sunhux

asked on

Windows batch script to list / disable /delete dormant AD accounts

Does GPO / AD have a feature or policy that could disable accounts that are inactive
for a certain number of days?

There are PowerShell scripts around, but we are told to disable/remove PowerShell
due to fileless attacks.

Ideally a Windows batch or VB script.

I noticed ' net user /domain userid | find "Last logon" ' has a date: if we could
iterate through all domain IDs & calculate based on this date, it will help.

There's the oldcmp tool, which seems to work for Win 2012 R2 AD, but the CSV output
it gives doesn't seem to provide any domain ID in it, or have I used it wrongly?
sunhux

ASKER

net user /domain > file.txt
will list all the users in the AD

Next I'll need a batch script to iterate through each of the IDs,
extract their last logon date/time & do a calculation.

For users that I want to be exempted, give me an option to
' findstr /V /G:list_of_users.txt file.txt > file2.txt '
& we'll work based on file2.txt
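A batch-only way to do the list / exempt / disable steps sketched above, as an added example (not the accepted answer's code): it uses the built-in dsquery/dsget/dsmod tools from the AD DS RSAT instead of parsing net user output, and assumes an exempt_users.txt file holding one DN substring per line (e.g. CN=svc-backup,) for accounts to skip.

```batch
@echo off
setlocal
REM Added example, not from the page's accepted answer.
REM Usage: dormant.cmd [weeks] [disable]
REM   weeks   - inactivity threshold in weeks (default 12)
REM   disable - second argument "disable" actually disables; otherwise report only
REM Requires dsquery/dsget/dsmod (AD DS RSAT) on the machine running the task.

set "WEEKS=%~1"
if "%WEEKS%"=="" set "WEEKS=12"
set "EXEMPT=exempt_users.txt"
set "REPORT=dormant_users.txt"

REM -inactive N lists users whose lastLogonTimestamp is older than N weeks.
REM Caveats: lastLogonTimestamp replicates lazily (can lag up to 14 days),
REM and accounts that have never logged on carry no timestamp at all.
REM -limit 0 removes dsquery's default cap of 100 results.
REM Each output line is a quoted DN, e.g. "CN=Jane Doe,OU=Staff,DC=corp,DC=local".
dsquery user -inactive %WEEKS% -limit 0 > all_dormant.tmp

REM Drop exempted accounts: findstr /V /G:file excludes any line containing
REM one of the strings in the file (case-insensitive with /I).
if exist "%EXEMPT%" (
    findstr /I /V /G:"%EXEMPT%" all_dormant.tmp > "%REPORT%"
) else (
    copy /Y all_dormant.tmp "%REPORT%" >nul
)
del all_dormant.tmp

echo Accounts with no logon in %WEEKS% weeks (after exemptions) are in %REPORT%
REM Report pass: show logon name and current disabled state, change nothing.
for /f "usebackq delims=" %%D in ("%REPORT%") do (
    dsget user %%D -samid -disabled
)

REM Disable pass: only runs when explicitly requested, so the scheduled task
REM can be run in report-only mode first and the list reviewed.
if /I "%~2"=="disable" (
    for /f "usebackq delims=" %%D in ("%REPORT%") do (
        dsmod user %%D -disabled yes
    )
)
endlocal
```

Scheduling this with Task Scheduler as `dormant.cmd 12` gives a weekly report; adding `disable` as the second argument turns it into the enforcement job once the exemption list has been reviewed.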
ASKER CERTIFIED SOLUTION
Shaun Vermaak
EXPERT CERTIFIED SOLUTION
sunhux

ASKER

Ok, was looking for something that can be placed in a scheduler:
missed that Shaun's utility could be scheduled.

I'm a die-hard fan of basic scripts, as they are not going to be
end-of-life with newer versions of AD/Windows.

Thanks.
> Ok, was looking for something that can be placed in a scheduler:
> missed that Shaun's utility could be scheduled.

Yes

> end-of-life with newer versions of AD/Windows.

Technically VBS is end-of-life, just not end-of-support.