Automatic Disable and Delete of User Accounts

Hey there,
Is there a way I can use a GPO to disable accounts that haven't logged on for 30 days, and then delete the account after 60?

I am using Windows Server 2003 domain controllers.  3 overall DCs.

Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

bswinnertonConnect With a Mentor Commented:
Unfortunately, no. Group Policy does not support the disabling of accounts.

What you'll need to do is create a script and make it a scheduled task. You'll want to look into both DSQUERY and DSGET.

The following script courtesy of: outputs them to a txt file:

@echo off
if not {%1}{} if /i {%1} NEQ {/D} @echo syntax: Disabled /D&goto :EOF
set delete=N
if not {%1}{} set delete=%1
if exist Disabled.txt del /q disabled.txt
for /f "Tokens=*" %%u in ('dsquery user -disabled') do set UDN=%%u&call :disa
goto :EOF
set LN=
for /f "Skip=1 Tokens=*" %%i in ('dsget user %UDN% -ln') do if /i "%%i" NEQ "dsget succeeded" set LN=%%i#
set LN=%LN:  #=%
set LN=%LN: #=%
set LN=%LN:#=%
if {%LN%} EQU {} goto :EOF
if /i "%delete%" NEQ "/D" goto report
call :del>nul 2>&1
if %ERRORLEVEL% EQU 0 goto report
@echo %UDN% failed to delete.>>Disabled.txt
goto :EOF
@echo %UDN%>>Disabled.txt
goto :EOF
dsrm %UDN% -noprompt
Yes you can create a script that will do that.

For example a VB Script:
Set objUser = GetObject("LDAP://cn=Ken Myer, ou=Finance, dc=fabrikam,
Set objLastLogon = objUser.Get("lastLogonTimestamp")
intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
intLastLogonTime = intLastLogonTime / (60 * 10000000)
intLastLogonTime = intLastLogonTime / 1440
Wscript.Echo "Last logon time: " & intLastLogonTime + #1/1/1601#

You can combine this with script from bellow link and it should work for disable account:
Similar is for delete.

Hope that helps.
Mike KlineCommented:
Another great method is using old computer by Joe Richards (also works for users)

oldcmp -report -age 30 -users -llts

That will give you the report and you can also use oldcmp to disable and delete

I would disable after 60 or 90,

As you can see lastlogontiemstamp is accurate up to 9-14 days so with 30 days you may get some users on vacation etc....but that is why your plan to disable first is good and a best practice because it only takes a few seconds to enable them.

...and as you can see by the name of the tool you can identify old machines too


Joseph DalyCommented:
I would agree with MKline oldcmp is definitely the best method of doing and the one that I use. I am pretty detailed when i go through deleting accounts. What I do is find the unused accounts, move them to a specific OU, change their password then wait to see if anyone calls in.

Find accounts older than 90 days
oldcmp -report -users -age 90 -llts

find and move to an ou of your choice
oldcmp -users -age 90 -llts -move -newparent "OU=SomeOU,DC=domain,DC=com" -unsafe -forreal

Change all users passwords to something
dsquery user "OU=SomeOU,DC=domain,DC=com" -limit 0 | dsmod user -pwd Terminated!

This way if a user tries logging in they wont be able to and hopefully we get a call so we can reactivate their account before we delete it.
All Courses

From novice to tech pro — start learning today.