Finding and Disabling Inactive AD User Accounts

Discussion in 'Active Directory' started by jtux, Nov 21, 2006.

  1. jtux

    jtux Guest

    Howdy list,

    Does anybody have experience with, or a script to, find and disable inactive AD user
    accounts, inactive for at least 30 or some period of days?

    Help and suggestions will be appreciated.

    jtux, Nov 21, 2006

  2. See tip 8260 » How can I report all inactive user accounts, and optionally disable them, even if I have multiple domain controllers?
    in the 'Tips & Tricks' at

    Jerold Schulman
    Windows Server MVP
    JSI, Inc.
    Jerold Schulman, Nov 21, 2006

  3. Joe Richards [MVP], Nov 21, 2006
  4. I have a script that will read all users in the domain and list out the last
    logon and provide information about each user.

    Attributes include:
    User Name
    Last Logon Date
    Creation Date
    Home Folder
    Display Name
    Password Not Needed
    Password Does Not Expire
    Expired Password
    Account Is Disabled

    The script can be found at:
    Select Downloads and select User Account Attributes
    Paul Bergson [MVP-DS], Nov 21, 2006
  5. jtux

    Gibraltar Guest

    Hello jtux,

    There is an attribute called lastLogonTimestamp for each and every user.
    You can check that attribute for all the users through a script and get
    the users who have not logged in for the last 30 days.
    For more information on that, check out the Microsoft website with the keyword
    Gibraltar, Nov 21, 2006
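The lastLogonTimestamp check described in the post above, as an added example that is not part of the thread or of any poster's script. The function name `Get-StaleAccount`, its parameters and the sample records are hypothetical; it assumes default replication behaviour for lastLogonTimestamp and works on records you pass in, so it runs without a domain.

```powershell
# Added example (not from the thread). Get-StaleAccount and the sample data are hypothetical.
function Get-StaleAccount {
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [int] $InactiveDays = 30,
        # lastLogonTimestamp is replicated lazily: with default settings it is only
        # rewritten once the stored value is 9-14 days old, so pad the cutoff.
        [int] $SyncSlackDays = 14,
        [datetime] $Now = [datetime]::UtcNow
    )
    $cutoff = $Now.AddDays(-($InactiveDays + $SyncSlackDays))
    foreach ($a in $Account) {
        # userAccountControl bit 0x2 is ACCOUNTDISABLE: already disabled, skip.
        if ($a.userAccountControl -band 0x2) { continue }
        $raw = [int64] $a.lastLogonTimestamp      # a missing attribute becomes 0
        if ($raw -gt 0) {
            # The attribute is a FILETIME: 100 ns intervals since 1601-01-01 UTC.
            $last   = [datetime]::FromFileTimeUtc($raw)
            $reason = 'no logon since cutoff'
            $stale  = $last -lt $cutoff
        } else {
            # Never logged on: judge by creation date so new accounts are not flagged.
            $last   = $null
            $reason = 'never logged on'
            $stale  = $a.whenCreated -lt $cutoff
        }
        if ($stale) {
            [pscustomobject]@{ Name = $a.sAMAccountName; LastLogonUtc = $last; Reason = $reason }
        }
    }
}

# Constructed sample records, evaluated as of 2006-11-21 (not real accounts).
$now = [datetime]::new(2006, 11, 21, 0, 0, 0, [DateTimeKind]::Utc)
$ft  = { param($daysAgo) $now.AddDays(-$daysAgo).ToFileTimeUtc() }
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'alice'; lastLogonTimestamp = (& $ft 3);   userAccountControl = 512; whenCreated = $now.AddDays(-400) }
    [pscustomobject]@{ sAMAccountName = 'bob';   lastLogonTimestamp = (& $ft 40);  userAccountControl = 512; whenCreated = $now.AddDays(-400) }
    [pscustomobject]@{ sAMAccountName = 'carol'; lastLogonTimestamp = (& $ft 90);  userAccountControl = 512; whenCreated = $now.AddDays(-400) }
    [pscustomobject]@{ sAMAccountName = 'dave';  lastLogonTimestamp = (& $ft 200); userAccountControl = 514; whenCreated = $now.AddDays(-400) }
    [pscustomobject]@{ sAMAccountName = 'erin';  lastLogonTimestamp = $null;       userAccountControl = 512; whenCreated = $now.AddDays(-5) }
    [pscustomobject]@{ sAMAccountName = 'frank'; lastLogonTimestamp = $null;       userAccountControl = 512; whenCreated = $now.AddDays(-300) }
)
Get-StaleAccount -Account $sample -Now $now | Format-Table -AutoSize
```

Against a live domain, the records would come from `Get-ADUser -Filter * -Properties lastLogonTimestamp,userAccountControl,whenCreated`. Review the resulting list before disabling anything, and run `Disable-ADAccount` with `-WhatIf` first.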
  6. jtux

    Mallika Guest


    You can use the DSQUERY command from the command line to get all inactive user
    accounts. The format is

    dsquery user OU=Employees,dc=contoso,dc=com -inactive 4

    This command will query all users who didn't login to domain for the last 4

    dsmod user cn=username,OU=Employees,dc=contoso,dc=com -disabled yes

    This command will disable the given user ID.

    You can pipe these two commands together and achieve your task.

    dsquery user OU=Employees,dc=contoso,dc=com -inactive 4 | dsmod user -disabled yes

    Let me know if you need any further help.

    Mallika, Nov 21, 2006
  7. Yeah this handled much nicer and tremendously safer from oldcmp...
    lastLogonTimeStamp and all.

    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---
    Joe Richards [MVP], Nov 21, 2006
  8. jtux


    Download Netwrix Inactive Users Tracker—Netwrix offers the tool as part of the identity management suite, and it automatically detects, reports and deactivates all user accounts that have been inactive for a specified number of days. I know they also offer a freeware version that detects and reports on inactive accounts, but doesn’t automatically deactivate them.
    Jesse1113, Mar 7, 2012