NOTE: This tip has been superseded by "How can I report all inactive user accounts, and optionally disable them, even if I have multiple domain controllers?"



Using DSQUERY, DSGET, and DSMOD (See DSADD for parameters), I have scripted Inactive.bat to report on all user accounts that have been inactive for a specified number of weeks, and optionally set them to disabled. The user accounts must have a last name.

The syntax for using Inactive.bat is:

Inactive weeks \[/D\]

where weeks is the number of weeks since the user last logged on to the domain, a number from 0 through 999, and /D is an optional parameter that causes all reported inactive user accounts to be disabled.

NOTE: If weeks is 0, no user accounts will be disabled.

NOTE: Inactive.bat creates an Inactive.txt file in the current directory.

NOTE: The lastLogin attribute is only replicated to Windows Server 2003 DCs, so if you have any Windows 2000 DCs, you will have to modify the script to run on each of them.

Inactive.bat contains:

```bat
@echo off
rem Require the weeks argument; accept only /D as the optional second argument.
if {%1}=={} @echo syntax: Inactive weeks /D&goto :EOF
if not {%2}=={} if /i {%2} NEQ {/D} @echo syntax: Inactive weeks /D&goto :EOF
setlocal
rem Keep the last three digits of weeks (0-999); this also stops a leading zero from being read as octal.
set /a weeks=1000%1%%1000
set Disable=N
if not {%2}=={} set Disable=%2
if exist Inactive.txt del /q Inactive.txt
rem Process every user that dsquery reports as inactive for the given number of weeks.
for /f "Tokens=*" %%u in ('dsquery user domainroot -inactive %weeks% -limit 0') do set UDN=%%u&call :ina
endlocal
goto :EOF
:ina
rem Read the last name; the # marker is used to trim trailing spaces.
set LN=
for /f "Skip=1 Tokens=*" %%i in ('dsget user %UDN% -ln') do if /i "%%i" NEQ "dsget succeeded" set LN=%%i#
set LN=%LN:  #=%
set LN=%LN: #=%
set LN=%LN:#=%
rem Skip accounts with no last name. Quoted so a last name containing spaces does not break the comparison.
if "%LN%" EQU "" goto :EOF
if /i "%Disable%" NEQ "/D" goto report
if %weeks% EQU 0 goto report
call :disa>nul 2>&1
if %ERRORLEVEL% EQU 0 goto report
@echo %UDN% failed to disable.>>Inactive.txt
goto :EOF
:report
@echo %UDN%>>Inactive.txt
goto :EOF
:disa
rem Disable the account; the caller checks ERRORLEVEL.
dsmod user %UDN% -disabled yes
```
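
The multiple-DC caveat in the NOTE above, as an added PowerShell example (not part of the original tip or of Inactive.bat): it reads the per-DC `lastLogon` value from every domain controller and keeps the newest one for each user before deciding who is inactive. It assumes the ActiveDirectory module is installed and that every DC answers Active Directory Web Services; the parameter names, the `Inactive.csv` file name, and the enabled-only filter are choices made for this example.

```powershell
# Added example; needs the ActiveDirectory module (RSAT). Not the original Inactive.bat.
param(
    [ValidateRange(1, 999)][int]$Weeks = 12,  # example default; 0 is not accepted here
    [switch]$Disable                           # counterpart of /D
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).ToUniversalTime().AddDays(-7 * $Weeks)
$latest = @{}   # distinguishedName -> newest lastLogon (FILETIME) seen on any DC

# lastLogon is stored per DC and not replicated, so ask every DC and keep the newest value.
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $users = Get-ADUser -Filter 'Enabled -eq $true' -Server $dc.HostName `
                            -Properties lastLogon, sn -ErrorAction Stop
    } catch {
        # A DC that cannot be queried leaves the picture incomplete; stop instead of acting on partial data.
        throw "Could not query $($dc.HostName): $_"
    }
    foreach ($u in $users) {
        if (-not $u.sn) { continue }           # Inactive.bat also skips accounts without a last name
        $stamp = [int64]($u.lastLogon)         # null becomes 0: never logged on at this DC
        $dn = $u.DistinguishedName
        if (-not $latest.ContainsKey($dn) -or $stamp -gt $latest[$dn]) { $latest[$dn] = $stamp }
    }
}

# Accounts that never logged on anywhere have stamp 0 (year 1601) and are reported as inactive too.
$inactive = @(foreach ($dn in $latest.Keys) {
    $last = [DateTime]::FromFileTimeUtc($latest[$dn])
    if ($last -lt $cutoff) {
        [pscustomobject]@{ DistinguishedName = $dn; LastLogonUtc = $last }
    }
})
$inactive | Sort-Object LastLogonUtc | Export-Csv -Path .\Inactive.csv -NoTypeInformation

if ($Disable) {
    foreach ($row in $inactive) {
        # -WhatIf keeps this a dry run; remove it only after reviewing Inactive.csv.
        Disable-ADAccount -Identity $row.DistinguishedName -WhatIf
    }
}
```

Review the report before removing `-WhatIf`, since newly created accounts that have never logged on appear in it alongside genuinely stale ones.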