As mentioned by others you need to define what is inactive. Some folks will
simply say if an account has a password expired more than x days is
inactive, for others that may not be optimal. Some folks say if the account
hasn't been logged into in more than X days is inactive. If you have
Exchange m
cated? Since disabling the account would only affect the ability to
authenticate (not including any external logic or process built on accountstatus), I'm curious what other ways you would show account inactivity if notby lastlogon or lastlogontimestamp?Thanks,
Jef___________
Ahhh...I thought you were aluding to some magical attribute in the 3rd dimension I did not know about in the Directory. :)
Yes, I agree, Process and policy needs to govern activity not just what the directory reports. :)
Thanks,
Jef
> Subject: RE: [ActiveDir] automatic account disa
m: [EMAIL PROTECTED] on behalf of Jef Kazimer
Sent: Wed 4/19/2006 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] automatic account disable
I'm curious, how would you show activitity other than the last time the user
authenticated? Since disabling the account would only affect
ow account inactivity if not by lastlogon or lastlogontimestamp?
Thanks,
Jef
> Subject: RE: [ActiveDir] automatic account disable> Date: Wed, 19 Apr 2006 14:25:24 -0700> From: [EMAIL PROTECTED]> To: ActiveDir@mail.activedir.org> > Still, there is nothing "automatic"
about
Yesterday? -anon
From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Wed 4/19/2006 1:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] automatic account disable
LOL. You're right, it is often advisable to disable first. I got caught up
in the moment ;)
Myke, there wa
TECTED]] On Behalf Of Al MulnickSent: 19 April 2006 15:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] automatic account disable
It's possible. What's your criteria?
DSQUERY, DSMOD are two tools that are touted as being able to do this pretty easily. Joeware to
Myke,
You could write a script to do such a thing I suppose. Something to the effect of if lastLogonTimeStamp value is greater than 180 days, disable account kind of thing.
We utilize MIIS in house for this and for SOX deactivations, but it is certainly something you could write a script or
2006 15:52To:
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] automatic
account disable
It's possible. What's your criteria?
DSQUERY, DSMOD are two tools that are touted as being able to do this
pretty easily. Joeware tools are better (http://www.joeware.net ) for this task IMHO
What criteria are you using to determine that a user is inactive?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myke
Sent: Wednesday, April 19, 2006 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] automatic account disable
hi guys,
it's
Third-party.
Sincerely,
_
(, / | /) /) /)
/---| (/_ __ ___// _ // _
) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
Microsoft MVP - Directory
one of the tools that could help you with that is OLDCMP from Joeware.net. But
first you need to define for your own what the defintion is of "period of
inactivity and how long".
Search the archives as previous threads are available that also mention the
deprovisioning of accounts.
cheers,
j
It's possible. What's your criteria?
DSQUERY, DSMOD are two tools that are touted as being able to do this pretty easily. Joeware tools are better (http://www.joeware.net ) for this task IMHO. Scripts, etc can also be used successfully.
Al
On 4/19/06, Myke <[EMAIL PROTECTED]> wrote:
hi gu
13 matches
Mail list logo