them to an OU marked DisabledUserAccounts

These are the command lines I'm using..

oldcmp -users -b "OU=xx,OU=xx,DC=xx,DC=xx,DC=xx,DC=xx" -onlydisabled -move -newparent "OU=DisabledUserAccounts,OU=xx,OU=xx,DC=mi,DC=xx,DC=xx,DC=xx" -unsafe

oldcmp -users -b "OU=xx,OU=xx,DC=xx,DC=xx,DC=xx,DC=xx" -onlydisabled -move -newparent "OU=DisabledUserAccounts,OU=xx,OU=xx,DC=mi,DC=xx,DC=xx,DC=xx" -xx - forreal

oldcmp -users -b "OU=xx,OU=xx,DC=xx,DC=xx,DC=xx,DC=xx"" -llts -report -sh
oldcmp -users -b "OU=xx,OU=xx,DC=xx,DC=xx,DC=xx,DC=xx"" -onlydisabled -report -sh
 

Expert Comment

by:bluntTony
What is greater than 90 days? Password age, or last logon timestamp?
 

Author Comment

by:cgooden01
Looking for accounts that have not logged on for 90 days or greater. The reports pull up just fine in oldcmp.exe and dsquery; it's just when I go to move them, they don't all get moved over.
 

Author Comment

by:cgooden01
After looking at the report, it's pulling lastLogonTimestamp and pwdLastSet, and these accounts are still not getting moved over, although they are all disabled..
 

Author Comment

by:cgooden01
Fellas, my shift is over; I've been here for 13 hours now.. guess I'll try it again tomorrow.... Whatever you can come up with to close this would be much appreciated. I'll see if I can develop a script in the meantime, but will still distribute the points regardless. Efforts duly noted.
 

Expert Comment

by:bluntTony
You need to use -unsafe and -forreal together. The command you want is:

oldcmp -users -llts -b "OU=xx,DC=xx,DC=xx" -disable -newparent "OU=DisableUserAccounts,DC=xx,DC=xx" -unsafe -forreal

This will find all users who haven't logged on for 90 days, disable them, and move them to the new OU specified. I have now tested this myself and it does work as expected. If you want to generate a report first, use:

oldcmp -users -llts -b "OU=xx,DC=xx,DC=xx" -report -sh

You can move and disable the accounts in the one command; you just drop the -move switch.

If you have trouble with this I'll look at it tomorrow as I am off now. Hope this helps...
 

Expert Comment

by:Mike Kline
Yeah, so in order you do this:
1. First run the report - see if those are the accounts you want to disable
2. Then you can actually disable them
3. Then you can move them
So 3 commands.
Tony, quick note: in your last comment, for the disable he can take out -newparent.
 

Author Comment

by:cgooden01
Okay.. will run that, but before I do: I have one OU set aside for a migration, so their accounts are disabled. Is there a way I can exclude this from the move? This will be vital before running this command. Otherwise I will have to disable them, move them somewhere else, then move them back. Suggestions/comments.
 

Assisted Solution

by: bluntTony (earned 250 total points)
Mike - I think you can actually disable and move them with one command. As long as you drop the -move switch, you can disable and move the users in one go. It's a little confusing as it says you can't use -move and -disable at the same time, but you can move the objects with the -newparent switch along with -disable.

I tested this and it seemed to work OK for me.

To exclude certain objects, use the -excldn switch. Pass in a unique string that is part of the DN of the objects that you want to exclude, e.g.

oldcmp -users -llts -b "OU=xx,DC=xx,DC=xx" -disable -newparent "OU=DisableUserAccounts,DC=xx,DC=xx" -excldn "OU=MigrationAccounts" -unsafe -forreal

You don't need to enter the entire DN of the OU, just a string which can uniquely identify the objects you want to exclude. To be sure you can enter the entire DN of the OU if you wish.

 
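The same procedure the thread settles on (report first, then disable and move stale users from one OU while excluding a migration OU) written with the ActiveDirectory PowerShell module. This is an added example, not code from the thread and not part of oldcmp or dsquery. The OU DNs, the 90-day cutoff and the RSAT module being installed are assumptions; the -ForReal switch is a hypothetical parameter introduced here to mirror oldcmp's -forreal, so by default the script is a dry run that still writes the report. It also reports, but does not touch, accounts whose lastLogonTimestamp has never been set (the "No Value Set" case discussed above), and it moves one object per call, which sidesteps the dsmove piping failure seen earlier in the thread.

```powershell
# Added example (not from the thread, not oldcmp): report, then disable and move
# stale user accounts from one OU with the ActiveDirectory module (RSAT).
# Assumptions: the module is installed, the DNs below are placeholders for your
# own, and the caller may disable users under $SearchBase and create objects in
# $TargetOU. Usage:
#   .\Move-StaleUsers.ps1            # dry run: CSV report plus "What if:" lines
#   .\Move-StaleUsers.ps1 -ForReal   # actually disable and move
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]  $SearchBase = 'OU=Users,OU=Test,DC=domain,DC=local',                       # assumed
    [string]  $TargetOU   = 'OU=DisabledUserAccounts,DC=domain,DC=local',                # assumed
    [string[]]$ExcludeOU  = @('OU=MigrationAccounts,OU=Users,OU=Test,DC=domain,DC=local'), # assumed
    [int]     $Days       = 90,
    [string]  $ReportPath = '.\stale-users.csv',
    [switch]  $ForReal                                                                    # hypothetical, like oldcmp -forreal
)

Import-Module ActiveDirectory

# Dry run unless -ForReal: Disable/Move below then only print "What if:" instead of acting.
if (-not $ForReal) { $WhatIfPreference = $true }

$cutoff = (Get-Date).AddDays(-$Days)

# Only enabled users in the OU subtree. lastLogonTimestamp is the replicated
# attribute that oldcmp -llts reads; it is only rewritten when the stored value
# is more than roughly 9-14 days old, so treat it as accurate to about two weeks.
$users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
    -Filter 'Enabled -eq $true' `
    -Properties lastLogonTimestamp, pwdLastSet, whenCreated

$stale   = New-Object System.Collections.Generic.List[object]
$unknown = New-Object System.Collections.Generic.List[object]

foreach ($u in $users) {
    # Exclusion by DN suffix, the same idea as oldcmp -excldn.
    if ($ExcludeOU | Where-Object { $u.DistinguishedName -like "*,$_" }) { continue }

    # "No Value Set": never logged on since the domain functional level was raised,
    # or the account is brand new. Report these separately; do not treat them as stale.
    if (-not $u.lastLogonTimestamp) { $unknown.Add($u); continue }

    $lastLogon = [DateTime]::FromFileTime($u.lastLogonTimestamp)
    if ($lastLogon -lt $cutoff) {
        $stale.Add([pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
            LastLogon         = $lastLogon
            PwdLastSet        = if ($u.pwdLastSet) { [DateTime]::FromFileTime($u.pwdLastSet) } else { $null }
            Created           = $u.whenCreated
        })
    }
}

# The report is written on every run, dry or not; review it before using -ForReal.
# -WhatIf:$false keeps Export-Csv from being suppressed by the dry-run preference.
$stale | Sort-Object LastLogon | Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false
Write-Host ("{0} stale user(s) written to {1}; {2} with no lastLogonTimestamp left untouched" -f `
    $stale.Count, $ReportPath, $unknown.Count)

# One object per call. Piping several DNs into dsmove is what produced the
# "is an unknown parameter" error earlier in the thread; here each move is its own call.
foreach ($s in $stale) {
    if ($PSCmdlet.ShouldProcess($s.DistinguishedName, "Disable and move to $TargetOU")) {
        Disable-ADAccount -Identity $s.DistinguishedName
        Set-ADUser -Identity $s.DistinguishedName `
            -Description ("Disabled {0:yyyy-MM-dd}; last logon {1:yyyy-MM-dd}" -f (Get-Date), $s.LastLogon)
        Move-ADObject -Identity $s.DistinguishedName -TargetPath $TargetOU
    }
}
```

Run it once without -ForReal, compare the CSV against the oldcmp -report output for the same OU, and only then rerun with -ForReal. Accounts listed in the "no lastLogonTimestamp" count need a human decision, since the attribute alone cannot tell a never-used account from one created before the functional level was raised.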

Expert Comment

by:Mike Kline
OK, that makes sense Tony. I'll also test it today.
Thanks
Mike
 

Author Comment

by:cgooden01
That worked like a charm. Thanks, fellows.... Will distribute the points accordingly. Now that was some persistence, I have to say. Thanks a lot.
 

Expert Comment

by:bluntTony
Got there in the end! Glad you got it sorted.
