Searching Accounts on DC That Haven't Been Logged Into For X Amount of Time

What would the dsquery command be if I wanted to search all users that hadn't logged on for say, 3 months that have their account enabled still?

I want to make sure all the accounts in my company have been closed off and haven't been left open after they've left.
AdamB1988 Asked:

MegaNuk3 Commented:
Are you specifically looking for a DSQUERY command or will any other option that works be OK?

Have a look at this blog, which talks about using windows powershell and the free Quest cmdlets to do that: http://jonathanmedd.blogspot.com/2009/01/powershell-active-directory-one-liners.html
0
AdamB1988 Author Commented:
Thanks for this - I'll look into the PowerShell options, but a dsquery command would be easier for me to use :)
0
MegaNuk3 Commented:
Or a nice VBScript that will even move the accounts to another OU if you want:
http://www.codeproject.com/KB/vbscript/Disable_Stale_AD_Users.aspx 
0
MegaNuk3 Commented:
For DSQUERY you are going to need something like this:
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(lastLogon<=27604693676718750))" -scope subtree

but working out the lastLogon value is really a pain because it is the number of 100-nanosecond intervals since January 1, 1601 (UTC)
http://msdn.microsoft.com/en-us/library/ms676823
0
abhijeet11160 Commented:
Hi,

Check out the LDAP query:

# Bind to the root of the current domain
$adobjroot = [adsi]''
$objdisabsearcher = New-Object System.DirectoryServices.DirectorySearcher($adobjroot)
# Bitwise AND match on userAccountControl bit 2 (ACCOUNTDISABLE): returns disabled user accounts
$objdisabsearcher.filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
$resultdisabaccn = $objdisabsearcher.findall() | sort path
0
martingagnon Commented:
Hi, you can use the following simple DSQuery command

dsquery user -inactive 12

-Inactive : Searches for users who have been inactive (stale) for at least the number of weeks that you specify.

0

AdamB1988 Author Commented:
Exactly what I wanted
0
MegaNuk3 Commented:
Thanks martingagnon, never heard of that one... Learn something new every day.
0
AdamB1988 Author Commented:
I tried this and it works fine, as you can see by the accepted solution. Is there a way to add in if an account is enabled and has been inactive? I know the command is disabled, so would it be something like:

dsquery user -inactive 12 disabled no

?
0
martingagnon Commented:
Hi

that would do the trick
dsquery user -inactive 12 -disabled

If you want to get the Distinguished name of the account, use this command
dsquery user -inactive 12 -disabled | dsget user -DN

To output to a text file, use > c:\dsget.txt at the end of the command. Example:
dsquery user -inactive 12 -disabled | dsget user -DN > c:\inactiveuser.txt

If you want to delete those accounts without a prompt:
dsquery user -inactive 12 -disabled | dsrm -noprompt
0
AdamB1988 Author Commented:
Nearly there, that brings up all the users that are disabled. I just want to see enabled accounts that haven't been logged onto for say 5 weeks. What is the limit command so it doesn't limit itself to a certain amount?
0
martingagnon Commented:
Okay then

dsquery user -inactive  -limit 0 | dsget user -Display -Disabled

The -Limit parameter specifies the number of objects to return that matches the criteria that you specify. If you specify a value of 0, this parameter returns all matching objects. If you do not specify this parameter, dsquery displays the first 100 results by default.

The -Disabled parameter displays whether user accounts are disabled for logon (yes) or not (no).



0
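Added example (not part of any post in this thread): a PowerShell sketch that computes the 1601-based cutoff value discussed above and returns only enabled accounts that are stale or have never logged on. It assumes a domain-joined machine; $DaysInactive and the output column names are illustrative choices, and it filters on lastLogonTimestamp rather than the per-DC lastLogon attribute.

```powershell
# Added example: enabled user accounts with no recorded logon in the last N days.
# $DaysInactive and the output column names are assumptions chosen for illustration.
param([int]$DaysInactive = 90)

# AD stores logon times as FILETIME: 100-ns intervals since 1601-01-01 UTC.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$DaysInactive).ToFileTimeUtc()

# lastLogonTimestamp replicates between DCs (lastLogon does not), but by default it is
# only refreshed every 9-14 days, so treat anything near the cutoff as approximate.
# (!(userAccountControl:...:=2)) excludes accounts with the ACCOUNTDISABLE bit set.
# The OR branch also catches enabled accounts that have never logged on at all.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*))))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi]'')
$searcher.Filter   = $filter
$searcher.PageSize = 1000   # page through results instead of stopping at the server size limit
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]@('sAMAccountName', 'distinguishedName', 'lastLogonTimestamp'))

$results = $searcher.FindAll()
try {
    $results | ForEach-Object {
        $p = $_.Properties   # property names are returned in lowercase
        $last = $null        # stays $null for accounts that never logged on
        if ($p.Contains('lastlogontimestamp')) {
            $last = [DateTime]::FromFileTimeUtc([int64]$p['lastlogontimestamp'][0])
        }
        [pscustomobject]@{
            Account      = [string]$p['samaccountname'][0]
            LastLogonUtc = $last
            DN           = [string]$p['distinguishedname'][0]
        }
    } | Sort-Object LastLogonUtc
}
finally {
    $results.Dispose()       # release the unmanaged search handle
}
```

Review the list (service accounts and recently created users often appear in it) before disabling or removing anything.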