Solved

Can I disable an inactive user with GPO in Windows Server 2008

Posted on 2009-07-13
Last Modified: 2012-05-07
PCI DSS v1.2 demands that a user account is disabled after 90 days of being inactive:

"Remove/disable inactive user accounts at least every 90 days."

Is this possible to achieve with a GPO in Windows Server 2008 Active Domain?
Question by:Joffer
LVL 3

Expert Comment

by:Lisij
ID: 24840105
No, I don't think you can do it; a quick Google and checking a couple of links there confirmed it.
You have to run a script through the scheduler.

Also, unless you are in a multinational corporation with thousands of users, I don't see why you would need a GPO, or even a scheduled task, for that. Users don't fall off the face of the planet on a regular basis without anyone noticing it. Catch up manually, and then make sure to disable user accounts as soon as they leave the company, permanently or for an extended period of time.
0
 
LVL 1

Author Comment

by:Joffer
ID: 24840212
I did multiple Google searches myself and, like yourself, did not find any good answers. That's why I'm posting a question here :)

It's a requirement from PCI DSS to check every 90 days for inactive users for us to be compliant. And it is not a "check" to see if a user is still employed, but to check if he/she has logged in to the system in 90 days. If they haven't, the account has to be disabled. (There is of course a requirement to disable/delete the user account when someone quits the firm as well.)

It's not that this is a hard task to do manually; the PCI environment would probably not include more than 20 users or so. But this just adds more work/routines to follow manually, which I would be very happy to do automatically in AD/GPO, or if that's not an option, like you say, use scheduled tasks with a script.

The only other post I've found on EE is this one:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23531987.html

0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 24840218
Not with a group policy but you can use a tool like old computer by MVP Joe Richards
http://www.joeware.net/freetools/tools/oldcmp/index.htm
You can use the -users switch for users.  Really great tool worth checking out.
Thanks
Mike
0
 
LVL 3

Expert Comment

by:Lisij
ID: 24840304
I am not sure if oldcmp can be scripted and put into the scheduler, but it is a great tool.

I would look into a few scripting sites for the script, unless someone here has one handy or can quickly write one.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24840477
Well, the guy that answered that link you posted is Brandon Shell, and he is one of the top PowerShell guys around, so if you do use a scripted method that is not bad.
I always like to eyeball the oldcmp reports (we send them to our help desk to eyeball).
With 20-30 users you can quickly look to make sure there are no false positives.
Thanks
Mike
0
 
LVL 1

Author Closing Comment

by:Joffer
ID: 31602837
I will look into the oldcmp tool.
0
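
The scheduled-script approach discussed in this thread, sketched as an added example (it is not from any poster, and it is not oldcmp or the script in the linked question). It assumes the ActiveDirectory PowerShell module is available; the OU and report path are hypothetical placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory PowerShell
# module is available (it ships with Windows Server 2008 R2 and later, and RSAT).
Import-Module ActiveDirectory

$InactiveDays = 90
$SearchBase   = 'OU=PCI Users,DC=example,DC=com'   # hypothetical OU
$ReportPath   = 'C:\Reports\inactive-users.csv'    # hypothetical path
$Apply        = $false   # report only; set to $true to disable accounts

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# lastLogonTimestamp is replicated to every DC, but it is only refreshed when
# the stored value is roughly 9-14 days old, so it can lag the real last logon.
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties lastLogonTimestamp, whenCreated

$stale = @(foreach ($u in $users) {
    if ($u.lastLogonTimestamp) {
        $last = [DateTime]::FromFileTimeUtc($u.lastLogonTimestamp)
    } else {
        # Never logged on: measure inactivity from account creation instead.
        $last = $u.whenCreated.ToUniversalTime()
    }
    if ($last -lt $cutoff) {
        New-Object PSObject -Property @{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
            LastActivityUtc   = $last
            NeverLoggedOn     = -not $u.lastLogonTimestamp
        }
    }
})

# Always write the report so someone can review it for false positives.
$stale | Export-Csv -Path $ReportPath -NoTypeInformation

if ($Apply) {
    foreach ($s in $stale) {
        Disable-ADAccount -Identity $s.DistinguishedName
    }
}
```

Run it from Task Scheduler with `$Apply = $false` first and review the CSV; because of the replication lag noted in the comments, an account flagged at exactly 90 days may have logged on more recently than the attribute shows.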
