How do I create a group policy to disable inactive accounts after x number of days in an OU in AD?

Dear experts

We want to use Active Directory Group Policy to automatically disable inactive accounts that reside in a particular OU after 60 days of inactivity. Can this be achieved with GPMC?

bluntTony (Head of ICT) commented:
Hi there,
Can't be done natively with group policy but you could schedule a script to run daily on one of your DCs which will do the trick.
Oldcmp by MVP Joe Richards is a great utility for doing such a task:
To disable all accounts that haven't logged on for 60 days, the syntax of the line you would need to use is:
oldcmp -users -llts 60 -disable
Now, this won't actually disable the accounts but it'll do a dry run. To make it real, use
oldcmp -users -llts 60 -disable -unsafe -forreal
You can also produce an HTML report of the accounts that would be affected (but not actually do anything):
oldcmp -users -llts 60 -report -sh
(Bear in mind you need to be running at a Windows 2003 domain functional level for the llts switch to work properly)

This is very easy if your domain functional level is Windows 2003 native...

dsquery user -inactive # | dsmod user -disabled yes

Replace # with the number of *WEEKS* the account has been inactive.

To disable computer accounts, use the exact same command, but substitute computer for user (twice).

This will not work in 2000 domains.  You will get an error if no accounts meet the criteria, but that is expected because there is no input to the dsmod command.

There are tons of other options for dsmod; I suggest dsmod /? to see what else you can do with it.
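
A PowerShell take on the scheduled-script approach suggested in the answers above, scoped to a single OU and counting days rather than weeks. It is an added example, not part of either answer; it assumes the ActiveDirectory module (RSAT) is available, and the OU distinguished name and the report file name are placeholders.

```powershell
# Added example: dry run by default, pass -Apply to actually disable accounts.
param(
    # Placeholder DN: replace with the distinguished name of your OU.
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',
    [int]$InactiveDays = 60,
    [switch]$Apply
)

Import-Module ActiveDirectory   # assumption: the RSAT AD module is installed

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates between
# DCs but is only refreshed periodically (by default it can lag the real
# logon by up to about 14 days), so treat the cutoff as approximate.
$stale = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
        -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, whenCreated |
    Where-Object {
        if ($_.LastLogonDate) {
            $_.LastLogonDate -lt $cutoff
        } else {
            # Never logged on: fall back to the creation date so that
            # freshly provisioned accounts are not disabled.
            $_.whenCreated -lt $cutoff
        }
    }

# Keep a record of what was (or would be) touched, for review and rollback.
$report = "inactive-{0:yyyyMMdd}.csv" -f (Get-Date)
$stale |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, whenCreated |
    Export-Csv -Path $report -NoTypeInformation

foreach ($user in $stale) {
    # Without -Apply this only prints "What if:" lines, comparable to the
    # oldcmp dry run described in the first answer.
    Disable-ADAccount -Identity $user -WhatIf:(-not $Apply)
}

"{0} account(s) matched under {1}; report: {2}" -f @($stale).Count, $SearchBase, $report
```

Review the CSV from a dry run before scheduling the script with -Apply, and check that service accounts living in the OU are not caught by the filter.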
richardstuartpowell (Author) commented:
Thanks guys - perfect!