The email
From: xxx
Sent: Monday, December 22, 2008 8:04 AM
To: support@joeware.net
Cc: joe@joeware.net
Subject: Query – Inactive domain users accounts?
Hi Joe,
This is Turab from Bombay – INDIA. I am working as a System Administrator. I am looking for a tool or script which will help me to find out "inactive domain user accounts". I have windows 2003 DC servers and Exchange 2003 servers. The setup is huge. The total user force in the domain would be 22,000 plus across the domain.
I found your tool "OldCmp". I gave the following syntax:
oldcmp -report -users -b dc=rallencorp,dc=com -s subtree -llts -age 90
and got error as follows:
C:\>oldcmp -report -users -b dc=rallencorp,dc=com -s subtree -llts -age 90
OldCmp V01.05.00cpp Joe Richards (joe@joeware.net) December 2004
Processed at XYZ-DC-001.xxxx.abc.com
Default Naming Context: DC=xxxx,DC=abc,DC=com
WARN: Domain not in Windows Server 2003 Domain Mode, lastLogonTimestamp not available,
WARN: Using pwdLastSet instead.
ldap_get_next_page_s: [XYZ-DC-001.xxxx.abc.com] Error 0xa (10) – Referral
Search completed…
Creating Report File: oldcmp.20081222-181448.htm
Command completed successfully
C:\>AUTOEXEC.BAT-sh
‘AUTOEXEC.BAT-sh’ is not recognized as an internal or external command,
operable program or batch file.
C:\>
My main query is to find out list of inactive domain user accounts or the users who have not logged in last 90-days and more! Hope to have a prompt reply.
Happy Holidays!
Merry Christmas and Happy New Year!
Turab.
xxx
ps: Following is the contents of the htm report generated…
THE REPORT GENERATED BY OLDCMP UTILITY.
2008/12/22-18:14:48
Generated by OldCmp V01.05.00cpp – http://www.joeware.net
——————————————————————————–
Search Start Time 2008/12/22-18:14:48
Search Finish Time 2008/12/22-18:14:55
Host Name XYZ-DC-001.xxxx.abc.com
Directory Type Windows Server 2003
Forest DC=abc,DC=com
Forest Mode Windows 2000 Mixed Forest Mode
Domain DC=xxxx,DC=abc,DC=com
Domain Mode Windows 2000 Mixed Mode
Search Scope subtree
Search Base dc=rallencorp,dc=com
Search Filter (&(samaccounttype=805306368)(pwdLastSet<=128666474886020000))
DN Exclusions
Age (days) 90
Old Age Date 2008/09/23-18:14:48
Old Age Date (Int8) 128666474886020000
Max Age (days) 0
Max Old Age Date 0000/00/00-00:00:00
Max Old Age Date (Int8) 0
Action REPORT
Stamp accountExpires FALSE
Safety Setting 10
For Real Setting FALSE
——————————————————————————–
Color Legend
RED indicates disabled object
GREEN indicates Domain Controller
DN cn displayName sAMAccountName pwdLastSet pwage whenCreated accountExpires userAccountControl
The response
From: joe [mailto:joe@joeware.net]
Sent: Monday, December 22, 2008 11:08 AM
To: xxx
Subject: RE: Query – Inactive domain users accounts?
Well 22,000 isn’t really all that huge. That would fit nicely in the medium sized business. I would say very large starts around 250,000 or so. 🙂
So you have two main problems in the command.
The first is that you are specifying a BASE with the -b switch that doesn’t exist. rallencorp.com is the test domain of my friend and co-author, Robbie Allen. He used that as an example in several books and articles. I would just cut the -b switch out completely as oldcmp should figure out what your domain is automatically.
The second is that you are using the -llts switch and your domain is not in Windows Server 2003 domain functional mode. It is ok, the program is smart enough to figure that out and cancels out the switch for you but if you don’t want to see the error, don’t add that switch.
So now the last thing isn’t really a problem, just unneeded. The switch -age 90 is not needed because the default aging value is already 90 days. So if you just change this command to be
oldcmp -report -users
you will likely accomplish what you are looking to accomplish. ;o)
Note that there is some basic usage in the tool itself. If you type oldcmp /? you will see it.
joe
—
O’Reilly Active Directory Fourth Edition – http://www.joeware.net/win/ad4e.htm
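The report's "Old Age Date (Int8)" and "Search Filter" lines can be reproduced from the run time and the 90-day age, including the fallback to pwdLastSet described in the WARN lines. This is an added example, not part of the original emails and not OldCmp's code; the function names, the UTC+5:30 reading of the report's clock and the sub-second part of the run time are assumptions.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Int8 (FILETIME) epoch
USER_ACCOUNT_TYPE = 805306368  # samaccounttype value from the report's filter


def to_int8(moment):
    """Aware datetime -> 100-nanosecond intervals since 1601-01-01 UTC."""
    delta = moment - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def from_int8(value):
    """Int8 timestamp -> aware UTC datetime (truncated to microseconds)."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def pick_attribute(want_llts, domain_is_2003_mode):
    """Follow the WARN lines: without Windows Server 2003 domain mode there
    is no lastLogonTimestamp, so aging falls back to pwdLastSet."""
    if want_llts and domain_is_2003_mode:
        return "lastLogonTimestamp"
    return "pwdLastSet"


def stale_user_filter(run_time, age_days, attribute):
    """Filter in the shape the report shows, plus the cutoff it embeds."""
    cutoff = to_int8(run_time - timedelta(days=age_days))
    return f"(&(samaccounttype={USER_ACCOUNT_TYPE})({attribute}<={cutoff}))", cutoff


# Constructed input: the report's start time, read as UTC+5:30 (assumption),
# with the .602 s fraction that the report's Int8 value carries.
IST = timezone(timedelta(hours=5, minutes=30))
RUN_TIME = datetime(2008, 12, 22, 18, 14, 48, 602000, tzinfo=IST)

if __name__ == "__main__":
    attr = pick_attribute(want_llts=True, domain_is_2003_mode=False)
    ldap_filter, cutoff = stale_user_filter(RUN_TIME, 90, attr)
    print(ldap_filter)
    print(from_int8(cutoff).astimezone(IST))
```

With the pwdLastSet fallback the filter matches accounts whose password is older than the cutoff, which is not the same as accounts that have not logged on in that period.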
Man, the number of times I need to correct ppl from using “dc=rallencorp,dc=com” as their search base in a given week… 🙂
I have actually thought about putting in a code branch for someone who enters that value and maybe respond with an error message.
I suspect dc=contoso,dc=com might also have cropped up here and there too.
Why not just buy rallencorp.com and put up an open domain controller with Everyone\Full Control?