Script for finding unused or inactive AD computer and user accounts?

Can anyone point me at a resource for admin scripts that can allow me to
run a query against AD to find and output a list (preferably to Excel)
of users and computer accounts in our domain that haven't been accessed
in X weeks?

Thanks.

 

Hi,

You could e.g. take a look at this post from Richard Mueller:
http://groups.google.co.uk/group/microsoft.public.scripting.vbscript/msg/596286cbb2f31d2e


Alternatively, if the domain functional level is set to Windows Server
2003, you can check on the LDAP property lastLogonTimestamp, it is
replicated between the DCs.

Note that this value is only updated when the user logs in if a week
has passed since the last update (so it is usable only to see if an
account have been active on a weekly basis).


From the docs for lastLogonTimestamp:

http://msdn.microsoft.com/library/en-us/adschema/ad/adam_a_lastlogontimestamp.asp

<quote>
Last-Logon-Timestamp
This is the time that the user last logged into the domain. This value
is only updated when the user logs in if a week has passed since the
last update. This value is replicated.
</quote>

http://www.microsoft.com/resources/.../proddocs/en-us/dsadmin_concepts_accounts.asp

<quote>
When the domain functional level has been set to Windows Server 2003,
a new lastLogonTimestamp attribute is used to track the last logon
time of a user or computer account.
</quote>


The above is relevant for both user and computer accounts. Note the
once a week update only part and the Windows Server 2003 domain
functional level prerequisite.


Raise the domain functional level; Windows Server 2003
http://www.microsoft.com/resources/...tandard/proddocs/en-us/sag_changedomlevel.asp

Raising the Roof on Domain Functional Levels
http://www.networking.earthweb.com/netos/article.php/3298531

 

More on lastLogonTimestamp here as well:
http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx

 

Check out oldcmp

http://www.joeware.net/win/free/tools/oldcmp.htm