#162615 - 2006-05-30 02:50 PM Find inactive users in Windows 2000 Active Directory
mima Offline
Hey THIS is FUN

Registered: 2002-01-25
Posts: 217
Loc: Jönköping, Sweden
Hi
I must find all users that have been inactive (not logged on) in a Windows 2000 Active Directory. In a Windows 2003 Active Directory I can use "Dsquery user -inactive 60". This command gives me all users inactive for more than 60 days. But this command doesn't work in W2000 AD.
Can this be done with an LDAP call from KiX?

#162616 - 2006-05-30 03:10 PM Re: Find inactive users in Windows 2000 Active Directory
Chris S. Offline
MM club member
*****

Registered: 2002-03-18
Posts: 2368
Loc: Earth
There should be a sample with fnLDAPQuery() you can use.
#162617 - 2006-05-30 04:00 PM Re: Find inactive users in Windows 2000 Active Directory
mima Offline
Hey THIS is FUN

Registered: 2002-01-25
Posts: 217
Loc: Jönköping, Sweden
Ok, I found the following: Microsoft
but I can't understand which parameter I should use?

#162618 - 2006-05-30 04:32 PM Re: Find inactive users in Windows 2000 Active Directory
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
I think Chris is pointing to his UDF fnLDAPQuery() - Uses ADO to query Active Directory using LDAP dialect.

Maybe a stupid suggestion because I'm not so familiar with LDAP and querying AD, but can't you use the Last-Logon attribute to see if the user has not logged on for, let's say, 90 days and delete/disable/reset password or whatever based on what the query gives you?


Edited by Mart (2006-05-30 04:33 PM)
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#162619 - 2006-05-30 04:42 PM Re: Find inactive users in Windows 2000 Active Directory
mima Offline
Hey THIS is FUN

Registered: 2002-01-25
Posts: 217
Loc: Jönköping, Sweden
Yes Mart, I just found that attribute and tried this filter:
$strFilter = "(&(objectCategory=person)(objectClass=user)(lastLogon=???))"

but I don't understand how I can put in a value so I can find users that haven't logged on in the last e.g. 90 days.

#162620 - 2006-05-30 05:21 PM Re: Find inactive users in Windows 2000 Active Directory
Chris S. Offline
MM club member
*****

Registered: 2002-03-18
Posts: 2368
Loc: Earth
The problem with LastLogin is that it isn't replicated. There is a LastLoginTimestamp property that is replicated weekly, but that is an AD 2003 property. You're better off looking at the pwdLastSet property and expiring accounts that have not changed their passwords 60 days from the password expiration date.
#162621 - 2006-05-30 05:25 PM Re: Find inactive users in Windows 2000 Active Directory
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Perhaps you could borrow from the example that searches for computer accounts that have not updated their password in 90 days.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#162622 - 2006-05-30 07:16 PM Re: Find inactive users in Windows 2000 Active Directory
Chris S. Offline
MM club member
*****

Registered: 2002-03-18
Posts: 2368
Loc: Earth
Exactly. Just switch the example to search for user accounts instead and it should do the trick.
#162623 - 2006-06-01 03:05 PM Re: Find inactive users in Windows 2000 Active Directory
mima Offline
Hey THIS is FUN

Registered: 2002-01-25
Posts: 217
Loc: Jönköping, Sweden
Hi

I used the following code which I found at:
Post
Code:

Break On

$=SetOption('WrapAtEOL','on')
$=SetOption('NoVarsInStrings','on')
$=SetOption('Explicit','on')

Dim $D,$T,$sDate,$sWhat,$sFrom,$sFilter,$sScope,$aResults,$r

; Load the UDFs used below
Call 'Functions\fnActiveTimeZone.kix'
Call 'Functions\fnDateCalc.kix'
Call 'Functions\fnFlipcTime.kix'
Call 'Functions\fnInteger8Date.kix'
Call 'Functions\fnLDAPQuery.kix'

; Cutoff: midnight, 90 days before today
$D = DateCalc(@DATE,-90)
$T = '00:00:00'

; pwdLastSet is an Integer8 value: 100-nanosecond intervals since 1601/01/01.
; The seven appended zeros scale the FlipcTime result to that unit.
$sDate=''+FlipcTime($D,$T,fnActiveTimeZone,'1601/01/01')+'0000000'

; Attributes to return
$sWhat = 'ADsPath','Name','pwdLastSet'

; Search base: the default naming context of the current domain
$sFrom = 'LDAP://'+GetObject('LDAP://rootDSE').Get('defaultNamingContext')

; Computer accounts whose password was last set on or before the cutoff
$sFilter = '(&(objectClass=computer)(pwdLastSet<='+$sDate+'))'

$sScope = 'subtree'

$aResults = fnLDAPQuery($sWhat,$sFrom,$sFilter,'pwdLastSet',$sScope)
@ERROR ' : ' @SERROR ??

; Print each name with its pwdLastSet converted to a readable date
For $r = 0 to Ubound($aResults)
    $aResults[$r,1] + ': ' + fnInteger8Date($aResults[$r,2]) ?
Next

? 'Password unchanged since ' + $D + ': ' + (Ubound($aResults) + 1) ?

Get $



and changed
$sFilter = '(&(objectClass=computer)(pwdLastSet<='+$sDate+'))'
to
$sFilter = '(&(objectClass=user)(pwdLastSet<='+$sDate+'))'

and now I get users but I also get computers. Does anyone know how I can get only users?

#162624 - 2006-06-01 03:50 PM Re: Find inactive users in Windows 2000 Active Directory
Chris S. Offline
MM club member
*****

Registered: 2002-03-18
Posts: 2368
Loc: Earth
The following should do the trick...

Code:

$sFilter = '(&(objectClass=user)(!objectClass=computer)(pwdLastSet<='+$sDate+'))'


#162625 - 2006-06-01 03:53 PM Re: Find inactive users in Windows 2000 Active Directory
mima Offline
Hey THIS is FUN

Registered: 2002-01-25
Posts: 217
Loc: Jönköping, Sweden
Great, now it worked. Thanks Chris S.
#162626 - 2006-06-01 04:40 PM Re: Find inactive users in Windows 2000 Active Directory
mima Offline
Hey THIS is FUN

Registered: 2002-01-25
Posts: 217
Loc: Jönköping, Sweden
I also made this filter so I only get users which are NOT disabled
Code:
 
$sFilter = '(&(objectClass=user)(!objectClass=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(pwdLastSet<='+$sDate+'))'
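
Added example, not part of the original thread: a Python sketch of the Integer8 cutoff calculation and the final filter discussed above, with the same conditions evaluated over constructed sample entries. All function names and sample data are hypothetical, times are taken as UTC, and the negations use the strict `(!(...))` filter form. It shows two things the thread does not spell out: computer objects also carry `objectClass=user`, and an account with `pwdLastSet=0` (password must be changed at next logon) always falls under the cutoff.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x2                 # userAccountControl bit tested in the thread

def to_integer8(dt):
    """UTC datetime -> 100 ns ticks since 1601-01-01 (the pwdLastSet format)."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_integer8(ticks):
    """Inverse of to_integer8, for displaying results."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def stale_user_filter(now, days):
    """Return (filter, cutoff): enabled users, password older than `days`."""
    cutoff = to_integer8(now - timedelta(days=days))
    flt = ("(&(objectClass=user)(!(objectClass=computer))"
           f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE}))"
           f"(pwdLastSet<={cutoff}))")
    return flt, cutoff

def matches(entry, cutoff):
    """Evaluate the same four conditions client-side against one entry."""
    return ("user" in entry["objectClass"]
            and "computer" not in entry["objectClass"]
            and not entry["userAccountControl"] & ACCOUNTDISABLE
            and entry["pwdLastSet"] <= cutoff)

def stale_accounts(entries, cutoff):
    return [e["name"] for e in entries if matches(e, cutoff)]

NOW = datetime(2006, 6, 1, tzinfo=timezone.utc)  # constructed reference date

def ago(days):
    return to_integer8(NOW - timedelta(days=days))

# Constructed sample entries (not real directory data).
SAMPLE = [
    {"name": "alice", "objectClass": ["person", "user"], "userAccountControl": 512, "pwdLastSet": ago(200)},
    {"name": "bob", "objectClass": ["person", "user"], "userAccountControl": 512, "pwdLastSet": ago(10)},
    {"name": "carol", "objectClass": ["person", "user"], "userAccountControl": 514, "pwdLastSet": ago(300)},
    {"name": "WS01$", "objectClass": ["person", "user", "computer"], "userAccountControl": 4096, "pwdLastSet": ago(150)},
    {"name": "dave", "objectClass": ["person", "user"], "userAccountControl": 512, "pwdLastSet": 0},
]

if __name__ == "__main__":
    flt, cutoff = stale_user_filter(NOW, 90)
    print(flt)
    print(stale_accounts(SAMPLE, cutoff))
```
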

