There are a lot of good products out there, but I've always preferred to script this type of automation so that I can remain flexible. This cleanup aspect is becoming an increasingly big part of identity lifecycle management products like Microsoft MIIS/ILM, which can tie into Active Directory and completely automate the entire process for you, if you aren't afraid of writing a little VB or C# code. Jamie Nelson | Infrastructure Consultant | BI&T Operations | Devon Energy | Work: 405.552.8054 | http://www.dvn.com -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of jfvanmeter@xxxxxxxxxxx Sent: Wednesday, June 25, 2008 3:03 AM To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Finding active users The problem I've always had with finding active or enactive user accounts are: 1. Mac users that use Outlook for email, they have a valid user account, but they may never login, they only authinicated for the purpose of accessing there mailbox. 2. Service accounts There are alot of scripts you can write/download to query a DC for user information. http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx?mfr=t rue that is only one site, google can really be your friend. I've never had a large budget so I've always had to do things on a shoe string. I'm currently covering most of my vbscripts to powershell or hta. The one thing that has helped me the most is to document any special accounts so when someone goes looking for inactive accounts they don't delete hundreds of Mac users or all of my service accounts. Take Care and Have Fun --John -------------- Original message ---------------------- From: "Ray Lewis" <ray@xxxxxxxxxxxxxxx> > Been down this road and tried a few different products myself. The > only one I found that didn't give me erroneous information was AD Janitor by Specops. > http://www.specopssoft.com/products/adjanitor/ > > > > > > _____ > > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] > On Behalf Of Mike Johnston > Sent: 25 June 2008 03:29 > To: gptalk@xxxxxxxxxxxxx > Subject: [gptalk] Finding active users > > > > Howdy all... Our domain has kind of gotten out of control with users > coming and going and I'd like to get control of it. What is the best > way to build a list of current active users on my Windows 2003 domain? > We have many that haven't logged in for over 6 months so there > accounts are sitting and waiting for a password change. Is there a > way (or a script) that print out last long on or which accounts are > waiting for a password change? We don't expire our accounts, just the password. Any help would be great! > Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system. *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************