Solved

Can I disable an inactive user with GPO in Windows Server 2008

Posted on 2009-07-13
Last Modified: 2012-05-07
PCI DSS v1.2 demands that a user account is disabled after 90 days of being inactive:

"Remove/disable inactive user accounts at least every 90 days."

Is this possible to achieve with a GPO in Windows Server 2008 Active Domain?
Question by:Joffer
6 Comments
 
LVL 3

Expert Comment

by:Lisij
ID: 24840105
No, I don't think you can do it; a quick Google and checking a couple of links there confirmed it.
You have to run a script through the scheduler.

Also, unless you are in a multinational corporation with thousands of users, I don't see why you would need a GPO, or even a scheduled task for that. Users don't fall off the face of the planet on a regular basis without anyone noticing it. Catch up manually, and then make sure to disable user accounts as soon as they leave the company, permanently or for an extended period of time.
0
 
LVL 1

Author Comment

by:Joffer
ID: 24840212
I did multiple Google searches myself and, like yourself, did not find any good answers. That's why I'm posting a question here :)

It's a requirement from PCI DSS to check every 90 days for inactive users for us to be compliant. And it is not a "check" to see if a user is still employed, but to check if he/she has logged in to the system in 90 days. If they haven't, the account has to be disabled. (There is of course a requirement to disable/delete user accounts when someone quits the firm as well.)

It's not that this is a hard task to do manually, the PCI environment would probably not include more than 20 users or so, but this just adds more work/routines to follow manually which I would be very happy to do automatically in AD/GPO, or if that's not an option, like you say, use scheduled tasks with a script.

The only other post I've found on EE is this one:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23531987.html

0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 24840218
Not with a group policy, but you can use a tool like old computer by MVP Joe Richards:
http://www.joeware.net/freetools/tools/oldcmp/index.htm
You can use the -users switch for users. Really great tool, worth checking out.
Thanks
Mike
0
 
LVL 3

Expert Comment

by:Lisij
ID: 24840304
I am not sure if oldcmp can be scripted and put into the scheduler, but it is a great tool.

I would look into a few scripting sites for the script, unless someone here has one handy or can quickly write one.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24840477
Well, the guy that answered that link you posted is Brandon Shell, and he is one of the top PowerShell guys around, so if you do use a scripted method that is not bad.
I always like to eyeball the oldcmp reports (we send them to our help desk to eyeball).
With 20-30 users you can quickly look to make sure there are no false positives.
Thanks
Mike
0
 
LVL 1

Author Closing Comment

by:Joffer
ID: 31602837
I will look into the oldcmp tool.
0
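The scripted, scheduled-task route discussed in this thread could look like the following. This is an added example, not code from any participant and not how oldcmp works; it assumes the ActiveDirectory PowerShell module is available, and the OU and report path are placeholders. It writes a report for review before anything is disabled, in line with the point above about eyeballing for false positives.

```powershell
# Added example: report and disable enabled users with no logon in N days.
# Assumes the ActiveDirectory module; $SearchBase and $ReportPath are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase   = 'OU=PCI Users,DC=example,DC=com',
    [int]   $InactiveDays = 90,
    [string]$ReportPath   = 'C:\Reports\inactive-users.csv'
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Enabled accounts only; fetch the attributes the decision and report need.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties lastLogonTimestamp, whenCreated

$stale = @(foreach ($u in $users) {
    # lastLogonTimestamp is a FILETIME; empty means no logon has been recorded.
    # With default domain settings it can trail the real last logon by up to
    # about 14 days, so borderline accounts may be flagged slightly early.
    $last = if ($u.lastLogonTimestamp) {
        [DateTime]::FromFileTime($u.lastLogonTimestamp)
    } else { $null }

    # Measure never-used accounts from creation so new accounts are not caught.
    $reference = if ($last) { $last } else { $u.whenCreated }

    if ($reference -lt $cutoff) {
        $u | Select-Object SamAccountName, DistinguishedName, whenCreated,
            @{ Name = 'LastLogon'; Expression = { $last } }
    }
})

# Always write the review report, even when the script is run with -WhatIf.
$stale | Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

foreach ($s in $stale) {
    $reason = "Disable account (no logon in $InactiveDays days)"
    if ($PSCmdlet.ShouldProcess($s.SamAccountName, $reason)) {
        Disable-ADAccount -Identity $s.DistinguishedName
    }
}
```

Running the script with `-WhatIf` produces the CSV and lists the accounts that would be disabled without changing them.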
