If whenCreated > 7 days and pwdLastSet = 0 then they haven't logged in
yet...

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Monday, December 18, 2006 12:19 PM
To: [email protected]
Subject: [ActiveDir] Automatic user disable based on criteria

Hi All,

DFL & FFL : Win2k-Native

DCs : Win2k3-SP1

User accounts are automatically provisioned as enabled with "Change
Password at Next logon". Management wants to disable new accounts
which have not logged into the domain within 7 days of creation, and
they want it to happen automatically.

I have a problem at hand, as I can't use lastLogonTimestamp (the DFL
does not support it). I can't connect to each DC and search for
lastLogon, as the number of DCs is too large, and I can't go by
whenChanged, as that is a generic attribute which could get updated
when any other attribute changes.


Is there any other attribute that would help me?

Currently the LDAP filter checks for accounts created on a specific day
(say current day - 7) whose "Change Password at next logon" is still
ticked, i.e. pwdLastSet=0.

But this doesn't take care of the scenario where users were created on
that same day (current - 7), logged into the network and changed their
password, but around the time the script runs had forgotten their
password, and the helpdesk had reset it and set "Change Password at
next logon" again.

I hope I am not confusing you all. :-)

I know the simple solution would be to change the criteria to, say, 15
days, raise the DFL and use LLTS, but I am taking this as a scripting
challenge at Win2k-native DFL.

Hey Joe, is there a way to see replication metadata using adfind? ;-)

If yes, I could take a peek at the originating date/time for attributes.


-- 

Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You teach best what you most need to learn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
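The check both posts describe (whenCreated at least 7 days old, pwdLastSet still 0, and the account not already disabled), as an added example that is not part of the thread and not code from either poster. It builds the LDAP filter a script would hand to adfind or dsquery, evaluates the same conditions locally on constructed sample entries, and then applies the replication-metadata idea raised at the end of the post: if pwdLastSet has been written again since the object was created (a helpdesk reset re-ticking "change password at next logon"), the account was used and should not be disabled. The entry dictionaries, the sample accounts, the `meta` layout (attribute version and originating time as `repadmin /showobjmeta` reports them) and the assumption that a value written only once, at creation, carries version 1 are all assumptions of this example, not facts from the thread.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x2            # userAccountControl bit: account is disabled
GT_FORMAT = "%Y%m%d%H%M%S.0Z"   # AD generalized time, e.g. 20061211121900.0Z

# Run time taken from the date of the original post; the cutoff is 7 days earlier.
RUN_AT = datetime(2006, 12, 18, 12, 19, tzinfo=timezone.utc)


def to_generalized_time(dt):
    """Render a UTC datetime the way AD stores whenCreated."""
    return dt.astimezone(timezone.utc).strftime(GT_FORMAT)


def from_generalized_time(s):
    return datetime.strptime(s, GT_FORMAT).replace(tzinfo=timezone.utc)


def build_filter(run_at, days=7):
    """LDAP filter for enabled users created at least `days` ago whose
    "change password at next logon" flag is still set (pwdLastSet=0).
    1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible
    match; it keeps accounts that are already disabled out of the result."""
    cutoff = to_generalized_time(run_at - timedelta(days=days))
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(whenCreated<={cutoff})"
        "(pwdLastSet=0)"
        f"(!(userAccountControl:1.2.840.113556.1.4.803:={ACCOUNTDISABLE})))"
    )


def matches_filter(entry, run_at, days=7):
    """The same three conditions evaluated locally on one entry, so the
    logic can be checked without a domain controller."""
    cutoff = run_at - timedelta(days=days)
    return (
        from_generalized_time(entry["whenCreated"]) <= cutoff
        and int(entry["pwdLastSet"]) == 0
        and not (int(entry["userAccountControl"]) & ACCOUNTDISABLE)
    )


def never_logged_on(entry, run_at, days=7):
    """Filter match plus the replication-metadata check the post alludes to.
    Assumption (example only): entry["meta"]["pwdLastSet"] carries the
    attribute's version and originating time as repadmin /showobjmeta shows
    them, and a value written once, at creation, has version 1. A higher
    version or a later originating time means pwdLastSet was reset after
    creation, so the account has been used and is not a never-logged-on one."""
    if not matches_filter(entry, run_at, days):
        return False
    meta = entry.get("meta", {}).get("pwdLastSet")
    if meta is None:
        return True   # no metadata available: fall back to the plain filter
    created = from_generalized_time(entry["whenCreated"])
    rewritten = meta["version"] > 1 or from_generalized_time(meta["originating"]) > created
    return not rewritten


def select_for_disable(entries, run_at, days=7):
    """sAMAccountNames the job would disable, in directory order."""
    return [e["sAMAccountName"] for e in entries if never_logged_on(e, run_at, days)]


# Constructed sample entries (not real accounts). pwdLastSet is the raw
# LargeInteger as returned by LDAP; 0 means "must change password at next logon".
SAMPLE_ENTRIES = [
    # created 13 days ago, never touched: the intended target
    {"sAMAccountName": "alice", "whenCreated": "20061205090000.0Z", "pwdLastSet": "0",
     "userAccountControl": "512",
     "meta": {"pwdLastSet": {"version": 1, "originating": "20061205090000.0Z"}}},
    # logged on and changed the password: pwdLastSet is a real FILETIME
    {"sAMAccountName": "bob", "whenCreated": "20061205090000.0Z",
     "pwdLastSet": "128100000000000000", "userAccountControl": "512",
     "meta": {"pwdLastSet": {"version": 2, "originating": "20061206080000.0Z"}}},
    # already disabled (512 | 0x2): nothing to do
    {"sAMAccountName": "carol", "whenCreated": "20061205090000.0Z", "pwdLastSet": "0",
     "userAccountControl": "514",
     "meta": {"pwdLastSet": {"version": 1, "originating": "20061205090000.0Z"}}},
    # created yesterday: not old enough
    {"sAMAccountName": "dave", "whenCreated": "20061217100000.0Z", "pwdLastSet": "0",
     "userAccountControl": "512",
     "meta": {"pwdLastSet": {"version": 1, "originating": "20061217100000.0Z"}}},
    # the edge case from the post: created 7 days ago, used, then reset by the
    # helpdesk this morning; the filter alone cannot tell erin from alice
    {"sAMAccountName": "erin", "whenCreated": "20061211090000.0Z", "pwdLastSet": "0",
     "userAccountControl": "512",
     "meta": {"pwdLastSet": {"version": 3, "originating": "20061218110000.0Z"}}},
]

if __name__ == "__main__":
    print(build_filter(RUN_AT))
    print("filter matches:", [e["sAMAccountName"] for e in SAMPLE_ENTRIES if matches_filter(e, RUN_AT)])
    print("disable:", select_for_disable(SAMPLE_ENTRIES, RUN_AT))
```

The filter alone returns both alice and erin, which is exactly the gap the post describes; only the per-attribute metadata separates them. The metadata check is a per-object query, so in practice it is run only on the (small) filter result, not on the whole domain. Note also that whenCreated is compared as a generalized-time string and pwdLastSet as an integer; a filter written as `(pwdLastSet=0)` works because the attribute is stored as a number, not because it is a string.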
