AD Query for accounts in one OU last modified X days ago

Posted on 2011-04-29
Last Modified: 2012-05-11
My organization is trying to streamline our Active Directory cleanup.  Our policy is to leave the accounts of terminated employees in the Disabled Users OU for 30 days.  After 30 days, the account is deleted, pending approval of HR.  

What I am looking for is a query that I can import into AD Users and computers that will do the following:

Search just the Disabled Users OU
List any accounts that have a Modified Date greater than X days from the current date.

I am not looking for third party tools, as once this process is up and running, it will be delegated to our Help Desk.

I also realize that you can sort the Disabled Users List by Modified date and select the accounts to delete manually, but management wants the process to be as automated as possible.

Any assistance would be greatly appreciated.
Question by: minder49
    LVL 4

    Expert Comment

    You need to query for the lastLogonTimestamp attribute.

    You need to make sure the domain functional level is 2003 and then you can use

    dsquery user domainroot -inactive 4 <-- # of weeks
    LVL 3

    Author Comment

    That will not work.  The user's last log on time could conceivably have been 3 months ago, and they were just terminated.  Think of an employee going on maternity leave, or short term disability, and deciding to not return to work.  That puts their time stamp well outside the retention period.  Add to that this line from the article you linked to:

    "With default settings in place the lastLogontimeStamp will be 9-14 days behind the current date. "

    This is why I want the query to be based off of Modified Date, since that date reflects when the account was placed in the Disabled Users OU, and starts the clock on our retention policy.

    Our Domain Functional Level is 2003.

    The goal of this query was to help make the process as turn-key as possible.  This will be something that we hand to the Help Desk to run, so it needs to be as simple as possible.

    Thank you for your input.
    LVL 3

    Expert Comment

    You can actually do that within AD.
    You can define the query yourself. I have tried to do that for you, but the issue is it is using my AD and OU structure.
    I am attaching two screenshots; I hope they will help you to define it.

    Once you have created the query, save it with a name and description; then you can export that and import it to any other computer.
    You can select 30 days or 60 days and select any OU you like.
    Attachment: Doc1.docx
    LVL 3

    Author Comment

    I see where you are headed there, but this also will not work since it is also based on last log on time.  I just tried the query in your screenshot, and it came back with numerous users that were only terminated in the past week.  After looking at logs for a few of them, I think this is because they just locked their workstations at the end of the day and did not log off.  That will skew the date.

    As far as I can see, the Modified Date on the accounts in Disabled Users is the most accurate date to use.

    Thank you for your input.
    LVL 6

    Accepted Solution

    How about this.  Create an advanced query for the Disabled Users OU that looks like this:

    LVL 6

    Expert Comment

    That query would return everything modified after 8PM on January 4 2010. The date/time
    is UTC, so you will have to factor in the timezone delta.

    Never done this before, but I think that's how it would be done.
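    The accepted answer's filter keys off whenChanged with a hard-coded UTC timestamp, which an ADUC saved query cannot recompute on each run. The script below is an added example and not code posted in this thread: it builds that same whenChanged filter from "X days ago", converting the cutoff to UTC first, and runs it scoped to one OU with the DirectorySearcher class built into PowerShell 2.0, so it needs neither the AD module nor third-party tools and works against a 2003 functional level domain. The OU path, domain DN and DC name are assumptions to replace with your own; the function name is mine.

```powershell
# Added example, not code from the thread. Lists user accounts in one OU whose
# whenChanged is at least $Days old, using the DirectorySearcher class that ships
# with .NET / PowerShell 2.0 (no AD module, no third-party tools), so it runs
# against a Windows Server 2003 domain. The OU, domain DN and DC are assumptions.

function Get-StaleDisabledUser {
    param(
        [int]$Days = 30,
        [string]$SearchBase = "OU=Disabled Users,DC=corp,DC=example",  # assumed OU
        [string]$Server = ""    # optional DC to pin, e.g. "dc01.corp.example"
    )

    # whenChanged is compared as an LDAP generalized-time string and is stored
    # in UTC, so convert the cutoff to UTC before formatting it (the "timezone
    # delta" noted above). Example result: 20110330140500.0Z
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyyMMddHHmmss") + ".0Z"

    # User objects that have the ACCOUNTDISABLE bit (0x2) set in
    # userAccountControl (1.2.840.113556.1.4.803 is the bitwise-AND matching
    # rule) and have not been modified since the cutoff. The disabled-bit test
    # keeps an enabled account that was dropped in the OU by mistake off the
    # deletion list.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=2)" +
              "(whenChanged<=$cutoff))"

    $path = if ($Server) { "LDAP://$Server/$SearchBase" } else { "LDAP://$SearchBase" }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry($path)
    $searcher.Filter      = $filter
    $searcher.SearchScope = "OneLevel"   # this OU only; "Subtree" would include child OUs
    $searcher.PageSize    = 1000         # paged search, so more than 1000 matches come back
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@("sAMAccountName", "displayName", "whenChanged", "distinguishedName"))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        New-Object PSObject -Property @{
            SamAccountName    = [string]($p["samaccountname"]    | Select-Object -First 1)
            DisplayName       = [string]($p["displayname"]       | Select-Object -First 1)
            WhenChanged       = [datetime]($p["whenchanged"]     | Select-Object -First 1)
            DistinguishedName = [string]($p["distinguishedname"] | Select-Object -First 1)
        }
    }
}

# Help Desk usage: review this list, get HR sign-off, then delete. Nothing here deletes.
Get-StaleDisabledUser -Days 30 |
    Sort-Object WhenChanged |
    Format-Table SamAccountName, DisplayName, WhenChanged -AutoSize

# Built-in command-line equivalent (dsquery ships with the 2003 admin tools). The
# cutoff has to be typed in UTC by hand each time, which is why the script above
# computes it instead:
#   dsquery * "OU=Disabled Users,DC=corp,DC=example" -scope onelevel -limit 0 -attr sAMAccountName whenChanged -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(whenChanged<=20110330000000.0Z))"
```

Two caveats before handing this to the Help Desk. whenChanged is not a replicated attribute: each DC stamps it when it applies the change, so two DCs can disagree by the replication lag; pin one DC with -Server if the list must be identical from run to run. And any write to the user object restarts the clock, including someone editing the description or a script touching the account, which is what makes the move into the OU start the 30 days but also means an account that gets "touched" will not appear until 30 days after that touch.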
    LVL 57

    Expert Comment

    by: Mike Kline
    So I'm usually a huge fan of adfind for this.  There is also a really great free tool called adinfo

    See my screenshots



    LVL 3

    Author Comment


    That is the closest solution to the requirements I have seen.  When I get back to work Monday I will test it out and bring the Help Desk in to run them through it a few times.


    I like the look of adinfo, but we cannot use third party apps.  But thank you for adding another tool to my kit!
    LVL 67

    Expert Comment

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
