Disabled/Inactive users listing across multiple domain controllers

Discussion in 'Active Directory' started by Vish, Mar 12, 2005.

  Vish

    Vish Guest

    Dear all,

    This is a question which has been troubling me for a long time. We have
    around 10 Domain Controllers spread across geographies, and we would like
    to undertake a clean up of inactive and disabled users so that we can
    migrate.

    We are not sure if inactive and disabled users replicate across all DCs,
    and we are not even sure if our DCs are in sync. Is there any way to find
    this out?

    We would like to generate a list of inactive/disabled users. Is there any
    way to find this out?

    Request your help and guidance.

    Vish, Mar 12, 2005
  Al Mulnick

    Al Mulnick Guest

    Inactive and disabled are two different things entirely.
    One's easy to find and the other a little more difficult.

    Start easy. Finding disabled users is pretty easy. You can use a variety
    of methods including the dsquery tools. You need to have Windows 2003 and
    be in a 2003 native domain for most of the switches you'll want.

    LDAP can also be used and you can search for all disabled user objects in
    the domain. Since this is replicated, only one domain controller needs to
    be used.
    The query would look something like:

    Execute the query at the top of the tree with a subtree search for all user
    objects and it should return all your currently disabled users.

    Inactive users is a little tougher to get accurately enough to automate.
    However, for a good idea of what's inactive, you can use the dsquery tools
    again this time with the inactive switch. It's common practice to cross
    reference the list with the last time users changed their passwords to make
    sure that an inactive user didn't change their password recently (inside the
    password change windows of the domain). To really get into it, you'd want
    to query each DC, but that's likely more than you'll get with dsquery
    (unless you really have a lot of spare time and want to write some elaborate
    command line queries ;)

    You can find more information about the dsquery tools here:

    Al Mulnick, Mar 12, 2005
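
The cross-check described in the post above, as an added example that is not part of the original thread: it merges per-DC exports of user attributes, keeps the newest lastLogon seen on any DC (that attribute is not replicated between domain controllers), and only calls an account inactive if its password is also old. The tuple layout, the function names and the sample accounts are assumptions made for this sketch; it also lists accounts whose disabled flag differs between DCs, which points at a replication problem to resolve before any cleanup.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x2  # userAccountControl flag set on disabled accounts

def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601-01-01 UTC, as stored in lastLogon/pwdLastSet."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_filetime(ticks):
    """Ticks -> datetime, or None for 0 (AD's value for 'never')."""
    return None if ticks == 0 else EPOCH_1601 + timedelta(microseconds=ticks // 10)

def classify(per_dc, now, weeks):
    """per_dc: DC name -> rows of (sAMAccountName, userAccountControl, lastLogon, pwdLastSet).
    Returns (disabled, inactive, mismatch) as sorted lists of account names."""
    cutoff = now - timedelta(weeks=weeks)
    users = {}
    for rows in per_dc.values():
        for name, uac, last_logon, pwd_last_set in rows:
            u = users.setdefault(name, {"flags": set(), "logon": 0, "pwd": 0})
            u["flags"].add(bool(uac & ACCOUNTDISABLE))
            u["logon"] = max(u["logon"], last_logon)  # lastLogon is per DC: keep newest
            u["pwd"] = max(u["pwd"], pwd_last_set)
    disabled, inactive, mismatch = [], [], []
    for name, u in sorted(users.items()):
        times = [from_filetime(u["logon"]), from_filetime(u["pwd"])]
        if len(u["flags"]) > 1:
            mismatch.append(name)  # DCs disagree on the flag: check replication first
        elif True in u["flags"]:
            disabled.append(name)
        elif all(t is None or t < cutoff for t in times):
            inactive.append(name)  # no recent logon on any DC and no recent password change
    return disabled, inactive, mismatch

# Constructed sample data (not from the thread): two DCs, times relative to a fixed NOW.
NOW = datetime(2005, 3, 12, tzinfo=timezone.utc)
def ago(days):
    return to_filetime(NOW - timedelta(days=days))
SAMPLE = {
    "DC1": [("alice", 0x200, ago(200), ago(300)), ("bob", 0x202, ago(400), ago(400)),
            ("carol", 0x200, ago(150), ago(10)), ("dave", 0x200, 0, ago(500)),
            ("erin", 0x200, ago(90), ago(90))],
    "DC2": [("alice", 0x200, ago(3), ago(300)), ("bob", 0x202, 0, ago(400)),
            ("carol", 0x200, 0, ago(10)), ("dave", 0x200, 0, ago(500)),
            ("erin", 0x202, ago(90), ago(90))],
}
print(classify(SAMPLE, NOW, weeks=8))
```

Run against DC1 alone, the same data would report alice as inactive even though she logged on to DC2 three days earlier, which is why the per-DC merge matters.
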
  Al Mulnick

    Al Mulnick Guest


    I totally spaced when it came to mentioning a great tool you can get from
    Joeware.net. ADFIND is a great tool you may also want to check out.
    Al Mulnick, Mar 12, 2005
  ptwilliams

    ptwilliams Guest

    ptwilliams, Mar 13, 2005
    In addition to the excellent responses, Windows Server has the built-in Directory Services command-line utilities.
    See tip 6820 in the 'Tips & Tricks' at http://www.jsiinc.com

    To find inactive users:
    dsquery user -inactive NumberOfWeeks -limit 0

    To find disabled users:

    dsquery user -disabled -limit 0

    See tip 7992.

    Jerold Schulman
    Windows Server MVP
    JSI, Inc.
    Jerold Schulman, Mar 13, 2005
