Author: NetworkAdminKB.com
Created: 2010-01-13
Modified: 2010-01-21
Version: 1.9.52
The Disable Accounts utility can be used to do all of the following on Windows 2003 domains. This utility is untested on Windows 2000 and 2008 domains.
1) Disable computer and/or user accounts based on the following
a. Number of days since last logon, when the account has logged on at least once.
b. Number of days since account was created, when the account has never logged on.
2) Manage Disabled accounts
a. Disable accounts and move them to a specific OU. Existing disabled accounts that match criteria will be moved as well.
3) Create CSV or HTML reports on the following
a. Create a report on what accounts would be disabled without disabling them.
b. Report on the current disabled status of accounts.
c. Report on the last logon of accounts.
d. Report on accounts that have never logged on.
e. Report on accounts that have not logged on in xx days.
4) When disabling or reporting on accounts you can specify the following.
a. All accounts in an OU or Domain
b. Exclude accounts from being disabled or reported on based on OU membership or samAccountName (aka: user id).
c. If an exclude file is specified, accounts that were excluded from processing are reported in a separate exclude report.
5) Obtain count of objects
a. Count number of users and/or computers in domain, OU or OU Tree
6) Create or use an XML database of accounts during processing
a. Use the XML database to protect against domain controllers not being available when disabling accounts.
b. Create an XML database to use in future processing as above, in other scripts, or import into a database server.
Requirements and Limitations
1) Disable Accounts will never disable or report on special system accounts; these include:
a. Built-in Administrator
b. Built-in Guest
c. Domain Controllers
2) Permissions required
a. To run Disable Accounts the user account must be in the same forest as the domain you are attempting to manage accounts in. Users from an externally trusted domain cannot query the Domain Controllers in the forest.
b. To run reports from Disable Accounts you need a regular user account.
c. To disable accounts you need the permissions to disable the accounts.
d. To move accounts you need appropriate permissions in the source and destination OUs.
e. Account Operator or Domain Admin permissions are generally recommended.
3) VB6 Runtime may be required on Windows 2000 or earlier OS.
Syntax:
DisableAccounts
{/u | /c | /a} {/days=xx /never[=xx]} [/ou=RDN] [/tou=RDN]
[/d=DomainName] [/o=[OutputPath]] [/r] [/e=ExcludeFile]
[/db=filename]
Purpose: Disable user and computer accounts based upon various criteria
Select between /u, /c, and /a
/u Disable user accounts.
/c Disable computer accounts.
/a Disable all types of accounts (user and computer).
Select either /days or /never or both
/days=xx Disable accounts that have not logged on in over xx days.
This ignores accounts that have never logged in.
/never[=xx] Disable accounts that have never logged on and, if specified, were
created over xx days ago.
Optional Settings
/ou=RDN Disable accounts in this RDN specified OU.
Example: /ou=OU=Accounts
/tou=RDN Move the disabled accounts to this Target RDN specified OU.
Example: /tou=OU=Disabled,OU=Accounts
/d=domain Specify the Domain containing the Target Accounts.
If omitted the Current (RootDSE) domain is used.
/r Report only. Do not actually disable the accounts.
/db=filename Specify a filename to use as a local database. This is useful
if one or more DCs are offline and LastLogon information may
not be available; in this case the local DB can provide the
missing information.
/e=ExcludeFile Specify a file containing a list of samAccountNames or
the RDNs of OUs to exclude. (One samAccountName / OU per line.)
/o[=OutputPath] Specify the path and/or filename to direct output to.
(A path must end with '\')
Examples:
DisableAccounts /u /days=30
DisableAccounts /c /never /d=my.domain.com
DisableAccounts /a /days=30 /never=30 /d=my.domain.com
DisableAccounts /a /days=30 /never=30 /r /o=C:\Reports\file.htm
DisableAccounts /u /days=30 /r /o=C:\Reports\ /db=users.db /e=Exclude.txt
Sample ExcludeFile
user1
user2
CN=Users
CN=Computers
OU=Disabled,OU=Accounts
Notes: NT4 Domains/Connections are not supported
Example Output of DisableAccounts
C:\>disableaccounts /r /u /never /ou="ou=my ou" /o
Author: NetworkAdminKB.com
Version: 1.9.52
Copyright (c) 2007-2009 NetworkAdminKB.com, All rights reserved.
Purpose: Disable Accounts in Active Directory.
Checking the following Domain Controllers
DC01.domain.local
DC02.domain.local
Obtaining last logon information from domain controller: DC01.domain.local
Obtaining last logon information from domain controller: DC02.domain.local
Reporting on Disabled Accounts as specified.
Total number of objects checked: 57
Logfile Date: 2009-11-21 16:21:37
Domain: domain.local
Total Accounts Reported: 7
| samAccountname | LastLogon | WhenCreated | AccountDisabled | Reason | Location |
| User1 | 1601-01-01 | 2006-05-12 13:02:53 | Report: False | Disable all accounts that have never logged in (/never or /never=0) | OU=My OU |
| User2 | 1601-01-01 | 2006-05-12 13:02:56 | Report: False | Disable all accounts that have never logged in (/never or /never=0) | OU=My OU |
| User3 | 1601-01-01 | 2006-05-12 13:32:13 | Report: False | Disable all accounts that have never logged in (/never or /never=0) | OU=My OU |
| User4 | 1601-01-01 | 2008-12-16 14:47:32 | Report: False | Disable all accounts that have never logged in (/never or /never=0) | OU=My OU |
| User5 | 1601-01-01 | 2009-10-22 14:24:12 | Report: False | Disable all accounts that have never logged in (/never or /never=0) | OU=My OU |
| User6 | 1601-01-01 | 2006-05-13 05:56:20 | Report: False | Disable all accounts that have never logged in (/never or /never=0) | OU=My OU |
| User7 | 1601-01-01 | 2006-05-13 05:56:20 | Report: False | Disable all accounts that have never logged in (/never or /never=0) | OU=My OU |
Using the database (/db) option
The ability to create and use a database file as an additional source of LastLogon information is very important for any automated account-disabling process you implement.
Consider the following scenario. Company XYZ has three sites: SiteA, SiteB and SiteC. UserA is located in SiteA, which has one local DC. UserA never visits another office, so all of UserA's logons are processed by the DC in SiteA. You implement an automated process that disables accounts that have not accessed the network in 90 days, and the process runs from a server in SiteB. The process works well for a few months, but then one day the WAN link to SiteA goes down. UserA's most recent LastLogon is only available on SiteA's DC (the lastLogon attribute is not replicated between DCs). The DCs in SiteB and SiteC have logon information for UserA, but it is older than 90 days, so UserA appears not to have logged on recently and the account is disabled.
To prevent this type of scenario, a database can be created and used when determining whether an account should be disabled. The database is essentially treated as another DC, one that has complete knowledge of the most recent LastLogon of all accounts on all DCs. Thus, if one or more DCs are not available, users that have logged on recently are still prevented from being disabled.
This solution will not protect accounts from being disabled under all circumstances. For example:
1) DCs that are continually offline when the process runs will eventually cause the user data in the database to become out of date, and accounts will be disabled.
2) Any account that was 1 day away from being disabled would be disabled the next day if the DC that held the account's most recent LastLogon was not available. If the DC was unavailable for 2 days, then accounts 2 days away would be disabled, and so on.
The key to any automated process is to make sure all the DCs are available when the process runs. The database is only a short-term measure meant to prevent accounts from being disabled because of a network outage, a DC failure, etc. As such, it is your responsibility to put appropriate safeguards in place to prevent accounts from being disabled because a DC is not available.
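The following Python is an added illustration of the LastLogon consolidation the /db option describes; it is not the utility's own code. It replays the Company XYZ scenario with constructed data (DC names, dates and the dictionary layout are assumptions), including the stale-database failure noted in point 1 above.

```python
from datetime import datetime, timedelta

# lastLogon is a FILETIME: 100 ns ticks since 1601-01-01, 0 = never logged on
# (which is why the report above prints 1601-01-01 for such accounts).
FILETIME_EPOCH = datetime(1601, 1, 1)

def to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def consolidate(per_dc, reachable, db):
    """Effective lastLogon = newest value seen on any reachable DC or in the db.
    per_dc: {dc: {sam: filetime}}   reachable: DCs that answered this run
    db: {sam: filetime} persisted between runs and updated in place."""
    effective = dict(db)
    for dc in reachable:                      # offline DCs contribute nothing
        for sam, ft in per_dc[dc].items():
            effective[sam] = max(ft, effective.get(sam, 0))
    db.update(effective)                      # db now holds the newest value known
    return effective

def would_disable(effective, now, days):
    """Accounts /days=N selects: logged on at least once, but not within N days."""
    cutoff = now - timedelta(days=days)
    return sorted(sam for sam, ft in effective.items() if ft and from_filetime(ft) < cutoff)

def scenario():
    """Constructed data: UserA only ever logs on against SiteA's DC."""
    now = datetime(2010, 1, 13)
    per_dc = {
        "SiteA-DC": {"UserA": to_filetime(now - timedelta(days=1))},
        "SiteB-DC": {"UserA": to_filetime(now - timedelta(days=120))},
        "SiteC-DC": {"UserA": to_filetime(now - timedelta(days=150))},
    }
    db = {}
    # Run 1: all DCs reachable, db learns the recent logon, nothing selected.
    run1 = would_disable(consolidate(per_dc, set(per_dc), db), now, 90)
    # Run 2: WAN to SiteA down. Without a db only the stale SiteB/SiteC values are seen.
    partial = {"SiteB-DC", "SiteC-DC"}
    no_db = would_disable(consolidate(per_dc, partial, {}), now, 90)
    with_db = would_disable(consolidate(per_dc, partial, db), now, 90)
    # Run 3: SiteA still unreachable 91 days later; the db value itself is now stale.
    later = would_disable(consolidate(per_dc, partial, db), now + timedelta(days=91), 90)
    return run1, no_db, with_db, later
```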
Using the Disable Account Utility for HTML Reporting
Because the Disable Accounts utility can output HTML report files, you can configure the utility to run nightly on any Web Server and place its HTML reports in a folder used by a web site on the server. For example:
C:\>disableaccounts /r /u /days /ou="ou=my ou" /o=c:\inetpub\wwwroot\disabledreports\
By not specifying a file name in the output path (/o switch) an HTML file similar to the following will be created: DisabledAccounts.yyyy-mm-dd_hh_mm_ss.htm.
If you specify an exclude input file (/e switch) an additional ExcludedAccounts.yyyy-mm-dd_hh_mm_ss.htm file is created as a history of accounts that were excluded from processing.
Using the /r switch is a good way to automate nightly reports of accounts that need to be disabled while still allowing the helpdesk or security personnel to verify with users manually before disabling the accounts.
If you fully automate the disabling of accounts, the HTML reports published on a web site act as a history of the utility's activity.
Using the Disable Account Utility for CSV Reporting
If the /o switch is omitted the default is to display to the screen the results in a CSV format. However, because the Location OU may also contain commas, the format is fixed width as well.
To capture output to a file use redirection (>) to a file name.
C:\>disableaccounts /r /u /days /ou="ou=my ou" >c:\myreports\disabledaccounts.txt
Using LDAP Distinguished Names
Most characters can be used in LDAP Distinguished Names (DNs). However, some characters must be escaped with the backslash "\" escape character. Active Directory requires that the following characters be escaped when used in DNs:
, \ # + < > ; " =
Leading or trailing spaces
Examples:
CN=Lastname\, First,OU=City\, State,DC=Domain,DC=Local
CN=User\#123,OU=City\+State,DC=Domain,DC=Local
A Relative Distinguished Name (RDN) does not include the DC components of the DN. Instead it lists only the container objects, such as OUs and CN=Users.
Examples
OU=City\, State
OU=City\+State
CN=Users
OU=Test Users,OU=City State
When providing RDNs in the Exclude file (/e) and to the /ou or /tou switches, be sure to enter the proper escape sequence for special characters. When using /ou and /tou, enclose any RDN that has a space in the name in quotes.
Use Active Directory Users and Computers (ADUC) to verify the DN by adding the X500 Distinguished Name column to the search results of your domain. To verify the samAccountName, add the Logon Name (pre-Windows 2000) column as well.
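As an added example (not part of the utility), the Python below builds escaped RDNs and DNs following the Active Directory escaping rules listed above, so an Exclude file or /ou value can be generated from raw OU names. The function names and the splitting of a DNS domain into DC components are assumptions.

```python
# Characters the page says Active Directory requires to be escaped in a DN value.
DN_SPECIAL = set(',\\#+<>;"=')

def escape_dn_value(value):
    """Escape one RDN attribute value (the text after 'OU=' or 'CN=')."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')          # only leading/trailing spaces need escaping
        else:
            out.append(ch)
    return ''.join(out)

def build_rdn(components):
    """RDN as the page defines it: OUs/CNs only, most specific first, no DC parts.
    components: list of (attribute, raw_value) pairs."""
    return ','.join(f'{attr}={escape_dn_value(val)}' for attr, val in components)

def build_dn(components, dns_domain):
    """Full DN: the RDN plus one DC= component per label of the DNS domain name."""
    dcs = ','.join(f'DC={label}' for label in dns_domain.split('.'))
    return f'{build_rdn(components)},{dcs}'

def unescape_dn_value(value):
    """Inverse of escape_dn_value: a backslash protects the following character."""
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)

def exclude_file_lines(ou_names, sam_accounts):
    """Lines for an /e exclude file: one samAccountName or OU RDN per line."""
    return list(sam_accounts) + [build_rdn([('OU', name)]) for name in ou_names]
```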
Download DisableAccounts
Article ID: 242, Created On: 9/18/2011, Modified: 9/29/2011