Greg's Tech blog

Disabling Inactive Active Directory accounts

Wednesday 24 of December, 2008

We needed a method to disable inactive accounts in Active Directory. The DSQuery tool has an -inactive switch, and DSMod can disable accounts. The problem is that they are all-or-nothing affairs. We needed a way to exclude some accounts (system accounts and other special cases).

We accomplished this by adding some flag text to the description of the special accounts. The following script searches for accounts that haven't been used in 4 weeks and disables them unless their description contains the flag.

@echo off
:: FindAgingAccts - GjM - 12/22/08
:: Use as you'd like, please attribute - thanks
:: Uses MS tools to locate inactive accounts and disable them
:: Accounts with !!Do Not Disable!! in the Description will not be disabled.
Set blatbin=c:\acc
set dsbin=c:\acc\ad
set WORK_DIR=\data\dev\aging_accts
:: Number of weeks without a logon before an account counts as inactive
set INACTIVE_PERIOD=4

:: Set MODE=Prod in order to disable accounts
set MODE=Test
set SKIP_FLAG=!!Do Not Disable!!

::Cleanup previous session
del results.txt
del action.log
del inaction.log
set ActCount=0
set SkipCount=0
set count=0
copy inactive.old+inactive.txt inactive.tmp
del inactive.old
ren inactive.tmp inactive.old

::Locate old accounts
echo Starting automatic account maintenance
echo Querying inactive accounts
echo %Date% %Time% >inactive.txt
%dsbin%\dsquery user -inactive %INACTIVE_PERIOD% -limit 0  1>>inactive.txt 2>dsquery.err
if %errorlevel% NEQ 0 goto :ERR

::Count results
for /f "delims=? skip=1" %%a in (inactive.txt) do set /a count+=1 >nul
echo Inactive accounts to check: %count%

::Loop through the list of aging accounts and check their description
for /f "delims=? skip=1" %%a in (inactive.txt) do call :ChkUserStatus %%a
goto :SendReport
goto :EOF

:ChkUserStatus
:: Check description for flag that tells us not to disable
:: take action based on results
if "%~1"=="" goto :EOF
for /f "delims=: tokens=2" %%b in ('%dsbin%\dsget user %1 -desc -q -L') do (
	rem %%b contains the description from AD.  This line uses findstr to look for the FLAG in the description
	echo %%b |findstr /i /c:"%SKIP_FLAG%" >nul
	rem findstr returns errorlevel 1 if no match is found
	if errorlevel 1 (
		call :DisableAcct %1
	) ELSE (
		call :SkipAcct %1
	)
)
goto :EOF

:DisableAcct
::Disable the account
echo %Date% %Time%, Disabling User, %1 >>action.log
set /a ActCount+=1
if /i "%MODE%"=="Prod" %dsbin%\dsmod user %1 -disabled yes
goto :EOF

:SkipAcct
::Log accounts not being disabled
echo %Date% %Time%, Account flagged, skipping User %1 >>inaction.log
set /a SkipCount+=1
goto :EOF

:SendReport
echo Mode is: %MODE%
echo DisabledAccounts: %ActCount%
echo SkippedAccounts: %SkipCount%
echo DisabledAccounts: %ActCount% >>results.txt
echo SkippedAccounts: %SkipCount% >>results.txt
echo Mode is: %MODE% >>results.txt
echo See inaction.log at \\exchmonitor\c$%WORK_DIR% >>results.txt
::Note: The following must all be on a single line
%blatbin%\blat results.txt -tf recips.txt -subject "Automatic account maintenance" -attacht %WORK_DIR%\results.txt -attacht %WORK_DIR%\action.log -server exch05.my.com -f admin@my.com
goto :EOF

:ERR
echo Error retrieving inactive users
echo Error retrieving inactive users>>results.txt
goto :EOF


  • The ds* tools from Win2k3 server must be available in the path or as defined in dsbin
  • This script uses blat to send SMTP mail. If you aren't aware of it, search the web
  • You must set the MODE variable to Prod for the script to make changes to AD.
  • If you wish to use a different flag, modify the SKIP_FLAG variable
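
The same flag-based exclusion can be expressed with the ActiveDirectory PowerShell module. This is an added example, not the blog author's script; it assumes the RSAT ActiveDirectory module is installed, reuses the post's flag text and 4-week window, and the report file name is made up for illustration.

```powershell
# Added example, not the blog author's code. Assumes the ActiveDirectory
# (RSAT) module; the flag text and 4-week window are taken from the post.
Import-Module ActiveDirectory

$SkipFlag     = '!!Do Not Disable!!'   # same marker as SKIP_FLAG
$InactiveDays = 28                     # 4 weeks
$Mode         = 'Test'                 # set to 'Prod' to actually disable

# Inactivity is judged from lastLogonTimestamp, which replicates lazily and
# can lag by up to about two weeks, so very short windows are unreliable.
$inactive = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days $InactiveDays) |
    Where-Object { $_.Enabled }        # ignore accounts that are already disabled

$report = foreach ($acct in $inactive) {
    $user = Get-ADUser -Identity $acct.DistinguishedName -Properties Description

    # Literal, case-insensitive substring match; an empty description is not exempt.
    $exempt = $user.Description -and
        $user.Description.IndexOf($SkipFlag, [StringComparison]::OrdinalIgnoreCase) -ge 0

    if (-not $exempt) {
        # In Test mode -WhatIf turns this into a dry run: the change is described, not made.
        Disable-ADAccount -Identity $user -WhatIf:($Mode -ne 'Prod')
    }

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        LastLogonDate  = $acct.LastLogonDate
        Action         = if ($exempt) { 'Skipped (flagged)' } else { "Disable ($Mode)" }
    }
}

# The flag lives in a writable attribute, so the skipped list deserves the
# same review as the disabled list.
$report | Sort-Object Action, SamAccountName | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\aging_accts_report.csv   # hypothetical file name
```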