| Home | Register | Members | Search | Windows Vista Tips | File Database | Links |
 |
| Thread Tools | Display Modes |
|
Guest
Posts: n/a
|
|
|
|
||
|
|
| |
|
Guest
Posts: n/a
|
Inactive and disabled are two different things entirely.
One's easy to find and the other a little more difficult. Start easy. Finding disabled users is pretty easy. You can use a variety of methods including the dsquery tools. You need to have Windows 2003 and be in a 2003 native domain for most of the switches you'll want. LDAP can also be used and you can search for all disabled user objects in the domain. Since this is replicated, only one domain controller needs to be used. The query would look something like: (&(objectCategory=Person)(userAccountControl:1.2.8 40.113556.1.4.803:=2)) Execute the query at the top of the tree with a subtree search for all user objects and it should return all your currently disabled users. Inactive users is a little tougher to get accurately enough to automate. However, for a good idea of what's inactive, you can use the dsquery tools again this time with the inactive switch. It's common practice to cross reference the list with the last time users changed their passwords to make sure that an inactive user didn't change their password recently (inside the password change windows of the domain). To really get into it, you'd want to query each DC, but that's likely more than you'll get with dsquery (unless you really have a lot of spare time and want to write some elaborate command line queries  You can find more information about the dsquery tools here: http://www.jsifaq.com/SUBO/tip7300/rh7330.htm Al "Vish" <> wrote in message news:34844949-DC89-458C-B4DB-... > Dear all > > This is a question which is troubling me for a long time, we have around > 10 > Domain Controllers spread across geographies, we would like to undertake a > clean up of Inactive and disabled users so that we can migrate > > we are not sure if inactive and disabled users replicate across all DCs > and > we are not even sure if our dcs are in synch, is there any way to fins ths > one out > > We would like to generate a list of inactive /disabled users , is there > any > way to find this out > > Request your help and guidance > > Thanks > Vishnu |
|
|
|
|
|||
|
Guest
Posts: n/a
|
Doh!
I totally spaced when it came to mentioning a great tool you can get from Joeware.net. ADFIND is a great tool you may also want to check out. http://www.joeware.net/ "Al Mulnick" <> wrote in message news:%... > Inactive and disabled are two different things entirely. > One's easy to find and the other a little more difficult. > > Start easy. Finding disabled users is pretty easy. You can use a variety > of methods including the dsquery tools. You need to have Windows 2003 and > be in a 2003 native domain for most of the switches you'll want. > > LDAP can also be used and you can search for all disabled user objects in > the domain. Since this is replicated, only one domain controller needs to > be used. > The query would look something like: > > (&(objectCategory=Person)(userAccountControl:1.2.8 40.113556.1.4.803:=2)) > Execute the query at the top of the tree with a subtree search for all > user objects and it should return all your currently disabled users. > > Inactive users is a little tougher to get accurately enough to automate. > However, for a good idea of what's inactive, you can use the dsquery tools > again this time with the inactive switch. It's common practice to cross > reference the list with the last time users changed their passwords to > make sure that an inactive user didn't change their password recently > (inside the password change windows of the domain). To really get into > it, you'd want to query each DC, but that's likely more than you'll get > with dsquery (unless you really have a lot of spare time and want to write > some elaborate command line queries > > You can find more information about the dsquery tools here: > http://www.jsifaq.com/SUBO/tip7300/rh7330.htm > > Al > > > > "Vish" <> wrote in message > news:34844949-DC89-458C-B4DB-... >> Dear all >> >> This is a question which is troubling me for a long time, we have around >> 10 >> Domain Controllers spread across geographies, we would like to undertake >> a >> clean up of Inactive and disabled users so that we can migrate >> >> we are not sure if inactive and disabled users replicate across all DCs >> and >> we are not even sure if our dcs are in synch, is there any way to fins >> ths >> one out >> >> We would like to generate a list of inactive /disabled users , is there >> any >> way to find this out >> >> Request your help and guidance >> >> Thanks >> Vishnu > > |
|
|
|
|
|||
|
Guest
Posts: n/a
|
|
|
|
|
||
|
Guest
Posts: n/a
|
|
|
|
|
||
|
|
| |
|
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Re: Disabled Domain Controller | Meinolf Weber | Windows Server | 4 | 03-30-2008 01:02 PM |
| Re: Disabled Domain Controller | Meinolf Weber | Windows Server | 0 | 03-24-2008 08:50 PM |
| Re: Disabled Domain Controller | Meinolf Weber | Windows Server | 0 | 03-24-2008 08:45 PM |
| domain controller security policy disabled | Song Tan | Windows Small Business Server | 4 | 05-31-2007 08:59 AM |
| AD Users and Computers Not listing whole domain | Noamer | Active Directory | 1 | 12-20-2004 09:36 AM |
Linear Mode
