-
Introduction
-
Requirements
-
Installation
-
Licensing and Registration
-
Using Inactive Computers
-
Scanning Active Directory for Inactive Computers
-
Managing Inactive Computers
-
Command Line Options
-
Working with Multiple
Domains
-
Inactive Users for AD vs.
Inactive Users 2003
Inactive Users for Active Directory is
Information Security Software that will scan Active Directory for inactive user
accounts, then move or disable them.
- Search Active Directory by name
and/or container
- Specify the number of days
inactive
- All domain controllers are
scanned for Last Logon Date
- Users that have never logged
on are also identified
- Easy to automate using
command line parameters
- Windows®
XP or Server 2000/2003 is required on the
system where Inactive
Users for Active Directory
is executed
- Microsoft®
Directory
Services is required. All user accounts must be a
member of the same Active Directory Domain.
- Account Operator rights to Active Directory is required.
Copy the executable (INACTIVE-USERS.EXE) to a dedicated folder on your
computer and launch it.
Inactive Users for Active Directory (product) is licensed per
Systems Administrator. Please review the End User License Agreement
for
details.
To register Inactive Users for Active Directory, copy the
registration file sent to you by
Absolute Dynamics to the same folder as INACTIVE-USERS.EXE. When the
executable is launched, the product will automatically be registered.
Absolute Dynamics provides the following benefits to our
customers:
- E-mail support
- Elimination trial version
limitation
- Additional licenses can be purchased at anytime
- Input into the future design all Absolute Dynamics products
- Free upgrades for the first year
Inactive Users for Active Directory is
very powerful. USE WITH CAUTION!
Disabling users accounts will break domain logons.
Usage Tip: Use this utility
to move and disable inactive users to an empty container, then use Active Directory Users and
Computers to delete the user accounts at a later date.
By default, Inactive Users for
Active Directory will search all users from the root of the current domain
that you are logged on.
Search Filter: You
can specify a user name (samAccountName) search filter in the first field
above. If you enter A, all usernames beginning
with the letter A will be scanned. If you enter *A,
all usernames containing the letter A will be
scanned. By default all usernames are scanned.
Start Path: You
can also change the start path of the search by selecting a
container from the list. The selected container and
all sub-containers will be scanned for inactive users.
Days Inactive: Enter
the number of days the user has been inactive. Each
domain controller is scanned to determine the last logon
date. The last logon date is used to calculate the
number of days since the last successful authentication.
Once you've
found the list inactive users based on your search criteria. You're
presented with the following options: (click the graphic below to enlarge)
Remove from List: The
selected user will be removed from the list. It is
not removed from Active Directory, just the list of
users you are working with. It's important to
carefully review the list and remove users that you
don't want processed.
Open CSV:
Opens a CSV file containing the information in the list.
Move: Prompts
for a destination container. Moves all of the
users in the list to the destination container.
Disable: Disables
all of the user accounts in the list.
Enable:
Enables all
of the user accounts in the list.
Once an action is
taken to Move, Disable or Enable, a status bar will
keep you updated with the progress. Once completed, a
HTML report is displayed with the results.
Inactive Users for Active Directory
supports command line options and can be automated using a
Task Scheduler.
Inactive Users for Active
Directory uses your existing
credentials when searching, modifying or administering
Active Directory user objects. To access other domains on
your network, right click INACTIVE-USERS.EXE and perform a RunAs command against the
executable, then specify the proper domain credentials.
Inactive Users for Active
Directory was the original release and was written for a
Windows 2000 Active Directory environment. It uses the lastLogon attribute
to calculate the number of days inactive. This attribute is replicated
across domain controllers. Therefore, each domain controller is scanned and the
latest logon date is obtained to get the true last logon.
Inactive Users 2003 was written specifically for Active
Directory running at a functional level of Windows 2003
(i.e. all domain controllers are running Windows 2003). Microsoft created a new
attribute in this version of the Active Directory schema named lastLogonTimestamp.
This attribute is replicated across domain controllers, therefore, only one
has to be scanned. This design allows Inactive Users 2003 to run much faster.
Another important difference is that since
lastLogonTimestamp is replicated, special safeguards needed to be put in place
so that users that logged in repeatedly over a short period of time did not
cause unnecessary replication traffic. For this reason, the lastLogonTimestamp
is updated only if the last update occurred a week or more ago. This means that
the lastLogonTimestamp attribute could be up to a week off in terms of accuracy
with a user's actual last logon. Ultimately, this shouldn't be a problem for
most situations because lastLogonTimestamp is intended to address the common
problem where administrators want to run a query and determine which users have
not logged in over the past 30 days or more. However, because of this you may
see variations in the results of each version.
Back to Top
|
