
VBScript to Disable Old Accounts in Active Directory

4 Sep 2007
Searches a given OU for all users that haven't logged on in a given length of time. Then gives you the option to disable them and move them to a new folder.

Introduction

This script searches out and disables stale accounts. The code is fairly straightforward but combines the LDAP and WinNT ADSI providers with the FileSystemObject (FSO) to accomplish its goals. The attached document is a working script that should be run from an AD server while logged on as an administrator. All you need to do is enter your domain information in the variable declarations at the top. It will display a message asking if you want to disable the accounts and another message asking if you want to just save the output to a file.

Background

If your business is anything like mine, HR never tells you when a person is gone, so running this script monthly can at least tell you when the last time they logged in was.

The Code

The main routines in this script are based on ADSI, using an LDAP object to query Active Directory. Since enumerating an ADSI container only returns the objects directly inside that Organizational Unit (OU), you have to recursively search all sub-OUs in order to find all of the users.

First off, you need to set up a number of variables based off of your AD.

bDisable = 0      
'do you want to disable and move the accounts?
strFileName = "c:\users.tab"  
'the file where the tab delimited results are saved
strUserDN = "servername/OU=All Users, dc=yourdomain, dc=com"  
'initial OU where the users are located
'you can leave out the servername/ if you only have 1 domain controller
strNewParentDN = "OU=Inactive Users, dc=yourdomain, dc=com"           
'location where disabled users are moved to
strDomain = "yourdomain.com" 
'FQDN
iDayThreshold = 180
'number of days without logging in

These two simple functions can recursively find all of the users.

Function EnumOUs(sADsPath)
'recursively finds all of the OU's and users in the given AD path
'(users directly inside the starting OU are not visited here, so call
'EnumUsers on the starting path as well)
    Dim oContainer, oOU
    Set oContainer = GetObject(sADsPath)
    oContainer.Filter = Array("OrganizationalUnit")
    For Each oOU in oContainer
        EnumUsers oOU.ADsPath
        EnumOUs oOU.ADsPath
    Next
End Function

Function EnumUsers(sADsPath)
'finds all of the users in one OU (extended below to read each user's last logon time)
'strOut must be declared at script level so the results survive the call
    Dim oContainer, oADobject
    Set oContainer = GetObject(sADsPath)
    oContainer.Filter = Array("User")
    For Each oADobject in oContainer
        strOut = strOut & oADobject.Name & vbCrLf
        'you can put other things here depending on what you want to do
    Next
End Function

This will basically build a string that has all of the users in it. However, instead of just building a string, we can also get the lastLogon property of each user. Once we have that, we can determine what we want to do with the users that haven't logged on in the given time frame.

Since the lastLogon property is stored in LDAP as a 64-bit integer (an IADsLargeInteger counting 100-nanosecond intervals since 1 January 1601), you have to collect the data as an object and convert it to a usable date value.

'for each user object, oADobject, find the last logon
'lastLogon is an IADsLargeInteger: 100-nanosecond intervals since 1 Jan 1601 (UTC);
'Get raises an error if the attribute was never set, so guard that in the full script
    Set objLogon = oADobject.Get("lastLogon")
    lngHigh = objLogon.HighPart
    lngLow = objLogon.LowPart
    'LowPart comes back as a signed 32-bit value; if negative, add 1 (i.e. 2^32) to the high part
    If lngLow < 0 Then lngHigh = lngHigh + 1
    intLogonTime = lngHigh * (2^32) + lngLow
    intLogonTime = intLogonTime / (60 * 10000000)   '100 ns intervals -> minutes
    intLogonTime = intLogonTime / 1440               'minutes -> days
    intLogonTime = intLogonTime + #1/1/1601#         'days since the epoch -> date (UTC)
    inactiveDays = Fix(Now() - intLogonTime)

Based off whatever logic you choose, you can then disable the accounts or move them to an "inactive users" folder or both. This function will move the user, then disable it.

Sub MoveUser(adsName, adsPath, adsSAM)
'adsName is the RDN of the object - CN=Some Guy
'adsPath is the full ADsPath - LDAP://cn=Some Guy,OU=All Users,DC=yourdomain,DC=com
'adsSAM is the unique object name (their username) - someguy
'moves the user from the given OU to the new OU (strNewParentDN)
    Set objContainer = GetObject("LDAP://" & strNewParentDN)
    objContainer.MoveHere adsPath, adsName

'then disable the user through the WinNT provider
    Set objUser = GetObject("WinNT://" & strDomain & "/" & adsSAM & ",user")
    objUser.AccountDisabled = True
    objUser.SetInfo
End Sub

Then, we can also use the FSO to save the list of users that were disabled to a file if you want. This procedure takes the output string and saves it to a file.

Sub SaveToFile(strData)
'saves strData to strFileName, overwriting any existing file
    Const ForWriting = 2
    Dim objFSO, objTextStream
    Set objFSO = CreateObject("Scripting.FileSystemObject")
'if the file exists already, open it for writing
    If objFSO.FileExists(strFileName) Then
        Set objTextStream = objFSO.OpenTextFile(strFileName, ForWriting)
'otherwise, create the file
    Else
        Set objTextStream = objFSO.CreateTextFile(strFileName, True)
    End If
    objTextStream.Write strData
    objTextStream.Close
    Set objTextStream = Nothing
End Sub

Download a complete copy of the script here.
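If the download link above is unavailable, the following is an added example that assembles the pieces described in this article into one runnable script. It is not the author's original download, and the DNs and file name are placeholders you must edit. It differs from the fragments above in three ways a practitioner would want: it enumerates everything first and only moves or disables accounts after the enumeration has finished (so it never modifies a container while iterating it), it reports accounts with no lastLogon at all but never disables them (a freshly created account looks exactly like a stale one), and it checks the object's Class so that computer accounts, which inherit from user, are not caught by the "User" filter. One caveat the article does not mention: lastLogon is not replicated between domain controllers, so the value read from one DC only reflects logons that DC handled; run the report against each DC (or, on a Windows Server 2003 or later domain, read the replicated lastLogonTimestamp, which can lag by up to 14 days) before treating the result as a reason to disable anyone.

```vbscript
Option Explicit

' Settings: placeholder values, edit them for your own directory
Const strFileName    = "c:\users.tab"
Const strUserDN      = "OU=All Users,DC=yourdomain,DC=com"
Const strNewParentDN = "OU=Inactive Users,DC=yourdomain,DC=com"
Const iDayThreshold  = 180

Dim strOut, oCandidates, sPath
strOut = "sAMAccountName" & vbTab & "distinguishedName" & vbTab & "lastLogon" & vbTab & "inactiveDays" & vbCrLf
Set oCandidates = CreateObject("Scripting.Dictionary")   ' ADsPath -> RDN of each stale account

' Pass 1 is read-only: the starting OU itself, then every OU beneath it
EnumUsers "LDAP://" & strUserDN
EnumOUs "LDAP://" & strUserDN

' Pass 2 acts on the collected list only after enumeration has finished
If MsgBox(oCandidates.Count & " account(s) inactive for more than " & iDayThreshold & _
          " days. Move them to " & strNewParentDN & " and disable them?" & vbCrLf & _
          "(No = report only)", vbYesNo + vbQuestion, "Stale accounts") = vbYes Then
    For Each sPath In oCandidates.Keys
        MoveUser oCandidates(sPath), sPath
    Next
End If
If MsgBox("Save the report to " & strFileName & "?", vbYesNo + vbQuestion, "Stale accounts") = vbYes Then
    SaveToFile strOut
End If

Sub EnumOUs(sADsPath)
    ' Recurse through the OUs below sADsPath, listing the users in each
    Dim oContainer, oOU
    Set oContainer = GetObject(sADsPath)
    oContainer.Filter = Array("OrganizationalUnit")
    For Each oOU In oContainer
        EnumUsers oOU.ADsPath
        EnumOUs oOU.ADsPath
    Next
End Sub

Sub EnumUsers(sADsPath)
    ' Report the stale users in this one OU and remember the ones past the threshold
    Dim oContainer, oUser, dtLogon, iInactive
    Set oContainer = GetObject(sADsPath)
    oContainer.Filter = Array("User")
    For Each oUser In oContainer
        If oUser.Class = "user" Then             ' skip computer objects, which derive from user
            dtLogon = GetLastLogon(oUser)
            If IsNull(dtLogon) Then
                iInactive = -1                   ' no lastLogon on this DC: reported, never disabled
            Else
                iInactive = Fix(Now() - dtLogon)
            End If
            If iInactive = -1 Or iInactive > iDayThreshold Then
                strOut = strOut & oUser.sAMAccountName & vbTab & oUser.distinguishedName & _
                         vbTab & dtLogon & vbTab & iInactive & vbCrLf
            End If
            If iInactive > iDayThreshold Then oCandidates.Add oUser.ADsPath, oUser.Name
        End If
    Next
End Sub

Function GetLastLogon(oUser)
    ' Convert lastLogon (IADsLargeInteger, 100 ns intervals since 1 Jan 1601 UTC)
    ' to a Date; return Null if the attribute is unset or zero
    Dim oLI, lngHigh, lngLow
    GetLastLogon = Null
    On Error Resume Next
    Set oLI = oUser.Get("lastLogon")             ' raises an error when never set
    If Err.Number <> 0 Then
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0
    lngHigh = oLI.HighPart
    lngLow = oLI.LowPart
    If lngLow < 0 Then lngHigh = lngHigh + 1     ' LowPart is signed: negative means add 2^32
    If lngHigh = 0 And lngLow = 0 Then Exit Function
    ' intervals -> minutes (/600000000) -> days (/1440); result is UTC, Now() is local,
    ' so the day count can be off by the time zone offset
    GetLastLogon = #1/1/1601# + (lngHigh * (2 ^ 32) + lngLow) / 600000000 / 1440
End Function

Sub MoveUser(adsName, adsPath)
    ' adsName is the RDN ("CN=Some Guy"), adsPath the full ADsPath of the user
    Dim oTarget, oMoved
    Set oTarget = GetObject("LDAP://" & strNewParentDN)
    Set oMoved = oTarget.MoveHere(adsPath, adsName)
    ' MoveHere returns the object at its new location; disable it there through LDAP
    ' (the article's WinNT lookup by sAMAccountName works as well)
    oMoved.AccountDisabled = True
    oMoved.SetInfo
End Sub

Sub SaveToFile(strData)
    Const ForWriting = 2
    Dim oFSO, oStream
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    Set oStream = oFSO.OpenTextFile(strFileName, ForWriting, True)   ' True = create if missing
    oStream.Write strData
    oStream.Close
End Sub
```

Run it with cscript or wscript on a domain controller as an administrator; answer No to the first prompt to get a report-only run, which is the sensible first pass so you can check the tab-delimited output before any account is touched.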

Points of Interest

I found various parts of this script on different web sites but never found anything to tie them all together. This combination of routines really gives some pretty good functionality for systems administrators to get rid of inactive users and to get a report on it too.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here