Link to home
Create AccountLog in
Avatar of shekharshoor
shekharshoorFlag for India

asked on

Disable inactive users from AD

Hi chris,

I am getting dtmLastLogon value for all users as 01/01/1601.
The script is returning all users even though some of them has logged in today.

I am running the updated script as mentioned below :

Option Explicit

' Report File Name
Const REPORT_FILE = "Test.txt"

' Inactive period in days

' Creating the date filter
Dim dblInt8 : dblInt8 = CDbl(DateDiff("s", CDate("01/01/1601 00:00:00"), _

Dim strLdapFilter : strLdapFilter = "(&(objectCategory=person)(objectClass=user))"
' (lastLogonTimeStamp<=" & _
'CStr(dblInt8) & "0000000))"

Dim objConnection : Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Dim objCommand : Set objCommand = Createobject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000

Dim objRootDSE : Set objRootDSE = GetObject("LDAP://RootDSE")

objCommand.CommandText = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">;" & _
strLdapFilter & ";name,distinguishedName,lastLogonTimeStamp;subtree"

Dim objRecordSet : Set objRecordSet = objCommand.Execute

Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim objFile : Set objFile = objFSO.OpenTextFile(REPORT_FILE, 2, True, 0)

Do Until objRecordSet.EOF
Dim dtmLastLogon : dtmLastLogon = CDate("01/01/1601 00:00:00")
If Not IsNull(objRecordSet.Fields("lastLogonTimeStamp")) Then
 Dim objLastLogon : Set objLastLogon = objRecordSet.Fields("lastLogonTimeStamp").Value
 dtmLastLogon = CDate(((objLastLogon.HighPart * (2^32) + objLastLogon.LowPart) / 864000000000) + #01/01/1601#)
End If

If dtmLastLogon < (Date - INACTIVE_DAYS) Then

 objFile.WriteLine objRecordSet.Fields("name").Value & vbTab & _
objRecordSet.Fields("distinguishedName").Value & vbTab & _

 ' For debugging:
  WScript.Echo objRecordSet.Fields("name").Value & vbTab & _
 objRecordSet.Fields("distinguishedName").Value & vbTab & _
End If

Please let me know any other option available to get inactive user list and move them to disable OU.


Avatar of Krzysztof Pytko
Krzysztof Pytko
Flag of Poland image

You can use DS Tools command. Log on to DC or workstation with administrative tools installed and type in command-line

dsquery user -inactive <number_of_weeks> -limit 0 | dsmove -newparent "ou=disabled,dc=fdqn"

i.e. Disabled OU in testenv.local domain

dsquery user -inactive 5 -limit 0 | dsmove -newparent "ou=disabled,dc=testenv,dc=local"

OK, one more question. Your questions are about disabling user accounts not moving them?

If so,

then to disable user follow this command

dsquery user -inactive <number_of_weeks> -limit 0 | dsmod user -disabled yes


lastLogonTimeStamp can take up to 14 days to update. It is not a reliable metric for measuring inactivity over very short time-spans.

lastLogon is more accurate, but does not replicate and requires you to check all DCs.

Have you considered using OldCmp ( Dispite it's name it works for user accounts as well as computer accounts, it reports on pretty much all of the available attributes for determining account use.

Avatar of shekharshoor



We would be having service accounts as a part of this AD how can we ignore these ID while querying?
Can we run below command on specific OU ?

dsquery user -inactive <number_of_weeks> -limit 0 | dsmod user -disabled yes

Avatar of Krzysztof Pytko
Krzysztof Pytko
Flag of Poland image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
yes of course you can :)

dsquery user "ou=OU_name,dc=FQDN" -inactive <number_of_weeks> -limit 0 | dsmod user -disabled yes

to exclude service account ...just export your query in CSV format and remove the service aacount and disable the rest.....
Hello Krzysztof

i will test this script and will let you know.

Thx again.
Hello Shekhar,

you're welcome :) OK, I'm awaiting for next info

I used this script using oldcmp (  for disable inactive users for 60 days and move them to a separate domain and then delete them if required.

Note : use -unsafe -forreal parameter with care.

Saugata Datta

@echo off
oldcmp -users -age 60 -disable -newparent "ou=new location,dc=yourdomain,dc=com" -excldn "ou=new location;ou=Important OU;cn=users;cn=builtin" -unsafe -forreal

Open in new window

Krzysztof ,

In the above script the service accounts will be disabled first and then enabled using the account read name from csv file.
Will this will impact the services based on the service accounts?

Nope, this is only couple of seconds when they will be disabled. Almost invisible for services :) Shouldn't affect them at all. I'm using this kind of script in my env and nothing wrong has happened :)

Actually I hate to be a stickler, but it IS possible to cause problems if you do it this way, if you disable and then re-enable the count it's possible the services they are running under are hitting shares, o authenticating or who knows what at that time, to be truly bullet proof, you should compare the users before hand and only disable the ones which need to be disabled.  Even in the space of a few seconds a service might start authenticating repeatedly, lock itself out, and then never become corrected again until the account is manually unlocked..