Disable inactive users from AD

Hi chris,

I am getting dtmLastLogon value for all users as 01/01/1601.
The script is returning all users even though some of them has logged in today.

I am running the updated script as mentioned below :

Option Explicit

' Report File Name
Const REPORT_FILE = "Test.txt"

' Inactive period in days

' Creating the date filter
Dim dblInt8 : dblInt8 = CDbl(DateDiff("s", CDate("01/01/1601 00:00:00"), _

Dim strLdapFilter : strLdapFilter = "(&(objectCategory=person)(objectClass=user))"
' (lastLogonTimeStamp<=" & _
'CStr(dblInt8) & "0000000))"

Dim objConnection : Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Dim objCommand : Set objCommand = Createobject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000

Dim objRootDSE : Set objRootDSE = GetObject("LDAP://RootDSE")

objCommand.CommandText = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">;" & _
strLdapFilter & ";name,distinguishedName,lastLogonTimeStamp;subtree"

Dim objRecordSet : Set objRecordSet = objCommand.Execute

Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim objFile : Set objFile = objFSO.OpenTextFile(REPORT_FILE, 2, True, 0)

Do Until objRecordSet.EOF
Dim dtmLastLogon : dtmLastLogon = CDate("01/01/1601 00:00:00")
If Not IsNull(objRecordSet.Fields("lastLogonTimeStamp")) Then
 Dim objLastLogon : Set objLastLogon = objRecordSet.Fields("lastLogonTimeStamp").Value
 dtmLastLogon = CDate(((objLastLogon.HighPart * (2^32) + objLastLogon.LowPart) / 864000000000) + #01/01/1601#)
End If

If dtmLastLogon < (Date - INACTIVE_DAYS) Then

 objFile.WriteLine objRecordSet.Fields("name").Value & vbTab & _
objRecordSet.Fields("distinguishedName").Value & vbTab & _

 ' For debugging:
  WScript.Echo objRecordSet.Fields("name").Value & vbTab & _
 objRecordSet.Fields("distinguishedName").Value & vbTab & _
End If

Please let me know any other option available to get inactive user list and move them to disable OU.


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Krzysztof PytkoSenior Active Directory EngineerCommented:
You can use DS Tools command. Log on to DC or workstation with administrative tools installed and type in command-line

dsquery user -inactive <number_of_weeks> -limit 0 | dsmove -newparent "ou=disabled,dc=fdqn"

i.e. Disabled OU in testenv.local domain

dsquery user -inactive 5 -limit 0 | dsmove -newparent "ou=disabled,dc=testenv,dc=local"

Krzysztof PytkoSenior Active Directory EngineerCommented:
or you can follow oldCMD command from Awinish' post on EE

Krzysztof PytkoSenior Active Directory EngineerCommented:
OK, one more question. Your questions are about disabling user accounts not moving them?

If so,

then to disable user follow this command

dsquery user -inactive <number_of_weeks> -limit 0 | dsmod user -disabled yes

Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

Chris DentPowerShell DeveloperCommented:

lastLogonTimeStamp can take up to 14 days to update. It is not a reliable metric for measuring inactivity over very short time-spans.

lastLogon is more accurate, but does not replicate and requires you to check all DCs.

Have you considered using OldCmp (http://www.joeware.net/freetools/tools/oldcmp/index.htm)? Dispite it's name it works for user accounts as well as computer accounts, it reports on pretty much all of the available attributes for determining account use.

shekharshoorAuthor Commented:

We would be having service accounts as a part of this AD how can we ignore these ID while querying?
shekharshoorAuthor Commented:
Can we run below command on specific OU ?

dsquery user -inactive <number_of_weeks> -limit 0 | dsmod user -disabled yes

Krzysztof PytkoSenior Active Directory EngineerCommented:
I would suggest put those service account names into text file (each service account login in separate line), save them as i.e. serv_acc.txt and create this batch file for task scheduler or manual execution

@echo off

REM Section for disabling all accounts that were not used for 6 weeks
dsquery user -inactive 6 -limit 0 | dsmod user -disabled yes

REM Section which enables all service accounts from file
for /f %%i (c:\serv_acc.txt) do dsquery user -samid %%i | dsmod user -disabled no

REM Section where disabled accounts are moved to Disabled OU
dsquery user -disabled -limit 0 | dsmove -newparent "ou=disabled,dc=fqdn"

save as dis_account.cmd


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Krzysztof PytkoSenior Active Directory EngineerCommented:
yes of course you can :)

dsquery user "ou=OU_name,dc=FQDN" -inactive <number_of_weeks> -limit 0 | dsmod user -disabled yes

to exclude service account ...just export your query in CSV format and remove the service aacount and disable the rest.....
shekharshoorAuthor Commented:
Hello Krzysztof

i will test this script and will let you know.

Thx again.
Krzysztof PytkoSenior Active Directory EngineerCommented:
Hello Shekhar,

you're welcome :) OK, I'm awaiting for next info

TechnoChatWintel Administrator / Cloud ComputingCommented:
I used this script using oldcmp (http://www.joeware.net/freetools/tools/oldcmp/index.htm)  for disable inactive users for 60 days and move them to a separate domain and then delete them if required.

Note : use -unsafe -forreal parameter with care.

Saugata Datta

@echo off
oldcmp -users -age 60 -disable -newparent "ou=new location,dc=yourdomain,dc=com" -excldn "ou=new location;ou=Important OU;cn=users;cn=builtin" -unsafe -forreal

Open in new window

shekharshoorAuthor Commented:
Krzysztof ,

In the above script the service accounts will be disabled first and then enabled using the account read name from csv file.
Will this will impact the services based on the service accounts?

Krzysztof PytkoSenior Active Directory EngineerCommented:
Nope, this is only couple of seconds when they will be disabled. Almost invisible for services :) Shouldn't affect them at all. I'm using this kind of script in my env and nothing wrong has happened :)

Ben Personick (Previously QCubed)Lead SaaS Infrastructure EngineerCommented:
Actually I hate to be a stickler, but it IS possible to cause problems if you do it this way, if you disable and then re-enable the count it's possible the services they are running under are hitting shares, o authenticating or who knows what at that time, to be truly bullet proof, you should compare the users before hand and only disable the ones which need to be disabled.  Even in the space of a few seconds a service might start authenticating repeatedly, lock itself out, and then never become corrected again until the account is manually unlocked..
shekharshoorAuthor Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.