Automatic Disable and Delete of User Accounts

Hey there,
Is there a way I can use a GPO to disable accounts that haven't logged on for 30 days, and then delete the account after 60?

I am using Windows Server 2003 domain controllers, 3 DCs overall.

Thanks,
jsctechyAsked:
bswinnertonCommented:
Unfortunately, no. Group Policy does not support the disabling of accounts.

What you'll need to do is create a script and make it a scheduled task. You'll want to look into both DSQUERY and DSGET.

The following script, courtesy of http://www.windowsitpro.com/article/tips/jsi-tip-7357-how-can-i-report-all-disabled-user-accounts-and-optionally-delete-them-.aspx, writes them to a text file:

@echo off
rem Usage: Disabled [/D]  - lists every disabled user in Disabled.txt; with /D it also deletes them
if not {%1}=={} if /i {%1} NEQ {/D} @echo syntax: Disabled /D&goto :EOF
setlocal
set delete=N
if not {%1}=={} set delete=%1
if exist Disabled.txt del /q Disabled.txt
rem dsquery prints one quoted DN per line; hand each one to :disa
for /f "Tokens=*" %%u in ('dsquery user -disabled') do set UDN=%%u&call :disa
endlocal
goto :EOF
:disa
set LN=
rem dsget prints a header line, then the value, then "dsget succeeded"; keep only the value
for /f "Skip=1 Tokens=*" %%i in ('dsget user %UDN% -ln') do if /i "%%i" NEQ "dsget succeeded" set LN=%%i#
rem strip the trailing padding dsget adds (the # marks where it ended)
set LN=%LN:  #=%
set LN=%LN: #=%
set LN=%LN:#=%
if {%LN%} EQU {} goto :EOF
if /i "%delete%" NEQ "/D" goto report
call :del>nul 2>&1
if %ERRORLEVEL% EQU 0 goto report
@echo %UDN% failed to delete.>>Disabled.txt
goto :EOF
:report
@echo %UDN%>>Disabled.txt
goto :EOF
:del
dsrm %UDN% -noprompt
corneliu_newsCommented:
Yes, you can create a script that will do that.

For example, a VBScript:
' Bind to the user (the DN is the sample from the original script)
Set objUser = GetObject("LDAP://cn=Ken Myer, ou=Finance, dc=fabrikam, dc=com")
' lastLogonTimestamp is an IADsLargeInteger: 100-nanosecond ticks since 1/1/1601 UTC
Set objLastLogon = objUser.Get("lastLogonTimestamp")
intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
' LowPart is a signed 32-bit value; when it comes back negative, undo the wrap
If objLastLogon.LowPart < 0 Then intLastLogonTime = intLastLogonTime + (2^32)
intLastLogonTime = intLastLogonTime / (60 * 10000000)   ' ticks -> minutes
intLastLogonTime = intLastLogonTime / 1440              ' minutes -> days
Wscript.Echo "Last logon time: " & intLastLogonTime + #1/1/1601#

You can combine this with the script from the link below and it should work for disabling the account:
http://www.activedir.org/Articles/tabid/54/articleType/ArticleView/articleId/12/Default.aspx
Similarly for delete.

Hope that helps.
Mike KlineCommented:
Another great method is using oldcmp by Joe Richards (also works for users):

http://www.joeware.net/freetools/tools/oldcmp/index.htm

oldcmp -report -age 30 -users -llts

That will give you the report and you can also use oldcmp to disable and delete

I would disable after 60 or 90.

http://blogs.technet.com/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

As you can see, lastLogonTimestamp is accurate up to 9-14 days, so with 30 days you may get some users on vacation etc., but that is why your plan to disable first is good and a best practice, because it only takes a few seconds to enable them.

...and as you can see by the name of the tool you can identify old machines too

Thanks

Mike
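The conversion in corneliu_news's VBScript and the 9-14 day lag Mike Kline points to can be put together in one staleness check. The following is an added example, not code from this thread or from oldcmp: it decodes lastLogonTimestamp the same way (FILETIME ticks since 1601), ages never-logged-on accounts from whenCreated instead, and adds the replication slack to the policy threshold before calling an account stale. The sample accounts, the fixed "now" and the 14-day slack figure are constructed for the example; the last comment shows the equivalent call against real Get-ADUser objects.

```powershell
# Added example (not from the thread): lastLogonTimestamp decoding plus the
# replication-lag margin, evaluated on constructed sample accounts.

function ConvertFrom-LastLogonTimestamp {
    param($Value)
    # lastLogonTimestamp is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
    # HighPart*2^32 + LowPart, /600000000, /1440, + 1/1/1601 in the VBScript is
    # this same conversion. 0 or absent means no logon has ever replicated,
    # not a logon in 1601.
    if ($null -eq $Value -or [Int64]$Value -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc([Int64]$Value)
}

function Get-AccountStaleness {
    param(
        [Parameter(Mandatory)] $Account,        # needs SamAccountName, lastLogonTimestamp, whenCreated
        [int]$InactiveDays = 30,                # the policy threshold from the question
        [int]$ReplicationSlackDays = 14,        # assumed: default msDS-LogonTimeSyncInterval, value lags 9-14 days
        [DateTime]$Now = (Get-Date).ToUniversalTime()
    )
    $lastLogon = ConvertFrom-LastLogonTimestamp $Account.lastLogonTimestamp
    # An account that never logged on carries no timestamp at all; age it from
    # whenCreated so a freshly created account is not disabled on day one.
    $reference = if ($lastLogon) { $lastLogon } else { $Account.whenCreated.ToUniversalTime() }
    $idleDays  = [int][Math]::Floor(($Now - $reference).TotalDays)
    [PSCustomObject]@{
        SamAccountName = $Account.SamAccountName
        LastLogonUtc   = $lastLogon
        IdleDays       = $idleDays
        # A stored value of "30 days ago" only proves there was no logon more
        # than ~16 days ago, so require InactiveDays + slack before flagging.
        IsStale        = ($idleDays -ge ($InactiveDays + $ReplicationSlackDays))
    }
}

# Constructed sample data (not real accounts), evaluated at a fixed "now".
$now = [DateTime]::SpecifyKind([DateTime]'2010-03-01', [DateTimeKind]::Utc)
$samples = @(
    [PSCustomObject]@{ SamAccountName = 'alice'; lastLogonTimestamp = $now.AddDays(-5).ToFileTimeUtc();  whenCreated = $now.AddYears(-2) }
    [PSCustomObject]@{ SamAccountName = 'bob';   lastLogonTimestamp = $now.AddDays(-35).ToFileTimeUtc(); whenCreated = $now.AddYears(-2) }  # past 30 days, inside the slack
    [PSCustomObject]@{ SamAccountName = 'carol'; lastLogonTimestamp = $now.AddDays(-60).ToFileTimeUtc(); whenCreated = $now.AddYears(-2) }  # stale
    [PSCustomObject]@{ SamAccountName = 'dave';  lastLogonTimestamp = $null;                              whenCreated = $now.AddDays(-3) }   # new, never logged on
    [PSCustomObject]@{ SamAccountName = 'erin';  lastLogonTimestamp = 0;                                  whenCreated = $now.AddDays(-120) } # old, never logged on
)
$samples | ForEach-Object { Get-AccountStaleness -Account $_ -Now $now } | Format-Table -AutoSize

# Against a real domain (RSAT ActiveDirectory module), the same check is:
# Get-ADUser -Filter * -Properties lastLogonTimestamp, whenCreated | ForEach-Object { Get-AccountStaleness $_ }
```

With these inputs only carol and erin come back as stale: bob is past the 30-day policy but the value on the DC he last used may simply not have replicated yet, and dave's missing timestamp is treated as "created three days ago", not "idle since 1601".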
Joseph DalyCommented:
I would agree with MKline, oldcmp is definitely the best method of doing this and the one that I use. I am pretty detailed when I go through deleting accounts. What I do is find the unused accounts, move them to a specific OU, change their password, then wait to see if anyone calls in.

Find accounts older than 90 days
oldcmp -report -users -age 90 -llts

find and move to an ou of your choice
oldcmp -users -age 90 -llts -move -newparent "OU=SomeOU,DC=domain,DC=com" -unsafe -forreal

Change all users passwords to something
dsquery user "OU=SomeOU,DC=domain,DC=com" -limit 0 | dsmod user -pwd Terminated!

This way, if a user tries logging in they won't be able to, and hopefully we get a call so we can reactivate their account before we delete it.
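The staged approach Joseph Daly describes (find, move, disable, wait, delete), run as the scheduled task bswinnerton suggests, as an added example that is not code from this thread, from oldcmp or from the linked articles. It uses the RSAT ActiveDirectory module instead of oldcmp/dsquery/dsmod, which assumes a DC that answers ADWS (native on 2008 R2 and later, or the Active Directory Management Gateway Service installed on the 2003 SP2 DCs from the question). The two OU names, the 14-day slack figure and the description marker are placeholders chosen for the example. One difference from the dsquery user -disabled loop posted earlier, which enumerates every disabled user in the domain regardless of why or when it was disabled: stage 2 here deletes only accounts that stage 1 itself disabled, recognised by the date it stamped into the description, so deliberately disabled accounts and anyone an admin re-enabled after calling in are left alone. Without -Apply the script only reports.

```powershell
# Added example (not the thread's code): disable -> quarantine -> delete as one
# scheduled script. Read-only unless -Apply is given.
[CmdletBinding()]
param(
    [int]$DisableAfterDays = 30,
    [int]$DeleteAfterDays  = 60,
    [int]$ReplicationSlackDays = 14,                                # assumed: lastLogonTimestamp can lag 9-14 days
    [string]$SearchBase   = 'OU=Staff,DC=domain,DC=com',            # placeholder; scope to people, not service/admin OUs
    [string]$QuarantineOU = 'OU=Disabled-Stale,DC=domain,DC=com',   # placeholder; must already exist
    [switch]$Apply
)
Import-Module ActiveDirectory
$marker = 'StaleDisabled'   # written into description so stage 2 only deletes what stage 1 disabled

function Get-LastActivity {
    param($User)
    # FILETIME ticks since 1601 UTC; 0/absent means never logged on, so age from whenCreated
    if ($User.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($User.lastLogonTimestamp) }
    else { $User.whenCreated.ToUniversalTime() }
}

# Stage 1: enabled accounts idle longer than policy + replication slack are
# disabled, stamped with today's date, and moved out of the production OU.
$disableCutoff = (Get-Date).ToUniversalTime().AddDays(-($DisableAfterDays + $ReplicationSlackDays))
Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } -Properties lastLogonTimestamp, whenCreated |
    ForEach-Object {
        $last = Get-LastActivity $_
        if ($last -lt $disableCutoff) {
            Write-Output ("DISABLE {0} (last activity {1:yyyy-MM-dd})" -f $_.SamAccountName, $last)
            if ($Apply) {
                Disable-ADAccount -Identity $_
                Set-ADUser -Identity $_ -Description ("{0} {1:yyyy-MM-dd} lastActivity={2:yyyy-MM-dd}" -f $marker, (Get-Date), $last)
                Move-ADObject -Identity $_.DistinguishedName -TargetPath $QuarantineOU
            }
        }
    }

# Stage 2: delete only accounts that are still disabled, sit directly in the
# quarantine OU, and carry a stage-1 stamp older than the delete threshold.
$deleteCutoff = (Get-Date).AddDays(-$DeleteAfterDays)
Get-ADUser -SearchBase $QuarantineOU -SearchScope OneLevel -Filter { Enabled -eq $false } -Properties description |
    ForEach-Object {
        if ($_.description -match "^$marker (\d{4}-\d{2}-\d{2})") {
            $disabledOn = [DateTime]::ParseExact($Matches[1], 'yyyy-MM-dd', [Globalization.CultureInfo]::InvariantCulture)
            if ($disabledOn -lt $deleteCutoff) {
                Write-Output ("DELETE {0} (disabled {1})" -f $_.SamAccountName, $Matches[1])
                if ($Apply) { Remove-ADUser -Identity $_ -Confirm:$false }
            }
        }
    }
```

Schedule it daily and review the output for a few weeks before adding -Apply. The description stamp is what makes the second stage safe: Active Directory does not record when an account was disabled, so without some marker a "delete disabled accounts older than 60 days" step has nothing to measure from and ends up matching every disabled account it can see.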