RE: Expire accounts from Active Directory after a period of inactivity

From: Geoff Craig <GCraig(at)quilogy.com>
Date: Thu Mar 20 2003 - 22:36:56 EST

Hey Matt,

I don't know of a third party app that can do this, but you could do it programmatically with WMI/ADSI. Every domain controller has an attribute called lastlogon. It is stored in a format that is not easily readable with a utility like LDP, but using this script from MSDN

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script5 6/html/wsconwshwmi.asp

You get a value that I believe turns out something like this...

YYYYMMDDHHMMSS And then a . with some other numbers behind it. So, if you tweak this script and set the UserAccountControl attribute you can disable users. Please keep in mind that the lastlogon attribute is a NON-replicated attribute. So if you have a bunch of domain controllers you will need to check each one because they write this attribute independent of each other. In other words the lastlogon attribute is the last time they logged on and were authenticated by that domain controller.

Good Luck!

Geoff Craig
Quilogy

-----Original Message-----
From: Matt Grogan [mailto:mattgrogan@bnbbank.com] Sent: Thursday, March 20, 2003 9:06 AM
To: focus-ms@securityfocus.com

Hi,

I'm just wondering if anyone knows of a way to have Active Directory acounts
automatically disable if the account has not been logged onto for a specified period of time (say 30 days).

Thank you.

---

ALERT: How a Hacker Uses SQL Injection to Steal Your SQL Data! It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! http://www.spidynamics.com/mktg/sqlinjection33

---

ALERT: How a Hacker Uses SQL Injection to Steal Your SQL Data! It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! http://www.spidynamics.com/mktg/sqlinjection33 Received on Fri Mar 21 16:09:38 2003