
Info: Disabling Accounts without Logon

  •  10-26-2007, 10:03 AM

    Info: Disabling Accounts without Logon

      This is pretty easy to do by creating a job that pulls from AD to AD.  The hard part is calculating the date.

    This article goes into some details regarding how to calculate the date:
    http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx

    If you use DTM you will have to modify the source query to reflect the new date every time it runs:
    SELECT * FROM 'LDAP://mydomain' WHERE objectCategory='person' AND objectclass = 'user' AND lastLogonTimeStamp <= DateTimeSixMonthsAgo

    A better solution would be to create a script that pulls all the expired accounts into a CSV file and then use DTM to disable them.  The sample script below will create a csv file with all the users that have expired.  You can then use this csv as the source to a DTM job that disables the accounts.  Finally, just create a simple batch file that calls the script and then isync.  The script might look something like this:

    'THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT
    'WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
    'INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
    'OF MERCHANTABILITY AND/OR FITNESS FOR A  PARTICULAR
    'PURPOSE

    '------------------------------------------------------------------------------
    'FILE DESCRIPTION: Script for finding users that have not logged on.
    '
    'File Name: lastlogon.vbs
    '
    '
    ' Copyright (c) 2005 Imanami Corporation. All rights reserved.
    '------------------------------------------------------------------------------
    Option Explicit

    'Module-level state shared by the procedures below.
    Dim oFile        'output text stream: opened by CreateFile, written and closed by Main
    Dim sDomainOrDC  'LDAP name of the domain or DC to query; left empty, QueryDir uses the default naming context
    'NOTE THIS ONLY SUPPORTS WINDOWS 2003
    'sDomainOrDC = ""

    'Output file; a relative path is resolved against the current directory of the process
    Const sFile = "expiredaccounts.csv"
    'Attributes returned by the LDAP query; the row formatting in Main must match this list
    Const sFields = "samAccountName,displayName,mail"
    'Accounts whose lastLogonTimeStamp is older than this many days are reported.
    'NOTE Windows 2003 replicates lastLogonTimeStamp only about every 14 days, so do not
    'depend on it being accurate to the day; leave a margin well above 14 days.
    Const iExpirationDays = 60
    'Set to True to echo diagnostic output from Trace/TraceValue
    Const bTrace = False
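    'Entry point: query the directory for enabled user accounts whose lastLogonTimeStamp
    'is older than iExpirationDays and write one CSV row per account to sFile.
    'Uses the module-level oFile (opened by CreateFile) and the constants above.
    'Every row ends with the literal "true" in the "expired" column that CreateFile writes.
    Sub Main
     Dim oRS, dDate, sQuery, sRow
     dDate = GetExpirationDateByDays(iExpirationDays)
     TraceValue "dDate", dDate
     sQuery = GetQueryString(dDate)
     TraceValue "sQuery", sQuery
     Set oRS = QueryDir(sQuery)
     CreateFile sFile
     Do While Not oRS.EOF
      'If you modified sFields, you must change the line below to match
      sRow = CsvRow(oRS("samAccountName"), oRS("displayname"), oRS("mail"))
      Trace "Expired User: " & sRow
      oFile.WriteLine sRow
      oRS.MoveNext
     Loop
     'Release the recordset before closing the file so a failure here does not leave
     'the directory connection open with a half-written CSV.
     oRS.Close
     oFile.Close
     Wscript.Echo "Done."
    End Sub

    'Build one CSV row: the three attribute values, each quoted, followed by ",true".
    Function CsvRow(sAccount, sDisplay, sMail)
     CsvRow = CsvQuote(sAccount) & "," & CsvQuote(sDisplay) & "," & CsvQuote(sMail) & ",true"
    End Function

    'Quote a single CSV field. A double quote inside a value (legal in displayName)
    'would otherwise end the field early and shift the remaining columns, so it is
    'doubled as CSV readers expect. Null/Empty values (e.g. a user with no mail)
    'become an empty quoted string rather than propagating Null through Replace.
    'The file is meant as a DTM source, not for opening in a spreadsheet, where
    'values starting with "=" may be treated as formulas.
    Function CsvQuote(vValue)
     CsvQuote = """" & Replace("" & vValue, """", """""") & """"
    End Function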

    'Return the DefaultNamingContext of the domain this machine is joined to,
    'read from RootDSE, and trace it under the key "Domain".
    Function GetDefaultDomain
     Dim oRootDSE, sContext
     Set oRootDSE = GetObject("LDAP://RootDSE")
     sContext = oRootDSE.Get("DefaultNamingContext")
     TraceValue "Domain", sContext
     GetDefaultDomain = sContext
    End Function

    'Open (and overwrite, if present) the output CSV at sPath into the module-level
    'oFile and write the header row. The column order must match the rows Main writes.
    'A relative sPath is created in the process's current directory; since this file
    'later drives a job that disables accounts, keep it in a directory only the job
    'runner can write to.
    Sub CreateFile(sPath)
     Dim oFSO
     Set oFSO = WScript.CreateObject("Scripting.FileSystemObject")
     'second argument True = overwrite an existing file
     Set oFile = oFSO.CreateTextFile(sPath, True)
     oFile.WriteLine "samAccountName,displayname,mail,expired"
    End Sub

    'Echo msg to the script host only when the module constant bTrace is True.
    Sub Trace(msg)
     If Not bTrace Then Exit Sub
     Wscript.Echo msg
    End Sub

    'Trace a key/value pair in the form  key= [value]  (subject to bTrace via Trace).
    Sub TraceValue(sKey, sValue)
     Dim sLine
     sLine = sKey & "= [" & sValue & "]"
     Trace sLine
    End Sub

    'Return the lastLogonTimeStamp value, as a plain digit string, for the instant
    'iDays before now. lastLogonTimeStamp counts 100-nanosecond intervals since
    '1601-01-01, so the value is seconds-since-1601 * 10^7. FormatNumber with 0
    'decimals and no digit grouping renders the large number without exponent
    'notation or thousands separators, which the LDAP filter requires.
    Function GetExpirationDateByDays(iDays)
     Dim dtmCutoff, nIntervals
     dtmCutoff = DateAdd("d", -iDays, Now())
     nIntervals = DateDiff("s", DateSerial(1601, 1, 1), dtmCutoff) * 10000000
     GetExpirationDateByDays = FormatNumber(nIntervals, 0, False, False, 0)
    End Function

    'Build the inner LDAP filter (QueryDir wraps it in (&...)): user objects that are
    'not disabled and whose lastLogonTimeStamp is at or before expirationDate.
    'expirationDate must be the numeric string from GetExpirationDateByDays; it is
    'concatenated into the filter unescaped, so never pass user-supplied text here.
    'NOTE accounts that have never logged on carry no lastLogonTimeStamp at all and
    'are therefore not matched by this filter.
    Function GetQueryString(expirationDate)
     Dim sFilter
     sFilter = "(objectCategory=person)(objectClass=user)"
     'LDAP_MATCHING_RULE_BIT_AND on userAccountControl: bit 2 is ACCOUNTDISABLE,
     'so the negation keeps only enabled accounts.
     sFilter = sFilter & "(!userAccountControl:1.2.840.113556.1.4.803:=2)"
     sFilter = sFilter & "(lastLogonTimeStamp<=" & expirationDate & ")"
     GetQueryString = sFilter
    End Function

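    'Run an LDAP search against sDomainOrDC (the default naming context when it is
    'empty) and return the open ADODB.Recordset. sCommand is the inner filter, which
    'is wrapped in (&...) here; the module constant sFields selects the attributes.
    'The connection is deliberately left open because the returned recordset stays
    'bound to it; the caller closes the recordset when finished.
    Function QueryDir(sCommand)
     Dim sQuery, oConnection, oCommand, oRecordSet

     Set oConnection = CreateObject("ADODB.Connection")
     oConnection.Open "Provider=ADsDSOObject;"

     Set oCommand = CreateObject("ADODB.Command")
     Set oCommand.ActiveConnection = oConnection
     'Without paging, the directory returns at most MaxPageSize entries (1000 by
     'default) and the remainder is silently dropped, so a large domain would leave
     'stale accounts unreported. Paging lets the recordset walk the full result.
     oCommand.Properties("Page Size") = 1000

     If sDomainOrDC = vbNullString Then sDomainOrDC = GetDefaultDomain()
     sQuery = "<LDAP://" & sDomainOrDC & ">;(&" & sCommand & ");" & sFields & ";subtree"
     oCommand.CommandText = sQuery

     Set oRecordSet = oCommand.Execute
     Set QueryDir = oRecordSet
    End Function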

    'Script entry point: build the query, run it, and write the CSV.
    Main

     
