WellingtonIS

Tracking Unused AD accounts

Is there software or perhaps some way I can track Active Directory User accounts that have not been used within 90 days?
Joseph Moody

http://automatedoutofajob.blogspot.com/2012/06/powershell-script-of-day-disable-old.html

You will need to download the Quest AD cmdlets and change the areas in that script that call for QAD-Computer to Q-ADUSER.
WellingtonIS

ASKER

I don't want to automatically disable them, just identify them.
That script has a -whatif command in it. It will just list the users.
ASKER CERTIFIED SOLUTION
noufs

This solution is only available to members.
I am a big fan of OLDCMP by joeware. This tool will let you search and find unused computer and user accounts as well as perform actions on those accounts if desired.

http://www.joeware.net/freetools/tools/oldcmp/
Thanks everyone, I'll check it out.
By the way, if you're not looking to automate this task, and you don't want to spend money, the value in AD to look at is the LastLogonTimestamp. That value gets replicated across domain controllers. I believe there is a 14-day shift on the value, so you won't want to remove anyone less than 14 days back for a LastLogonTimestamp. See the following website: http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
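
The LastLogonTimestamp approach from the post above, as an added example that is not part of the original thread: a report-only PowerShell function that decodes the attribute and classifies each account against the 90-day threshold from the question, allowing for the 14-day lag the post mentions. The function name, status labels and sample accounts are constructed for illustration; `Get-ADUser` comes from Microsoft's ActiveDirectory module.

```powershell
# Added example, read-only: classify accounts by lastLogonTimestamp.
function Get-LogonStaleness {          # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $InactiveDays = 90,      # threshold from the question
        [int] $SyncLagDays  = 14,      # the "14 day shift" from the post
        [datetime] $Now = [datetime]::UtcNow
    )
    process {
        $cutoff = $Now.AddDays(-$InactiveDays)
        $raw    = $User.lastLogonTimestamp
        $last   = $null
        if (-not $raw) {
            # Attribute never set: judge by account age instead.
            $created = ([datetime]$User.whenCreated).ToUniversalTime()
            if ($created -lt $cutoff) { $status = 'NeverLoggedOn' } else { $status = 'New' }
        } else {
            # FILETIME: 100 ns intervals since 1601-01-01 UTC.
            $last = [datetime]::FromFileTimeUtc([int64]$raw)
            if     ($last -ge $cutoff)                        { $status = 'Active' }
            elseif ($last.AddDays($SyncLagDays) -ge $cutoff) { $status = 'Borderline' }
            else                                               { $status = 'Stale' }
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            LastLogonUtc   = $last
            Status         = $status
        }
    }
}

# Constructed sample objects (not real accounts) so the logic runs without a domain.
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; whenCreated = $now.AddDays(-400); lastLogonTimestamp = $now.AddDays(-3).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'bob';   whenCreated = $now.AddDays(-400); lastLogonTimestamp = $now.AddDays(-97).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'carol'; whenCreated = $now.AddDays(-400); lastLogonTimestamp = $now.AddDays(-200).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'dave';  whenCreated = $now.AddDays(-120); lastLogonTimestamp = $null }
)
$sample | Get-LogonStaleness -Now $now | Format-Table -AutoSize

# Live domain (ActiveDirectory module from RSAT); reports only, changes nothing:
# Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
#     Get-LogonStaleness | Where-Object Status -in 'Stale', 'NeverLoggedOn'
```

A `Borderline` result means the stored value is older than the threshold but may hide a more recent logon because of the update lag; the per-DC, non-replicated `lastLogon` attribute can confirm those accounts.
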
http://www.ldapbrowser.com/

Works like a boss! ;) And it's free.
Decided to use this tool because it was easiest and it works well with Windows 7. Thanks everyone.