Can I disable an inactive user with GPO in Windows Server 2008

PCI DSS v1.2 demands that a user account is disabled after 90 days of being inactive:

"Remove/disable inactive user accounts at least every 90 days."

Is this possible to achive with a GPO in Windows Server 2008 Active Domain?
LVL 1
JofferAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

LisijCommented:
no, i dont think you can do it, quick google and checking couple of links there confirmed it.
have to run a script through the scheduler

Also, unless you are in the multinational corporation with thoughsands of users, i dont see why you would need a GPO, or even a scheduled task for that. Users dont fall off the face of the planet on the regular basis, without anyone noticing it. Catch up manually, and then make sure to disable user accounts as soon as they leave the company, permanently or for extended period of time.
0
JofferAuthor Commented:
I did multiple google search myself, and like yourself, did not find any good answers. Thats why I'm posting a question here :)

It's a requirement from PCI DSS to check every 90 days for inactive users for us to be compliant. And it is not a "check" to see if a user is still employed, but to check if he/she has logged in to the system in 90 days. If they haven't the account have to be disabled. (There are of course a requirement to disable/delete user account when someone quits the firm as well..)

It's not that this is a hard task to do manually, the PCI environment would probably not include more than 20 users or so, but this just adds more work/routines to follow manually which I would be very happy to do automatically in AD/GPO, or if thats not an option, like you say, use scheduled tasks with a script.

The only other post I've found on EE is this one:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23531987.html

0
Mike KlineCommented:
Not with a group policy but you can use a tool like old computer by MVP Joe Richards
http://www.joeware.net/freetools/tools/oldcmp/index.htm
You can use the -users switch for users.  Really great tool worth checking out.
Thanks
Mike
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

LisijCommented:
i am not sure if oldcomp can be scripted and put into scheduler, but it is a great tool

i would look into the few scripting sites for the script, unless someone here has one handy or can quickly write one.
0
Mike KlineCommented:
Well the guy that answered that link you posted is Brandon Shell and is one of the top powershell guys around so if you do use a scripted method that is not bad.
I always like to eyeball the oldcmp reports (we send them to our help desk to eyeball)
With 20-30 users you can quickly look to make sure there are no false positives.
Thanks
MIke
0
JofferAuthor Commented:
I will look into the oldcmp tool.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.