sunhux
asked on
Windows batch script to list / disable /delete dormant AD accounts
Does GPO / AD has feature or policy that could disable accounts that are inactive
for a certain number of days?
There are PowerShell scripts around but we are told to disable/remove Powershell
due to fileless attacks.
Ideally a windows batch or VB script.
I noticed ' net user /domain userid | find "Last logon" ' has a date : if we could
iterate through all domain IDs & calculate based on this date, it will help.
There's oldcmp tool which seems to work for Win 2012 R2 AD but the csv output
it gives doesn't seem to provide any domain id in it or I've used it wrongly?
for a certain number of days?
There are PowerShell scripts around but we are told to disable/remove Powershell
due to fileless attacks.
Ideally a windows batch or VB script.
I noticed ' net user /domain userid | find "Last logon" ' has a date : if we could
iterate through all domain IDs & calculate based on this date, it will help.
There's oldcmp tool which seems to work for Win 2012 R2 AD but the csv output
it gives doesn't seem to provide any domain id in it or I've used it wrongly?
Last Comment
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
EXPERT CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Ok, was looking for something that can be placed in a scheduler:
missed that Shaun's utility could be scheduled.
Am a die-hard of basic scripts as they are not going to be
end-of-life with newer versions of AD/Windows.
Thanks.
missed that Shaun's utility could be scheduled.
Am a die-hard of basic scripts as they are not going to be
end-of-life with newer versions of AD/Windows.
Thanks.
Ok, was looking for something that can be placed in a scheduler:Yes
missed that Shaun's utility could be scheduled.
end-of-life with newer versions of AD/Windows.Technically VBS is end-of-life, just not end-of-support.
Active Directory
Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.
86K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
ASKER
will list all the users in the AD
Next is I'll need a batch script to iterate through each of the id,
extract their last logon date/time & do a calculation.
For users that I wanted to be exempted, give me an option to
' find/V list_of_users.txt file.txt > file2.txt '
& we'll work based on file2.txt