Any way to tell if a user hasn't logged in for a set period of time?

Thread starter: Jacki Slough

Jacki Slough

Using Windows 2000 servers. We are having trouble in that we are not being
notified when staff quit or leave for other reasons. We would like to
remove their account from the network immediately. Is there a script that
will tell us if a user hasn't logged in within a certain time frame? Or is
there a way to disable an account if it hasn't been used in so many days?
Any other ideas are appreciated!
 
Apparently there was a bug in Win2000 AD where the last
logon time was never updated.

You need Win2003 AD (and an advanced mode) for this
I believe.
 
Herb is right [as usual]. If you have a Windows XP Pro computer in the
domain you can install the adminpak for Windows 2003 [download from MS] on
it and logon as a domain admin, so make sure the computer is secure, and use
the Active Directory command line tools to query for accounts that have not
logged on in a certain number of weeks. You will have to do such on each
domain controller with the /s switch to get a list of suspects. The problem
is that a user who has not logged on via a particular domain controller for
a long time may simply be using a different domain controller. So after you
get your list of suspects, you will need to run [ net user username ] on
each domain controller to see the last time the user logged on and if it
shows to be a long time on all domain controllers it is probably safe to
suspect that these users may no longer be there but you want to check with
personnel just in case they are on disability, military leave, or pregnancy
leave for instance.

You really should raise hell with the powers that be about the lack
of communication however. There may be better solutions if you check with
the scripting newsgroup or visit the Microsoft Scripting center. --- Steve

http://www.jsiinc.com/SUBO/tip7300/rh7330.htm -- dsquery.
http://www.microsoft.com/technet/scriptcenter/scripts/ad/default.mspx
 
Well a simple Perl script could drop all users that don't
appear in both files (2 at a time) then run the results
against the next DC until you either run out of users or
get to the last DC.

(Of course such could be automated to read all N files
at once but the code for two files is trivial.)

--
Herb Martin
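Steve's per-DC `net user` check and Herb's cross-DC intersection, combined in an added example that is not code from this thread: it parses the `Last logon` line from `net user` output captured on each domain controller, keeps the newest value across DCs (since Win2000 does not replicate it), and flags only accounts that are stale on every DC. The DC names, user names and dates are constructed.

```python
"""Cross-DC stale-account check for a Windows 2000 domain (added example).
Win2000 does not replicate lastLogon: each DC keeps its own value, so an
account is only stale when the NEWEST logon seen on ANY DC is too old."""
import re
from datetime import datetime, timedelta

# Constructed sample: the "Last logon" line from `net user <name>` as captured
# on each DC. DC names, user names and dates are hypothetical.
NET_USER_OUTPUT = {
    "dc1": {"jsmith": "Last logon                   3/12/2004 8:15 AM",
            "bjones": "Last logon                   Never",
            "mlee":   "Last logon                   1/2/2004 5:30 PM"},
    "dc2": {"jsmith": "Last logon                   Never",
            "bjones": "Last logon                   Never",
            "mlee":   "Last logon                   4/20/2004 9:05 AM"},
}
LAST_LOGON_RE = re.compile(r"^Last logon\s+(.+?)\s*$", re.MULTILINE)

def parse_last_logon(net_user_text):
    """'Last logon' field as a datetime, or None when the DC reports 'Never'."""
    m = LAST_LOGON_RE.search(net_user_text)
    if m is None or m.group(1) == "Never":
        return None
    return datetime.strptime(m.group(1), "%m/%d/%Y %I:%M %p")

def latest_logon_across_dcs(user, per_dc):
    """Most recent logon seen on any DC; None if no DC has ever seen one."""
    stamps = [parse_last_logon(out[user]) for out in per_dc.values() if user in out]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None

def stale_accounts(per_dc, days, now):
    """Accounts whose newest logon on every DC is older than `days`, or that
    never logged on anywhere. Confirm with personnel before disabling: a leave
    of absence looks exactly like a departure here."""
    cutoff = now - timedelta(days=days)
    users = set().union(*(set(out) for out in per_dc.values()))
    stale = []
    for user in sorted(users):
        latest = latest_logon_across_dcs(user, per_dc)
        if latest is None or latest < cutoff:
            stale.append((user, latest))
    return stale

if __name__ == "__main__":
    for user, latest in stale_accounts(NET_USER_OUTPUT, 60, datetime(2004, 5, 1)):
        print(f"{user}: last logon on any DC = {latest or 'Never'}")
```

Note how jsmith shows "Never" on dc2 and mlee shows a January logon on dc1; read from one DC alone either would be a false suspect, but the cross-DC maximum clears both at a 60-day threshold.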

 
Thanks everyone - these are great suggestions.

 
Jacki Slough said:
Thanks everyone - these are great suggestions.

Well, I don't know about "great" (<grin> mine at least) but you
are certainly welcome and it may have clarified the choices
for you.

--
Herb Martin

 
Somarsoft's DumpACL (DumpSec now?) will report a user list with the "Last
logged on time". No writing scripts, no fooling around with command lines.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

 
Hi Mr. Phillip.

Dumpsec is a great tool but keep in mind that in Windows 2000 the last logon
timestamp is not replicated so the results from dumpsec will only show the
last logon for the domain controller that is accessed for the report -
probably the pdc fsmo. In a multi domain controller environment that report
may not be accurate as users of course could be authenticating to any domain
controller. This was fixed in Windows 2003. --- Steve

 