How to check if an AD user is really gone?


I have a problem checking whether a user has really left the company (except by asking HR :-)) because checking the lastlogon attribute in AD is not enough. If a user only uses email, the lastlogon is not completely accurate. Also the LastLogonTime in the O365 mailbox is not accurate at all (many things can change that value).

The mailbox activity report from O365 can't be manipulated by PowerShell... it has to be downloaded manually. I need something that I can code.

So what do you think: should I check the lastlogon and pwdLastSet attributes? Like if both values are over 90 days old, then the user is really gone.
Sam Jacobs, Director of Technology Development, IPM, commented:
If your company has a password policy that requires the password to be changed every 90 days, then simply checking pwdLastSet should be sufficient, except you need to take into account that the user may have gone on vacation for 3-4 weeks.

SAM2009 (Author) commented:
Will the password policy also apply to users who don't have a workstation in the domain but just use email?
Sam Jacobs, Director of Technology Development, IPM, commented:
Yes, as they need their AD credentials to log into email.
Brian B, EE Topic Advisor, Independent Technology Professional, commented:
If their account is disabled, then there is no way they have been logging on to anything that authenticates against AD. That's best practice. If for some reason the company doesn't want accounts disabled as soon as an employee leaves, you should probably find out why and show them how to work around it.
Adam the 32-bit Aardvark, Software Developer, commented:
As a side note, a healthy workflow would require HR to notify IT of any employees leaving the company. Some kind of cooperation on a procedural level might be the only foolproof solution.
Long vacation leaves are one thing to keep in mind. But you can't forget maternity leaves and long-term sick leaves. Relying on lastlogon and pwdLastSet alone might result in deleting some employees who might come back in the distant future.
You can block user sign-in in O365 upon HR confirmation :)
You can disable the account in AD as well, which will have the same effect as blocking sign-in.

Sorry, but I don't understand the exact question.
Shaun Vermaak, Technical Specialist, commented:
"So what do you think: should I check the lastlogon and pwdLastSet attributes? Like if both values are over 90 days old, then the user is really gone."
Yes, that is the logic I use.

Enable the AD Recycle Bin and extend its duration to 180/360 days. This way, even if you delete a user, you can restore it with a one-line PowerShell command:
Get-ADObject -Filter {displayName -eq "John Smith"} -IncludeDeletedObjects | Restore-ADObject


Trust me, the only way you will get HR confirmation/cooperation is by directly integrating with the HR system and then automating the process.
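The "both lastlogon and pwdLastSet older than 90 days" logic from the question and this answer, written out as a PowerShell report. This is an added example, not code posted by anyone in the thread; it assumes the RSAT ActiveDirectory module is installed, and the OU path and the 90-day threshold are placeholders to adjust. It reads lastLogonTimestamp rather than lastLogon because lastLogonTimestamp is replicated to every domain controller (with a lag of up to 14 days), whereas lastLogon is per-DC and would require querying each DC. It only reports candidates and does not disable or delete anything, so the vacation and long-term-leave cases raised above can be reviewed before any action.

```powershell
# Added example (not from the original thread): list enabled AD users whose
# lastLogonTimestamp AND pwdLastSet are both older than a threshold.
# Assumptions: RSAT ActiveDirectory module present; $SearchBase and
# $ThresholdDays are placeholders for your environment.
Import-Module ActiveDirectory

$ThresholdDays = 90
$Cutoff        = (Get-Date).AddDays(-$ThresholdDays)
$SearchBase    = 'OU=Users,DC=example,DC=com'   # placeholder OU

# Disabled accounts are already handled; only look at enabled ones.
# whenCreated is requested so that "never logged on" can be distinguished
# from "account is newer than the cutoff".
$users = Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
    -Properties lastLogonTimestamp, pwdLastSet, whenCreated, description

$report = foreach ($u in $users) {
    # Both attributes are stored as Windows FILETIME (100-ns ticks since 1601).
    # A value of 0 / $null means "never", which the if() treats as false.
    $lastLogon = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
    $pwdSet    = if ($u.pwdLastSet)         { [DateTime]::FromFileTime($u.pwdLastSet) }         else { $null }

    # "Never" only counts as stale when the account itself predates the cutoff,
    # otherwise freshly created accounts would be flagged immediately.
    $logonStale = ($null -eq $lastLogon -and $u.whenCreated -lt $Cutoff) -or
                  ($null -ne $lastLogon -and $lastLogon -lt $Cutoff)
    $pwdStale   = ($null -eq $pwdSet    -and $u.whenCreated -lt $Cutoff) -or
                  ($null -ne $pwdSet    -and $pwdSet    -lt $Cutoff)

    if ($logonStale -and $pwdStale) {
        [PSCustomObject]@{
            SamAccountName = $u.SamAccountName
            LastLogon      = $lastLogon
            PwdLastSet     = $pwdSet
            Created        = $u.whenCreated
            Description    = $u.description   # where "on leave" notes usually live
        }
    }
}

# Report only. Disabling is a separate, deliberate step after HR/manager review;
# run it with -WhatIf first, e.g.:
#   $report | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
$report | Sort-Object LastLogon | Export-Csv -Path '.\stale-users.csv' -NoTypeInformation
$report | Format-Table -AutoSize
```

Two practical notes on the logic: lastLogonTimestamp is only updated when the previous value is older than the msDS-LogonTimeSyncInterval (14 days by default), so a user who logged on yesterday can still show a timestamp up to two weeks old; that is why the threshold should stay well above 14 days. And pwdLastSet of 0 means "must change password at next logon", not "never set", so if your process resets passwords for returning staff you will want to treat that case separately rather than as stale.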
SAM2009 (Author) commented:
Thanks to all