Introduction
This script finds stale accounts in Active Directory and, optionally, disables them. The code is fairly straightforward but combines the ADSI LDAP and WinNT providers with the FileSystemObject (FSO) to do its work. The attached script should be run on a domain controller while logged on as an administrator; all you need to do is enter your domain information in the variable declarations at the top. It prompts once to ask whether you want to disable the accounts it finds and once to ask whether you want to save the output to a file.
Background
If your business is anything like mine, HR never tells you when a person has left, so running this script monthly at least tells you when each user last logged in.
The Code
The main routines in this script use ADSI and an LDAP object to query Active Directory. Enumerating an ADSI container (GetObject on an LDAP:// path) returns only that container's immediate children, not the objects in the OUs beneath it, so the script has to recurse through every sub-OU to find all of the users. (An ADO query against the LDAP provider with subtree scope would do it in one search, but the container enumeration used here is simpler to follow.)
First, set up the variables at the top of the script to match your AD.
bDisable = 0                       ' 0 = report only; nonzero = move and disable the stale accounts
strFileName = "c:\users.tab"       ' report written by SaveToFile
strUserDN = "servername/OU=All Users, dc=yourdomain, dc=com"    ' DC and OU to search; "LDAP://" is prepended when used
strNewParentDN = "OU=Inactive Users, dc=yourdomain, dc=com"     ' OU that stale users are moved to
strDomain = "yourdomain.com"       ' used with the WinNT provider when disabling accounts
iDayThreshold = 180                ' days without a logon before an account counts as stale
These two simple routines recursively find all of the users. Call EnumUsers on the starting OU first and then EnumOUs, because EnumOUs itself only visits the OUs beneath the path it is given.
' Walk every OU below sADsPath. Container enumeration only returns immediate
' children, so each sub-OU is enumerated and then recursed into explicitly.
Sub EnumOUs(sADsPath)
    Dim oContainer, oOU
    Set oContainer = GetObject(sADsPath)
    oContainer.Filter = Array("OrganizationalUnit")
    For Each oOU In oContainer
        EnumUsers oOU.ADsPath
        EnumOUs oOU.ADsPath
    Next
End Sub

' Collect the users that are direct children of sADsPath into strOut.
Sub EnumUsers(sADsPath)
    Dim oContainer, oADobject
    Set oContainer = GetObject(sADsPath)
    oContainer.Filter = Array("User")
    For Each oADobject In oContainer
        ' computer objects derive from the user class and match this filter too,
        ' so keep only objects whose own class is "user"
        If LCase(oADobject.Class) = "user" Then
            strOut = strOut & oADobject.Name & vbCrLf
        End If
    Next
End Sub
This builds a string containing the name of every user. Instead of collecting only the name, though, we can read the lastLogon property of each user as we go and then decide what to do with the users that haven't logged on within the threshold.

lastLogon is stored as a 64-bit integer (a Windows FILETIME: 100-nanosecond intervals since 1 January 1601 UTC), so you have to read it as an IADsLargeInteger object and convert its two 32-bit halves into a usable date value. Two caveats matter here. lastLogon is not replicated between domain controllers, so the value you read is only that DC's view; the true last logon is the newest value held by any DC, and a user that authenticates against another DC will look idle here. (The replicated lastLogonTimestamp attribute is an alternative, but by default it is only rewritten when the stored value is 9 to 14 days old.) And a user that has never logged on may have no value at all, in which case Get raises an error instead of returning 0, so the read has to be guarded.
On Error Resume Next
Set objLogon = oADobject.Get("lastLogon")   ' raises if the attribute has never been set
If Err.Number <> 0 Then Set objLogon = Nothing : Err.Clear
On Error GoTo 0
If objLogon Is Nothing Then
    inactiveDays = -1                        ' never logged on at this DC; handle separately
Else
    intLogonTime = objLogon.HighPart * (2^32) + objLogon.LowPart
    If objLogon.LowPart < 0 Then intLogonTime = intLogonTime + (2^32)   ' LowPart is signed 32-bit; without this the date is ~7 minutes early
    intLogonTime = intLogonTime / (60 * 10000000) / 1440 + #1/1/1601#   ' 100-ns ticks -> days since the FILETIME epoch (UTC)
    inactiveDays = Fix(Now() - intLogonTime)
End If
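The same conversion in PowerShell, as an added example that is not part of the article's script. It splits a constructed timestamp into the signed HighPart/LowPart pair exactly as ADSI's IADsLargeInteger hands it back, shows what the naive recombination gets wrong, and resolves one user's lastLogon from the per-DC values that the non-replicated attribute forces you to collect. The sample timestamp and DC names are constructed for the example.

```powershell
# Added example (not the article's code): ADSI IADsLargeInteger -> UTC date,
# inactivity age, and "newest value across DCs" for the non-replicated lastLogon.

function ConvertFrom-AdsiLargeInteger {
    param([int32]$HighPart, [int32]$LowPart)
    # LowPart is a signed 32-bit view of an unsigned word. Adding 2^32 when it
    # is negative restores the true value; without it the result is 2^32 ticks
    # of 100 ns (about 7 minutes) too early: harmless for a day threshold, but
    # wrong whenever the timestamp is compared exactly.
    $low = [int64]$LowPart
    if ($low -lt 0) { $low += 4294967296 }
    $ticks = ([int64]$HighPart * 4294967296) + $low
    if ($ticks -eq 0) { return $null }          # 0 = never logged on at this DC
    return [DateTime]::FromFileTimeUtc($ticks)
}

function Get-InactiveDays {
    param([DateTime]$LastLogonUtc, [DateTime]$NowUtc = (Get-Date).ToUniversalTime())
    return [int][math]::Floor(($NowUtc - $LastLogonUtc).TotalDays)
}

# lastLogon is per-DC and not replicated: the newest value any DC holds is the
# real last logon, and an account that every DC reports as 0 has never logged on.
function Resolve-LastLogon {
    param([hashtable]$PerDcValues)   # DC name -> raw [int64] lastLogon (0 or missing = none)
    $dates = foreach ($v in $PerDcValues.Values) {
        if ($v -gt 0) { [DateTime]::FromFileTimeUtc([int64]$v) }
    }
    if (-not $dates) { return $null }
    return ($dates | Sort-Object -Descending | Select-Object -First 1)
}

# --- constructed sample input -------------------------------------------------
# Split a known UTC timestamp the way ADSI returns it: two little-endian signed
# 32-bit words. For this particular instant the low word's sign bit is set.
$known    = [DateTime]::new(2009, 6, 15, 8, 30, 13, [DateTimeKind]::Utc)
$bytes    = [BitConverter]::GetBytes($known.ToFileTimeUtc())
$lowPart  = [BitConverter]::ToInt32($bytes, 0)
$highPart = [BitConverter]::ToInt32($bytes, 4)

$roundTrip = ConvertFrom-AdsiLargeInteger -HighPart $highPart -LowPart $lowPart
$naive     = [DateTime]::FromFileTimeUtc([int64]$highPart * 4294967296 + $lowPart)
"LowPart as ADSI reports it : $lowPart"
"Correct round trip         : $($roundTrip.ToString('u'))  matches=$($roundTrip -eq $known)"
"Naive HighPart*2^32+LowPart: $($naive.ToString('u'))  off by $(($known - $naive).TotalMinutes) minutes"

# Per-DC view of one user: DC01 never saw a logon, DC03 saw an older one.
$perDc = @{
    'DC01' = 0
    'DC02' = $known.ToFileTimeUtc()
    'DC03' = $known.AddDays(-40).ToFileTimeUtc()
}
$last = Resolve-LastLogon -PerDcValues $perDc
"Newest lastLogon across DCs: $($last.ToString('u')); inactive for $(Get-InactiveDays -LastLogonUtc $last) days"
```

Resolve-LastLogon returns $null for an account no DC has ever seen log on; callers should age such accounts from whenCreated rather than from 1601, which is what a raw 0 converts to.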
Based on whatever logic you choose, you can then disable the accounts, move them to an "inactive users" OU, or both. This routine moves the user and then disables it. The move keeps the sAMAccountName, so the WinNT lookup that follows still finds the account in its new OU.
' adsPath: the user's ADsPath ("LDAP://CN=...,OU=..."), adsName: its RDN ("CN=Jane Doe"),
' adsSAM: its sAMAccountName, which the WinNT provider uses to find the account.
Sub MoveUser(adsName, adsPath, adsSAM)
    Dim objOU, objUser
    Set objOU = GetObject("LDAP://" & strNewParentDN)
    objOU.MoveHere adsPath, adsName          ' same RDN, new parent OU
    Set objUser = GetObject("WinNT://" & strDomain & "/" & adsSAM & ",user")
    objUser.AccountDisabled = True
    objUser.SetInfo
End Sub
We can also use the FSO to save the list of disabled users to a file. This routine takes the output string and writes it to strFileName, overwriting any previous report.
Sub SaveToFile(strData)
    Dim objFSO, objTextStream
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    ' 2 = ForWriting (truncates an existing file); True = create it if missing
    Set objTextStream = objFSO.OpenTextFile(strFileName, 2, True)
    objTextStream.Write strData
    objTextStream.Close
    Set objTextStream = Nothing
End Sub
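The whole workflow (search the subtree, work out each account's real last logon, report, then move and disable) in PowerShell, as an added example rather than the article's script. It assumes the RSAT ActiveDirectory module is installed, that the caller may disable and move users, and that the OU names and report path below, which are placeholders, exist. Running it with -WhatIf is the equivalent of the article's "report only" prompt: the report is still written, but nothing is disabled or moved.

```powershell
# Added example, not the article's script: stale-account search with the RSAT
# ActiveDirectory module. Assumed: module installed, rights to disable/move users,
# and the placeholder OU names and report path below.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase   = 'OU=All Users,DC=yourdomain,DC=com',
    [string]$InactiveOu   = 'OU=Inactive Users,DC=yourdomain,DC=com',
    [int]   $DayThreshold = 180,
    [string]$ReportPath   = 'C:\users.tab'
)
Import-Module ActiveDirectory

$nowUtc = (Get-Date).ToUniversalTime()
$cutoff = $nowUtc.AddDays(-$DayThreshold)

# lastLogon is not replicated, so ask every DC and keep the newest value each
# account has anywhere. lastLogonTimestamp is replicated but, by default, only
# rewritten when the stored value is 9-14 days old; it serves as a floor.
# The LDAP filter skips computer objects and accounts that are already disabled.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$byUser = @{}
foreach ($dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
    Write-Verbose "Querying $dc"
    $users = Get-ADUser -Server $dc -SearchBase $SearchBase -SearchScope Subtree `
                        -LDAPFilter $ldapFilter -Properties lastLogon, lastLogonTimestamp, whenCreated
    foreach ($u in $users) {
        $seen = [math]::Max([int64]$u.lastLogon, [int64]$u.lastLogonTimestamp)   # raw FILETIME; 0 = never
        $dn = $u.DistinguishedName
        if ($byUser.ContainsKey($dn)) {
            if ($seen -gt $byUser[$dn].LastLogon) { $byUser[$dn].LastLogon = $seen }
        } else {
            $byUser[$dn] = [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                DistinguishedName = $dn
                CreatedUtc        = $u.whenCreated.ToUniversalTime()
                LastLogon         = $seen
            }
        }
    }
}

# Accounts that never logged on anywhere age from their creation date instead.
$stale = foreach ($rec in $byUser.Values) {
    $last = if ($rec.LastLogon -gt 0) { [DateTime]::FromFileTimeUtc($rec.LastLogon) } else { $rec.CreatedUtc }
    if ($last -lt $cutoff) {
        $lastText = if ($rec.LastLogon -gt 0) { $last.ToString('u') } else { 'never' }
        [pscustomobject]@{
            SamAccountName    = $rec.SamAccountName
            LastLogonUtc      = $lastText
            InactiveDays      = [int][math]::Floor(($nowUtc - $last).TotalDays)
            DistinguishedName = $rec.DistinguishedName
        }
    }
}

# The report is written even under -WhatIf; only the changes below are gated.
if ($stale) {
    $stale | Sort-Object InactiveDays -Descending |
        Export-Csv -Path $ReportPath -Delimiter "`t" -NoTypeInformation -WhatIf:$false
}
Write-Verbose "$(@($stale).Count) stale account(s) written to $ReportPath"

foreach ($s in $stale) {
    if ($PSCmdlet.ShouldProcess($s.SamAccountName, "disable and move to $InactiveOu")) {
        # Disable before moving: if the move fails, the account is still locked.
        Disable-ADAccount -Identity $s.DistinguishedName
        Set-ADUser -Identity $s.DistinguishedName `
                   -Description "Disabled $($nowUtc.ToString('u')): no logon for $($s.InactiveDays) days"
        Move-ADObject -Identity $s.DistinguishedName -TargetPath $InactiveOu
    }
}
```

Save it as a .ps1 and run it first with -WhatIf -Verbose to review the report and the per-DC queries; the description stamp is there so a help-desk call about a disabled account can be traced back to this job rather than to a compromise.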
Download a complete copy of the script here.
Points of Interest
I found various parts of this script on different web sites but never found anything that tied them all together. This combination of routines gives systems administrators a good way to get rid of inactive users and to get a report of what was done.