How to check if an AD user is really gone?

SAM2009
Hi,

I have a problem checking whether a user has really left the company (other than asking HR :-)), because checking the lastlogon attribute in AD is not enough. If a user just uses his email, the lastlogon is not completely accurate. Also, the LastLogonTime in the O365 mailbox is not accurate at all (many things can change that value).

The mailbox activity report from O365 can't be handled with PowerShell... it has to be downloaded manually. I need something that I can code.

So what do you think if I check the lastlogon and pwdLastSet attributes? Like, if both values are over 90 days old, then the user is really gone.
Director of Technology Development, IPM
Commented:
If your company has a password policy that it must be changed every 90 days, then simply checking should be sufficient, except you need to take into account that the user may have gone on vacation for 3-4 weeks.

Author

Commented:
Will the password policy also apply to users who don't have a workstation in the domain but just use email?
Sam Jacobs, Director of Technology Development, IPM

Commented:
Yes, as they need their AD credentials to log into email.
Brian B, EE Topic Advisor, Independent Technology Professional

Commented:
If their account is locked, then there is no way they have been logging on to anything that verifies against AD. That's best practice. If for some reason the company doesn't want accounts being disabled as soon as an employee leaves, you should probably find out why and show them how to work around it.
As a side note, a healthy workflow would require HR to notify IT of any employees leaving the company. Some kind of cooperation on a procedural level might be the only foolproof solution.
Long vacation leaves are one thing to keep in mind. But you can't forget maternity leaves and long-term sick leaves. Relying on lastlogon and pwdLastSet alone might result in deleting some employees who might come back in the distant future.
Mahesh, Architect
Distinguished Expert 2018

Commented:
You can block user sign-in in O365 upon HR confirmation :)
and
you can disable the account in AD as well, which will have the same effect as blocking sign-in.

Sorry, but I don't understand the exact question.
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
So what do you think if I check the lastlogon and pwdLastSet attributes? Like, if both values are over 90 days old, then the user is really gone.
Yes, that is the logic I use:
https://www.experts-exchange.com/articles/30820/Active-Directory-Cleanup-Tool-ADCleanup.html

Enable the AD Recycle Bin and extend its duration to 180/360 days. This way, even if you delete a user, you can restore it with a one-line PowerShell command:
Get-ADObject -Filter {displayName -eq "John Smith"} -IncludeDeletedObjects | Restore-ADObject


Trust me, the only way you will get HR confirmation/cooperation is by directly integrating with the HR system and then automating the process.
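An added example (not code from the thread or from the ADCleanup tool) of the lastlogon/pwdLastSet check the question proposes and the answer above confirms, written against the ActiveDirectory PowerShell module. It reads lastLogonTimestamp (exposed by the module as LastLogonDate) instead of lastLogon, because lastLogon is stored per domain controller and is not replicated, so it would have to be collected from every DC, while lastLogonTimestamp is replicated and by default lags the true last logon by at most about 14 days. The 90-day threshold, the OU path and the CSV file name are assumptions.

```powershell
# Added example, not from the original thread. Requires the RSAT ActiveDirectory module
# and read access to the user attributes; tested against no specific domain.
Import-Module ActiveDirectory

function Get-StaleAdUser {
    param(
        [int]$Days = 90,        # threshold from the question (assumption: same for both attributes)
        [string]$SearchBase     # optional, e.g. "OU=Staff,DC=example,DC=com" (assumed OU name)
    )
    $now    = Get-Date
    $cutoff = $now.AddDays(-$Days)

    $params = @{
        Filter     = "Enabled -eq 'True'"   # disabled accounts are already handled by HR/IT
        Properties = 'LastLogonDate', 'PasswordLastSet', 'WhenCreated', 'Mail'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        # LastLogonDate is the DateTime view of the replicated lastLogonTimestamp attribute.
        # An account that has never logged on has no value, so judge it by its creation date.
        $lastLogon = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.WhenCreated }

        # PasswordLastSet is null when pwdLastSet is 0 ("must change password at next logon");
        # fall back to the creation date there as well so the account is still evaluated.
        $pwdSet = if ($_.PasswordLastSet) { $_.PasswordLastSet } else { $_.WhenCreated }

        # Both signals must be older than the threshold, as proposed in the question.
        if ($lastLogon -lt $cutoff -and $pwdSet -lt $cutoff) {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Mail            = $_.Mail
                LastLogonDate   = $_.LastLogonDate
                PasswordLastSet = $_.PasswordLastSet
                DaysSinceLogon  = [int]($now - $lastLogon).TotalDays
                DaysSincePwdSet = [int]($now - $pwdSet).TotalDays
            }
        }
    }
}

# Produce a review list for HR confirmation rather than disabling accounts directly:
# long vacation, maternity or sick leave leaves exactly the same signature as a leaver.
Get-StaleAdUser -Days 90 |
    Sort-Object DaysSinceLogon -Descending |
    Export-Csv -Path .\stale-user-candidates.csv -NoTypeInformation   # assumed file name
```

The output is a candidate list, not a delete list: the threads' own caveats (people on leave, users who only touch email from outside the domain) are the reason the function only reports and leaves the disable/delete decision to the HR-confirmed workflow described above.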

Author

Commented:
Thanks to all
