Can I disable an inactive user with GPO in Windows Server 2008

PCI DSS v1.2 demands that a user account is disabled after 90 days of being inactive:

"Remove/disable inactive user accounts at least every 90 days."

Is this possible to achive with a GPO in Windows Server 2008 Active Domain?
Who is Participating?
Mike KlineConnect With a Mentor Commented:
Not with a group policy but you can use a tool like old computer by MVP Joe Richards
You can use the -users switch for users.  Really great tool worth checking out.
no, i dont think you can do it, quick google and checking couple of links there confirmed it.
have to run a script through the scheduler

Also, unless you are in the multinational corporation with thoughsands of users, i dont see why you would need a GPO, or even a scheduled task for that. Users dont fall off the face of the planet on the regular basis, without anyone noticing it. Catch up manually, and then make sure to disable user accounts as soon as they leave the company, permanently or for extended period of time.
JofferAuthor Commented:
I did multiple google search myself, and like yourself, did not find any good answers. Thats why I'm posting a question here :)

It's a requirement from PCI DSS to check every 90 days for inactive users for us to be compliant. And it is not a "check" to see if a user is still employed, but to check if he/she has logged in to the system in 90 days. If they haven't the account have to be disabled. (There are of course a requirement to disable/delete user account when someone quits the firm as well..)

It's not that this is a hard task to do manually, the PCI environment would probably not include more than 20 users or so, but this just adds more work/routines to follow manually which I would be very happy to do automatically in AD/GPO, or if thats not an option, like you say, use scheduled tasks with a script.

The only other post I've found on EE is this one:

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

i am not sure if oldcomp can be scripted and put into scheduler, but it is a great tool

i would look into the few scripting sites for the script, unless someone here has one handy or can quickly write one.
Mike KlineCommented:
Well the guy that answered that link you posted is Brandon Shell and is one of the top powershell guys around so if you do use a scripted method that is not bad.
I always like to eyeball the oldcmp reports (we send them to our help desk to eyeball)
With 20-30 users you can quickly look to make sure there are no false positives.
JofferAuthor Commented:
I will look into the oldcmp tool.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.