We have around 70 current employees, but 178 accounts in ActiveDirectory. The prior administrators never removed old accounts, and sometimes they weren't even disabled.
As it is, I am considering manually reviewing each account to determine if it can be removed. Is there an easier way to remove accounts based on a condition? Such as, remove (or at least disable or flag in some way) users that haven't logged in within the last month or so?
You can use dsquery to locate inactive users:

    dsquery user -inactive 10 -limit 0

Should return all users inactive for 10 weeks or more.
From dsquery user /?
You can pipe the output into dsrm if you want to remove the listings from the domain. Please note this will not bother prompting you, so apply the appropriate amount of caution.

    dsquery user -inactive 10 -limit 0 | dsrm -noprompt
See this somewhat related question: Removing old computers on a domain
If you just run the dsquery in the context of a called batch file with more than one object selected from your dsquery, you'll get "dsmove failed (user) is an unknown parameter".
I have two batches (one for computer accounts and one for user accounts) that run monthly from Windows Scheduled Tasks. They have the following code:
For Computers:
For Users:
I have GPOs applied to those "Quarantine" OUs that have logon prompts to notify the user that the user account, or the computer account, is going to be deleted and to contact the Help Desk if they believe that is in error. The GPOs also do some lock down actions. Then I review the moved objects and manually delete them if I don't see any exceptions (like a user on a long vacation, or an offline but important server).
You can change the "do" dsmove to dsrm, if you want to skip the OU move and review.
See here: Active Directory Script: DSMOVE failed
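The two answers above describe the same workflow in two flavours: find accounts that have not logged on for some number of weeks, then either delete them outright (dsquery | dsrm) or move them to a quarantine OU and review before deleting. The following PowerShell script is an added example that is not from any of the answers on this page; it uses the Microsoft ActiveDirectory module rather than dsquery/dsmove and implements the quarantine-and-review variant. The OU distinguished name, the 10-week threshold and the report path are placeholder assumptions you would change for your own domain.

```powershell
# Added example (not from any answer on this page): find stale user accounts,
# disable them, stamp a description and move them to a quarantine OU for review.
# Assumptions (placeholders): the ActiveDirectory module is installed, the
# account running this has rights on the OUs involved, and $QuarantineOU exists.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveWeeks = 10,
    [string]$QuarantineOU = 'OU=Quarantine-Users,DC=example,DC=com',   # placeholder DN
    [string]$ReportPath = "$env:TEMP\stale-users-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

$cutoff = (Get-Date).AddDays(-7 * $InactiveWeeks)

# Search-ADAccount relies on lastLogonTimestamp, which domain controllers only
# replicate once it is roughly 9-14 days stale, so "inactive for N weeks" is an
# approximation with about two weeks of slack.
$stale = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan (New-TimeSpan -Days (7 * $InactiveWeeks)) |
    Get-ADUser -Properties LastLogonDate, whenCreated, Description |
    Where-Object {
        # Edge case: an account that has never logged on has no LastLogonDate
        # and is reported as inactive even if it was created yesterday. Only
        # treat it as stale when the account itself is older than the cutoff.
        $_.whenCreated -lt $cutoff
    }

$report = foreach ($user in $stale) {
    $action = 'already quarantined'
    $alreadyInOU = $user.DistinguishedName -like "*,$QuarantineOU"

    if (-not $alreadyInOU -and
        $PSCmdlet.ShouldProcess($user.SamAccountName, "Disable and move to $QuarantineOU")) {

        # Disable first so the account cannot be used while it sits in review,
        # and record why/when in the description so a reviewer has context.
        Disable-ADAccount -Identity $user
        $stamp = "Disabled $(Get-Date -Format yyyy-MM-dd) by stale-account job; " +
                 "last logon: $($user.LastLogonDate); previous description: $($user.Description)"
        Set-ADUser -Identity $user -Description $stamp
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU
        $action = 'disabled and moved'
    }
    elseif (-not $alreadyInOU) {
        $action = 'skipped (WhatIf or declined)'
    }

    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        Name              = $user.Name
        WasEnabled        = $user.Enabled
        LastLogonDate     = $user.LastLogonDate
        Created           = $user.whenCreated
        Action            = $action
        DistinguishedName = $user.DistinguishedName
    }
}

# Keep a dated CSV of every run so deletions made later during review are
# traceable back to the evidence that justified them.
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table SamAccountName, WasEnabled, LastLogonDate, Created, Action -AutoSize
```

Run it once with -WhatIf to get the report without touching any account, then without it from a scheduled task. Swap -UsersOnly for -ComputersOnly (and Get-ADUser/Set-ADUser for Get-ADComputer/Set-ADComputer) to get the computer-account version of the monthly batch described above; the whenCreated filter matters for computers as well, since a freshly pre-staged computer object has no logon timestamp yet.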
If you are a fan of PowerShell, I'd visit www.quest.com and use their suite of tools for Active Directory. They're free.
The ActiveRoles Management Shell for Active Directory is a set of PowerShell commands that can be used to perform and automate administrative tasks like discovering the AD environment, changing user properties, modifying group membership, provisioning new user accounts, and performing multiple other tasks within Active Directory.