Using DSQUERY and DSMOD, and techniques from tip 8241 and tip 8244, I have scripted Inactive.bat to report all user accounts that have NOT logged on via any domain controller since a specified date. Inactive.bat can also  optionally disable these accounts.

The syntax for using Inactive.bat is:

Inactive YYYYMMDD \[/D\]

Where Inactive.bat will report all enabled accounts whose lastLogon date is earlier than YYYYMMDD, and /D is an optional parameter to disable these accounts.

Inactive.bat generates an Inactive.csv file, in the current directory, that contains the following information:

"distinguishedName","Last Log on YYYYMMDD","When Created YYYYMMDD","Was disabled Y or N"

where "Last Log on YYYYMMDD" can be "Never", and "Was disabled Y or N" will be a Y if the account was disabled when generating this Inactive.csv file. An entry in Inactive.csv might look like:

"CN=Test User,CN=Users,DC=JSIINC,DC=COM","20040113","20030427","N"
NOTE: If a user has never logged on, their account will only be reported if it was created before YYYYMMDD.

NOTE: The Administrator and IWAM_%ComputerName% accounts are never disabled.

NOTE: Inactive.bat calls CvtFileTime.bat, which must be located in a folder that is in your PATH.

Inactive.bat contains:

                              @echo off                              if \{%1\}

\{\} @echo syntax: Inactive YYYYMMDD \[/D\]&goto :EOF if not \{%2\}

\{\} if /i \{%2\} NEQ \{/D\} @echo syntax: Inactive YYYYMMDD \[/D\]&goto :EOF setlocal if exist Inactive.csv del /q Inactive.csv set work1=%1# if "%work1:~8,1%" NEQ "#" @echo syntax: Inactive YYYYMMDD \[/D\]&endlocal&goto :EOF set /a dte=%1 set Disable=N if not \{%2\}==\{\} set Disable=%2 if exist Inactive.csv del /q Inactive.csv for /f "Tokens=*" %%u in ('dsquery user domainroot -o DN -Limit 0') do ( call :ina %%u ) endlocal goto :EOF :ina set usr=%1 set usr=%usr:"=% set dis=N for /f "Skip=1 Tokens=*" %%i in ('dsget user "%usr%" -disabled^|findstr /V /I /C:"dsget"') do ( set dis=%%i ) if /i "%dis:~0,3%" EQU "yes" goto :EOF set dis=N set qry=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(distinguishedName=%usr%))" -attr lastLogon whenCreated set on=0 set whenymd=99999999 for /f "Tokens=*" %%s in ('dsquery server -O RDN') do ( for /f "SKIP=1 Tokens=1-3" %%a in ('%qry% -s "%%s"') do ( call :last %%a %%b ) ) Call CvtFileTime %on% DT set /a work1=%DT:~6,4%%DT:~0,2%%DT:~3,2% if "%DT%" EQU "Never" set work1=%whenymd% if %work1% GEQ %dte% goto :EOF if "%DT%" EQU "Never" set work1=Never :test if /i "%Disable%" NEQ "/D" goto report call :disa>nul 2>&1 if ERRORLEVEL 0 goto report @echo "%usr%" failed to disable.>>Inactive.csv goto :EOF :report @echo "%usr%","%work1%","%whenymd%","%dis%">>Inactive.csv goto :EOF :disa if /i "%usr:~0,16%" EQU "CN=Administrator" goto :EOF if /i "%usr:~0,8%" EQU "CN=IWAM_" goto :EOF dsmod user "%usr%" -disabled yes if ERRORLEVEL 0 set dis=Y goto :EOF :last set when=%2 set work1=%when:~6,4%%when:~0,2%%when:~3,2% if "%work1%" LSS "%whenymd%" set whenymd=%work1% if "%on%" LSS "%1" set on=%1