A couple of years ago I had a group that used a SharePoint web front end that created AD users on the fly in the back end. The problem was that people would either not use it again after the first login, or they would just sign up again if they forgot their credentials. Although all of that could have been handled by the developers on the front end, it was not, and my concern was AD. For the sake of a clean AD, less replication overhead, and SOX compliance, unused accounts needed to be removed. And of course let’s not forget the security implications.

It was the application owners’ responsibility to maintain the accounts, but without any AD knowledge they needed a dumbed-down way to clean them up. At that time I was still learning VBScript and decided to kick it up a notch and write my script as an HTA. I swear my scripts are much cleaner these days. I’m not going to go over all the code, but please leave a comment if you have questions. After you copy the code and save it as an .HTA file you will need to change the LDAP paths to match your AD, the maximum age for enabled accounts, and the maximum age for disabled accounts. The reason for checking whether the account is disabled is so you can do something like disable an account that is 30 days stale and delete it once it is more than 60 days stale. You should also know that I use the lastLogonTimestamp attribute because it is replicated to all domain controllers; the lastLogon attribute, by contrast, is not replicated and will vary from DC to DC. For more on how the lastLogonTimestamp attribute works and its replication frequency (14 days) see this TechNet article.

This HTA will not only show you your unused accounts, but will also let you save them to a spreadsheet, selectively disable, enable, or delete the accounts, and save your changes to a spreadsheet. Just for reference, you can also find this script in the Microsoft Scripting Guys’ Script Repository HERE. Don’t panic, I didn’t steal it; I submitted it to them to add to their community-submitted scripts.
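As an added example (not the HTA from this post, and in Python rather than VBScript so it runs offline), here is the age test the script performs: it converts lastLogonTimestamp from its FILETIME encoding, applies separate thresholds for enabled and disabled accounts, and, as a caveat the post does not spell out, subtracts the 14-day replication slack so an account whose timestamp simply has not been refreshed yet is not mistaken for stale. NOW, the sample entries and the _entry helper are constructed for the demonstration; the userAccountControl and FILETIME semantics are the real AD ones.

```python
from datetime import datetime, timedelta, timezone

# lastLogonTimestamp is a Windows FILETIME: 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002      # userAccountControl bit set on disabled accounts
REPLICATION_SLACK_DAYS = 14  # lastLogonTimestamp may lag the real last logon by this much
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "today" for the sample

def datetime_to_filetime(dt):
    """Build a FILETIME value; used only to construct the sample entries below."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def filetime_to_datetime(filetime):
    """Convert a FILETIME to an aware UTC datetime; 0 means the user never logged on."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def classify_account(entry, now, max_enabled_days=30, max_disabled_days=60):
    """Return 'keep', 'disable' or 'delete' for one user entry: enabled accounts are
    disabled after max_enabled_days of staleness, already-disabled ones deleted after
    max_disabled_days. The replication slack is subtracted from the age so nothing is
    acted on merely because the timestamp has not been refreshed yet."""
    last = filetime_to_datetime(entry["lastLogonTimestamp"])
    if last is None:
        last = entry["whenCreated"]  # never logged on: measure from creation instead
    age_days = (now - last).days - REPLICATION_SLACK_DAYS
    if entry["userAccountControl"] & ACCOUNTDISABLE:
        return "delete" if age_days >= max_disabled_days else "keep"
    return "disable" if age_days >= max_enabled_days else "keep"

def stale_account_report(entries, now):
    """Map sAMAccountName -> action: the rows the HTA would list before you confirm."""
    return {e["sAMAccountName"]: classify_account(e, now) for e in entries}

def _entry(name, uac, days_ago, created_days_ago=400):
    """Constructed sample row (not real directory data); days_ago=None = never logged on."""
    ts = 0 if days_ago is None else datetime_to_filetime(NOW - timedelta(days=days_ago))
    return {"sAMAccountName": name, "userAccountControl": uac,
            "lastLogonTimestamp": ts, "whenCreated": NOW - timedelta(days=created_days_ago)}

# 0x200 = NORMAL_ACCOUNT, 0x202 = NORMAL_ACCOUNT | ACCOUNTDISABLE
SAMPLE = [_entry("active.user", 0x200, 10), _entry("stale.enabled", 0x200, 50),
          _entry("stale.disabled", 0x202, 50), _entry("old.disabled", 0x202, 100),
          _entry("never.logged", 0x200, None, created_days_ago=200)]

if __name__ == "__main__":
    for name, action in stale_account_report(SAMPLE, NOW).items():
        print(f"{name:15} {action}")
```

Against a live directory you would feed the same function the lastLogonTimestamp, userAccountControl and whenCreated values returned by your LDAP query instead of the constructed rows.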

Download File

5 thoughts on “AD LastLogon Utility”

  1. Hi Ryan,

    You are so right that getting accurate last logon data from AD can be complicated.

    The other day, while searching for a True Last Logon utility, I came across an awesome AD reporting tool called Gold Finger for AD. This little tool, designed by a Microsoft AD security expert had 400+ AD security reports built in, including FREE True Last Logon reports.

    Thought you might find it useful as well, so figured I’d stop in and let you know about it. Gold Finger has been so helpful for us in cleaning up our AD, finding stale accounts, enumerating group memberships, enumerating trusts, etc.

    If you have a minute, do check it out bro.

  2. Hi, I’ve just tried this script, but can’t seem to get it to run (downloaded it from the Scripting Guys site). I resolved a couple of basic errors:

    line 215 missing _ at the end of the line
    line 290 missing ” at the beginning of the line
    line 716 missing </ at the beginning of the line

    The next error seems to occur on line 637, the first enable button, but I can’t seem to get past this one. Any ideas?
    rgds
    Chris

  3. Hi Chris. I checked it out and you are correct about the errors you found. It turns out that it was some type of formatting error that occurred when I uploaded it to the Microsoft site. The issue with line 637 was that the input tag should have all been on one line and somehow the MS site split the line. That same code from the MS site was also what I had here on my blog. I dug around and found the original and posted it here, so just download it again from this post. Hopefully I caught all the formatting errors and they are fixed now.
