As mentioned by others you need to define what is inactive. Some folks will simply say an account whose password expired more than x days ago is inactive; for others that may not be optimal. Some folks say an account that hasn't been logged into in more than X days is inactive. If you have Exchange mail resource accounts, this can be even more fun and I have yet to see a good solution which is foolproof without caveats based on the specific deployment.

Jorge mentioned my oldcmp tool (does users with -users switch) which is a generic ready built tool, I guess it is third party though I never thought of myself as a third party, I prefer the first party, that is where the cool people are. Since third party possibly I should speak of myself in third person...

Well joe wrote the tool such that it will use pwdLastSet by default, that is one of the safer mechanisms across the board but again, may not be accurate for a specific deployment or specific accounts in a specific deployment. If your domain is in DFL2 you can use the -llts switch which will use the lastLogonTimeStamp for aging.

The coolest part about oldcmp is that it gives you a decent output of what it wants to do or did and it has a ton of safeties in it so you don't completely cut your own feet off...

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myke
Sent: Wednesday, April 19, 2006 10:39 AM
To: [email protected]
Subject: [ActiveDir] automatic account disable

hi guys,

it's possible to make an automatic lockout in user accounts by inactivity, or I need a third party tool?

thanks
Myke

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
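
Added example (not part of the original thread and not oldcmp's code): a report-first PowerShell sketch of the two aging criteria discussed above, pwdLastSet by default and lastLogonTimestamp on request, using the ActiveDirectory module. The parameter names, the 90-day default and the DC=example,DC=com search base are assumptions made for illustration.

```powershell
# Added example: lists stale accounts and previews the disable; nothing is changed.
param(
    [int]$Days = 90,                              # assumed threshold, pick your own
    [switch]$UseLastLogonTimestamp,               # needs domain functional level 2 (DFL2)
    [string]$SearchBase = 'DC=example,DC=com'     # constructed placeholder
)
Import-Module ActiveDirectory

$attr = if ($UseLastLogonTimestamp) { 'lastLogonTimestamp' } else { 'pwdLastSet' }

# lastLogonTimestamp is replicated lazily and can lag the real logon by up to
# 14 days with default settings, so widen the window instead of trusting it exactly.
$slack  = if ($UseLastLogonTimestamp) { 14 } else { 0 }
$cutoff = (Get-Date).AddDays(-($Days + $slack)).ToFileTimeUtc()

# Enabled user accounts only (userAccountControl bit 2 = ACCOUNTDISABLE).
# pwdLastSet=0 means "must change at next logon", not "old", so it is excluded.
# Accounts that never logged on have no lastLogonTimestamp and will not match
# the -UseLastLogonTimestamp query; review those separately.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(!(pwdLastSet=0))" +
          "(${attr}<=${cutoff}))"

$users = @(Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase `
              -Properties pwdLastSet, lastLogonTimestamp, whenCreated)

# Human-readable report of what would be touched.
$users | Sort-Object SamAccountName |
    Select-Object SamAccountName, whenCreated,
        @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } },
        @{ n = 'LastLogonTimestamp'; e = {
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) }
        } } |
    Format-Table -AutoSize

Write-Host ("{0} account(s) older than {1} days by {2}" -f $users.Count, $Days, $attr)

# Preview only: -WhatIf prints the action for each account without performing it.
# Service and mail resource accounts can look stale under either criterion,
# so check the list above before removing -WhatIf.
$users | Disable-ADAccount -WhatIf
```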
