[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Can I disable an inactive user with GPO in Windows Server 2008

Posted on 2009-07-13
6
Medium Priority
?
2,874 Views
Last Modified: 2012-05-07
PCI DSS v1.2 demands that a user account is disabled after 90 days of being inactive:

"Remove/disable inactive user accounts at least every 90 days."

Is this possible to achive with a GPO in Windows Server 2008 Active Domain?
0
Comment
Question by:Joffer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 3

Expert Comment

by:Lisij
ID: 24840105
no, i dont think you can do it, quick google and checking couple of links there confirmed it.
have to run a script through the scheduler

Also, unless you are in the multinational corporation with thoughsands of users, i dont see why you would need a GPO, or even a scheduled task for that. Users dont fall off the face of the planet on the regular basis, without anyone noticing it. Catch up manually, and then make sure to disable user accounts as soon as they leave the company, permanently or for extended period of time.
0
 
LVL 1

Author Comment

by:Joffer
ID: 24840212
I did multiple google search myself, and like yourself, did not find any good answers. Thats why I'm posting a question here :)

It's a requirement from PCI DSS to check every 90 days for inactive users for us to be compliant. And it is not a "check" to see if a user is still employed, but to check if he/she has logged in to the system in 90 days. If they haven't the account have to be disabled. (There are of course a requirement to disable/delete user account when someone quits the firm as well..)

It's not that this is a hard task to do manually, the PCI environment would probably not include more than 20 users or so, but this just adds more work/routines to follow manually which I would be very happy to do automatically in AD/GPO, or if thats not an option, like you say, use scheduled tasks with a script.

The only other post I've found on EE is this one:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23531987.html

0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1000 total points
ID: 24840218
Not with a group policy but you can use a tool like old computer by MVP Joe Richards
http://www.joeware.net/freetools/tools/oldcmp/index.htm
You can use the -users switch for users.  Really great tool worth checking out.
Thanks
Mike
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 3

Expert Comment

by:Lisij
ID: 24840304
i am not sure if oldcomp can be scripted and put into scheduler, but it is a great tool

i would look into the few scripting sites for the script, unless someone here has one handy or can quickly write one.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24840477
Well the guy that answered that link you posted is Brandon Shell and is one of the top powershell guys around so if you do use a scripted method that is not bad.
I always like to eyeball the oldcmp reports (we send them to our help desk to eyeball)
With 20-30 users you can quickly look to make sure there are no false positives.
Thanks
MIke
0
 
LVL 1

Author Closing Comment

by:Joffer
ID: 31602837
I will look into the oldcmp tool.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question