NOTE: This tip has been superseded by "How can I report all inactive user accounts, and optionally disable them, even if I have multiple domain controllers?"



Using DSQUERY, DSGET, and DSMOD (see DSADD for parameters), I have scripted Inactive.bat to report on all user accounts that have been inactive for a specified number of weeks, and optionally set them to disabled. The user accounts must have a last name.

The syntax for using Inactive.bat is:

Inactive weeks \[/D\]

where weeks is the number of weeks since the user last logged on to the domain, a number from 0 through 999, and /D is an optional parameter that causes all reported inactive user accounts to be disabled.

NOTE: If weeks is 0, no user accounts will be disabled.

NOTE: Inactive.bat creates an Inactive.txt file in the current directory.

NOTE: The lastLogin attribute is only replicated to Windows Server 2003 DCs, so if you have any Windows 2000 DCs, you will have to modify the script to run on each of them.

Inactive.bat contains:

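```bat
@echo off
rem Require the weeks argument; the only accepted second argument is /D.
if {%1}=={} @echo syntax: Inactive weeks /D&goto :EOF
if not {%2}=={} if /i {%2} NEQ {/D} @echo syntax: Inactive weeks /D&goto :EOF
setlocal
rem Prefix 1000 and take the remainder modulo 1000: this keeps weeks in 0-999
rem and stops a leading zero from being read as octal by set /a.
set /a weeks=1000%1%%1000
set Disable=N
if not {%2}=={} set Disable=%2
rem Start each run with a fresh report file.
if exist Inactive.txt del /q Inactive.txt
rem dsquery returns one quoted distinguished name per inactive user.
for /f "Tokens=*" %%u in ('dsquery user domainroot -inactive %weeks% -limit 0') do set UDN=%%u&call :ina
endlocal
goto :EOF
:ina
rem Read the last name; accounts without one are skipped.
set LN=
for /f "Skip=1 Tokens=*" %%i in ('dsget user %UDN% -ln') do if /i "%%i" NEQ "dsget succeeded" set LN=%%i#
rem The # is an end marker; remove it together with a trailing space.
set LN=%LN: #=%
set LN=%LN: #=%
set LN=%LN:#=%
if {%LN%} EQU {} goto :EOF
rem Report only, unless /D was given and weeks is not 0.
if /i "%Disable%" NEQ "/D" goto report
if %weeks% EQU 0 goto report
call :disa>nul 2>&1
if %ERRORLEVEL% EQU 0 goto report
@echo %UDN% failed to disable.>>Inactive.txt
goto :EOF
:report
@echo %UDN%>>Inactive.txt
goto :EOF
:disa
dsmod user %UDN% -disabled yes
```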
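Inactive.txt holds one quoted distinguished name per line, with ` failed to disable.` appended when dsmod returned an error. The following Python sketch is an added example, not part of the original tip: it groups the report by parent container so a report-only run can be reviewed before rerunning with /D, and it handles DNs whose CN contains an escaped comma. The sample report, the `example.com` names, and the function names are constructed for illustration.

```python
from collections import defaultdict

FAILED_SUFFIX = " failed to disable."

# Constructed sample of an Inactive.txt file (not real accounts).
SAMPLE = r'''
"CN=Smith\, John,OU=Sales,DC=example,DC=com"
"CN=Jane Doe,OU=Sales,DC=example,DC=com"
"CN=svc-backup,OU=Service Accounts,DC=example,DC=com" failed to disable.
"CN=Old Temp,CN=Users,DC=example,DC=com"
'''

def split_dn(dn):
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts

def parse_report(text):
    """Return (by_container, failed) for the text of an Inactive.txt file."""
    by_container, failed = defaultdict(list), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        is_failed = line.endswith(FAILED_SUFFIX)
        if is_failed:
            line = line[:-len(FAILED_SUFFIX)]
        dn = line.strip().strip('"')
        if is_failed:
            failed.append(dn)         # dsmod returned a non-zero ERRORLEVEL
        else:
            by_container[",".join(split_dn(dn)[1:])].append(dn)
    return dict(by_container), failed

if __name__ == "__main__":
    groups, failed = parse_report(SAMPLE)
    for container, dns in sorted(groups.items()):
        print(f"{len(dns):4d}  {container}")
    for dn in failed:
        print("FAILED TO DISABLE:", dn)
```

A container that should not be touched, such as one holding service accounts, stands out in the grouped counts before any account is disabled.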