How to disable a user account if it has not been used by a certain time?

bbnetman
I am wondering (as an added security layer or option) if in W2K3 Active Directory there is a way to automatically disable an account if it has not been accessed for a certain period of time? I know you can expire an account on a specified date but what about if a user is out and you want a way to automatically disable their account if they are not back in a certain number of days rather than having to do it manually.
  • +
    0 Votes
    faradhi

    The best way I found to perform this task is to use a script that checks the last login date of each account and disables the ones that have not logged in within the specified time frame.

    Here is a script sample I found on the internet. I cannot find the one I wrote for my previous position. But this should get you started.

    Hope this helps.

    ----start script---
    Dim dDate, oUser, oObject, oGroup
    Dim iFlags, iDiff, iResult
    Const UF_ACCOUNTDISABLE = &H0002

    'Point to group containing users to check
    Set oGroup = GetObject("WinNT://MyDomain/Domain Users")

    'Enable error trapping
    On Error Resume Next

    'for each user object in the group...
    For Each oObject In oGroup.Members

        'ensure the user isn't a computer account!
        If (oObject.Class = "User") And _
           (InStr(oObject.Name, "$") = 0) Then

            'retrieve the user object
            Err.Clear
            Set oUser = GetObject(oObject.ADsPath)

            'get the last login Date from the domain
            'and strip off the time portion
            '(just need the date)
            dDate = oUser.Get("LastLogin")

            'if the lookup failed (e.g. the account has never
            'logged in), skip this user rather than reusing the
            'date left over from the previous user
            If Err.Number = 0 Then
                dDate = DateValue(dDate)

                'calculate how long ago that was in weeks
                iDiff = DateDiff("ww", dDate, Now)

                'more than six weeks since last login?
                If iDiff >= 6 Then

                    'yes - get the user's flags
                    iFlags = oUser.Get("UserFlags")

                    'is the account already disabled?
                    If (iFlags And UF_ACCOUNTDISABLE) = 0 Then

                        'no - disable it!
                        oUser.Put "UserFlags", iFlags Or UF_ACCOUNTDISABLE
                        oUser.SetInfo
                    End If
                End If
            End If
        End If
    Next
    WScript.Echo "All done!"

    --end script---

    +
    0 Votes
    otaku_lord

    I know that this was posted almost three years ago but I hope someone can answer a question for me... is this script safe to use and do I use it "as is?"
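
A report-only check that can be run before any script is allowed to disable accounts, added here as an example (it is not from the thread or its posters). It reads the replicated lastLogonTimestamp attribute over LDAP, whereas the WinNT LastLogin value is tracked separately by each domain controller. Assumptions: a Windows Server 2003 domain functional level, the placeholder domain DC=example,DC=com, a 14-day allowance for the attribute's update interval, and the helper name LastLogonUtc.

```vbscript
' Added example: lists stale accounts only; it never writes to the directory.
Option Explicit
Const MAX_IDLE_DAYS = 42   ' six weeks, matching the script above
Const SYNC_LAG_DAYS = 14   ' assumed default update interval of lastLogonTimestamp
Const SEARCH_BASE = "LDAP://DC=example,DC=com"   ' placeholder domain

Dim oConn, oCmd, oRS, oUser, dLast, sName

Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider"
Set oCmd = CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oConn
oCmd.Properties("Page Size") = 500   ' page through more than 1000 results

' People only (no computer accounts), skipping accounts already disabled
oCmd.CommandText = "<" & SEARCH_BASE & ">;" & _
    "(&(objectCategory=person)(objectClass=user)" & _
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)));" & _
    "ADsPath,sAMAccountName;subtree"
Set oRS = oCmd.Execute

Do Until oRS.EOF
    sName = oRS.Fields("sAMAccountName").Value
    Set oUser = GetObject(oRS.Fields("ADsPath").Value)
    dLast = LastLogonUtc(oUser)
    If IsEmpty(dLast) Then
        WScript.Echo sName & vbTab & "never logged on (review by hand)"
    ElseIf DateDiff("d", dLast, Now) >= MAX_IDLE_DAYS + SYNC_LAG_DAYS Then
        ' dLast is UTC and Now is local time; fine at day granularity
        WScript.Echo sName & vbTab & "last logon about " & dLast
    End If
    oRS.MoveNext
Loop
oConn.Close

' Convert lastLogonTimestamp (100 ns ticks since 1601-01-01 UTC) to a Date.
' Returns Empty when the attribute is not set on the account.
Function LastLogonUtc(oUser)
    Dim oStamp, hi, lo
    LastLogonUtc = Empty
    On Error Resume Next
    Set oStamp = oUser.Get("lastLogonTimestamp")
    If Err.Number <> 0 Then Err.Clear : Exit Function
    On Error GoTo 0
    hi = oStamp.HighPart
    lo = oStamp.LowPart
    If lo < 0 Then hi = hi + 1   ' LowPart comes back as a signed 32-bit value
    LastLogonUtc = #1/1/1601# + ((hi * 4294967296) + lo) / 864000000000
End Function
```

Run it with cscript.exe so each line goes to the console, and review the list for service and shared accounts before disabling anything.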
