How to clean up dormant accunts in active directory
Implementation plan for cleaning up dormant accounts and inactive acounts in an active dierectory
Software/Hardware used:
Software/Hardware used:
ASKED:
April 13, 2008 10:36 PM
UPDATED:
March 1, 2012 2:23 AM
Answer Wiki:
You could use the queries tool in aduc to find accounts that have not been used for x amount of days and then use a dsquery string to disable those accounts.
I suppose it depends on the size of your organisation and how much user knowledge you have, as you have to think about the possibility of accidentally disabling then deleting a user account who is mearly on maternity leave of extended sickness.
One thing I think would be a good idea is to look for accounts dormant for more than 3 months say, disable them and then send an email to the head of department asking about the status of the user, if they've left then bingo delete it, if not leave it disabled, and always say in the email that if you dont hear anything back within 2 weeks then the account WILL be deleted (otherwise you know they will ignore your email).
To see all answers submitted to the Answer Wiki: View Answer History.
You may be able to cross-reference some of the accounts with human resources for terminated employees. It is important to consider that all of the domain controllers in the environment must be polled to determine the last log on time for a user. There are some tools that can automate the process such as DumpSec (http://www.somarsoft.com).
Netwrix has a small app (Inactive Users Tracker) that will aid in your situation.
RonniV is right, netwrix inactive users tracker should do the trick for you—it’s a very handy tool. The tool automatically detects, reports and deactivates all user accounts that have been inactive for a specified number of days. I know they also offer a freeware version that detects and reports on inactive accounts, but doesn’t automatically deactivate them.