Does GPO / AD has feature or policy that could disable accounts that are inactive
for a certain number of days?
There are PowerShell scripts around but we are told to disable/remove Powershell
due to fileless attacks.
Ideally a windows batch or VB script.
I noticed ' net user /domain userid | find "Last logon" ' has a date : if we could
iterate through all domain IDs & calculate based on this date, it will help.
There's oldcmp tool which seems to work for Win 2012 R2 AD but the csv output
it gives doesn't seem to provide any domain id in it or I've used it wrongly?