sunhux
asked on
Windows batch script to list / disable /delete dormant AD accounts
Does GPO / AD have a feature or policy that could disable accounts that are inactive
for a certain number of days?
There are PowerShell scripts around but we are told to disable/remove PowerShell
due to fileless attacks.
Ideally a Windows batch or VB script.
I noticed ' net user /domain userid | find "Last logon" ' has a date: if we could
iterate through all domain IDs & calculate based on this date, it will help.
There's the oldcmp tool, which seems to work for Win 2012 R2 AD, but the csv output
it gives doesn't seem to provide any domain id in it or I've used it wrongly?
ASKER
Ok, was looking for something that can be placed in a scheduler:
missed that Shaun's utility could be scheduled.
Am a die-hard of basic scripts as they are not going to be
end-of-life with newer versions of AD/Windows.
Thanks.
"Ok, was looking for something that can be placed in a scheduler:"
Yes
"missed that Shaun's utility could be scheduled."
"end-of-life with newer versions of AD/Windows."
Technically VBS is end-of-life, just not end-of-support.
ASKER
will list all the users in the AD
Next, I'll need a batch script to iterate through each of the IDs,
extract their last logon date/time & do a calculation.
For users that I wanted to be exempted, give me an option to
' find/V list_of_users.txt file.txt > file2.txt '
& we'll work based on file2.txt
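
An added example, not part of the original thread: one way to do the list / exempt / disable loop described above in plain batch, using the AD DS command-line tools instead of parsing `net user` dates. It assumes `dsquery` and `dsmod` are installed on the machine running the task; the 13-week threshold and the `dormant.log` file name are illustrative, and `list_of_users.txt` is the asker's exemption list with one logon name per line.

```batch
@echo off
rem Added example, not from the thread. Run with no argument to report only,
rem or with "disable" as the first argument to disable the accounts found.
setlocal
set "WEEKS=13"
set "EXEMPT=list_of_users.txt"
set "LOG=dormant.log"
set "MODE=%~1"
if not defined MODE set "MODE=report"

>>"%LOG%" echo %DATE% %TIME% mode=%MODE% threshold=%WEEKS% weeks

rem dsquery -inactive counts whole weeks and relies on lastLogonTimestamp, which
rem is replicated between DCs but can lag a real logon by up to 14 days. The
rem "Last logon" shown by net user is held per DC and is not replicated.
for /f "delims=" %%U in ('dsquery user -inactive %WEEKS% -limit 0 -o samid') do (
  rem %%~U strips the quotes dsquery puts around each name.
  rem /x /i = whole-line, case-insensitive match against the exemption list.
  findstr /i /x /c:"%%~U" "%EXEMPT%" >nul 2>&1
  if errorlevel 1 (
    >>"%LOG%" echo DORMANT %%~U
    if /i "%MODE%"=="disable" (
      rem Resolve the logon name back to a DN and disable (not delete) it.
      dsquery user -samid "%%~U" | dsmod user -disabled yes >>"%LOG%" 2>&1
    )
  ) else (
    >>"%LOG%" echo EXEMPT %%~U
  )
)
endlocal
```

Run it in report mode first and review `dormant.log` before scheduling it with the `disable` argument; service accounts and break-glass accounts belong in the exemption list.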