Tuesday, December 18, 2007

How to Generate a Dormant User ID Report for Windows?

Windows Active Directory Dormant ID Review

As a security administrator, you may share the experience that we should do a dormant ID review every month, both to maintain our systems and to ensure that they are clean of dormant IDs, as recommended by IT auditors.

Usually, I generate the report with DumpSec, which produces a Windows user ID report (truelastlogon), and review whether any user ID has not logged in for 90 days (based on company policy) or more.

How can we easily review this if we have thousands of user IDs and several companies separated by organizational unit (OU)?
For this reason, I have cloned the DumpSec function (Dump Users as Table) in a Visual Basic script (VBS) that accesses Windows Active Directory through ADSI and exports the result to a tab-delimited text file.

The advantages:

  1. With this script you can generate a user list based on the OU that you have specified.
  2. If you have a limited network connection between the primary domain controller and the backup domain controllers, and you also have many backup domain controllers, this script generates the report faster than DumpSec, because it collects information from the specific domain controller names that you specify in the configuration header within the script.

How do you use this script?
Please read the script header for more information.

Download script:
http://aarreessuu.googlepages.com/dormant-id-review.vbs
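
The true-last-logon review described above, as an added example in Python; it is not the downloadable VBS script or code from its author. It assumes the `lastLogon` values have already been collected from each listed domain controller, and the DC names, accounts, and helper names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DORMANT_DAYS = 90  # threshold from the post (company policy)

def filetime_to_dt(ft):
    """AD lastLogon is 100 ns ticks since 1601-01-01 UTC; 0 means never."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def dormant_report(per_dc, now, days=DORMANT_DAYS):
    """per_dc maps DC name -> {sAMAccountName: lastLogon ticks}.
    Returns (account, true_last_logon_or_None, status) rows sorted by account."""
    rows = []
    for acct in sorted({a for users in per_dc.values() for a in users}):
        # lastLogon is not replicated between DCs, so the true last logon
        # is the newest value seen on any of the queried DCs.
        last = filetime_to_dt(max(u.get(acct, 0) for u in per_dc.values()))
        if last is None:
            status = "NEVER_LOGGED_ON"
        elif now - last >= timedelta(days=days):  # assumption: exactly 90 days counts
            status = "DORMANT"
        else:
            status = "ACTIVE"
        rows.append((acct, last, status))
    return rows

def to_tsv(rows):
    """Tab-delimited text, the export format the post describes."""
    out = ["UserName\tTrueLastLogon\tStatus"]
    for acct, last, status in rows:
        stamp = last.strftime("%Y-%m-%d %H:%M") if last else "Never"
        out.append(f"{acct}\t{stamp}\t{status}")
    return "\n".join(out)

# Constructed sample: hypothetical DC names and accounts, not real data.
NOW = datetime(2007, 12, 18, tzinfo=timezone.utc)
def days_ago(n):
    return dt_to_filetime(NOW - timedelta(days=n))
SAMPLE = {
    "dc1": {"alice": days_ago(200), "bob": days_ago(120), "carol": 0},
    "dc2": {"alice": days_ago(3), "bob": 0, "carol": 0},
}

if __name__ == "__main__":
    print(to_tsv(dormant_report(SAMPLE, NOW)))
```

In the sample, `alice` looks dormant if only `dc1` is consulted but is active once `dc2` is included, which is why the list of domain controllers queried has to cover every DC the users in the OU can authenticate against.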

2 comments:

Unknown said...

Hi, your VBS is fantastic..., congratulations. But, I think the reconciliation doesn't work correctly! :(
I tried to enable the line "'adoCommand.Properties("Sort On") = "sAMAccountName"" but it didn't work. Can you help me?! :D

4Rider said...

great script.....and a question from a VBS newbie:
what is the correct variable format for:
arrstrDCs="domaincontroller-servername1|domaincontroller-servername2"
strDNSDomain = "OU=Users and Groups,DC=your-subdomain,DC=your-topdomain"

I tried using actual DC names in lieu of "domaincontroller-servername1|domaincontroller-servername2"
and got message "Domain Controller not available: actual DC name"
I also get the error: "(240, 2) Microsoft VBScript runtime error: Bad file name or number"

Thanks for your help,

Victor