Expiring inactive accounts

I want to ensure that Windows 2000 domain users who have not logged in
for 60 days cannot log in later without admin intervention.

In Windows NT 4.0 I used to enable the checkbox "User must login to
change password" and had a password expiry of 60 days. So if somebody
logged in after 60 days, he could not log in. The administrator had to reset his
expired password. This was an indirect way to expire inactive accounts.

In Windows 2000, how do I achieve this? I do not see this option "User
must login to change password" anywhere. I have set the password
expiry to 60 days. But somebody who logs in after 60 days can also
use his old password, immediately change to a new one and log in
successfully. Or is there a better way in Windows 2000 to automatically
disable inactive accounts?
 
Microsoft took that option away with 2K due to various implementation
issues. I can't recall the details, look at the KBs there might be some
info on it. Long story short, you can't set it.

If you want to disable IDs that have expired, then you can write
something or use a tool that is already written to do it. You can use my
oldcmp (yes it does users too) to do that work if you like. Google for
oldcmp, should be the first hit. The rest of the hits will be people
talking about it.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Hello Vashi,

You can run a script based on a schedule that will disable inactive user
accounts automatically. Inactive user accounts are easily identified by
querying the password age attribute, but don’t forget to exclude the service
accounts (User Accounts with the password never expires option).

Regards,

Taimour Al Neimat
Amman - Jordan
Infrastructure Specialist
MCT, MCSE, MCDBA, MCSA, CCNA, CWNA
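
An added example of the selection logic described in the reply above (not part of the thread, and not any poster's script): it picks accounts whose password age exceeds 60 days and skips accounts with the "password never expires" flag. It assumes user records have already been exported from the directory with the `sAMAccountName`, `userAccountControl` and `pwdLastSet` attributes; the sample records and the helper names are constructed for illustration, and the code only reports candidates, it does not disable anything.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as documented for Active Directory
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime):
    """pwdLastSet counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)

def to_filetime(dt):
    """Inverse conversion, used here only to build the sample data."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def stale_accounts(records, now, max_age_days=60):
    """Return [(name, password_age_days)] for accounts past the limit."""
    stale = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if uac & UF_DONT_EXPIRE_PASSWD:  # service accounts are excluded
            continue
        if uac & UF_ACCOUNTDISABLE:      # already disabled, nothing to do
            continue
        pwd_last_set = int(rec["pwdLastSet"])
        if pwd_last_set == 0:            # change forced at next logon: no age
            continue
        age = (now - filetime_to_datetime(pwd_last_set)).days
        if age > max_age_days:
            stale.append((rec["sAMAccountName"], age))
    return sorted(stale, key=lambda item: item[1], reverse=True)

def _rec(name, uac, days_ago, now):
    """Build one constructed record shaped like a directory export row."""
    stamp = 0 if days_ago is None else to_filetime(now - timedelta(days=days_ago))
    return {"sAMAccountName": name, "userAccountControl": str(uac),
            "pwdLastSet": str(stamp)}

NOW = datetime(2006, 6, 1, tzinfo=timezone.utc)  # fixed so output is repeatable
SAMPLE = [  # constructed accounts, not real data
    _rec("alice", 512, 10, NOW), _rec("bob", 512, 90, NOW),
    _rec("svc_backup", 512 + UF_DONT_EXPIRE_PASSWD, 400, NOW),
    _rec("carol", 512 + UF_ACCOUNTDISABLE, 200, NOW),
    _rec("dave", 512, None, NOW), _rec("erin", 512, 61, NOW),
]

if __name__ == "__main__":
    for name, age in stale_accounts(SAMPLE, NOW):
        print(f"{name}: password last set {age} days ago")
```

Skipping `pwdLastSet = 0` is a choice made in this example; a site may prefer to review those accounts separately.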
 