AD Users Disabled Date

  • Question

  • I have around 200 disconnected AD users from their mailboxes. I want to delete these mailbox-disconnected AD user accounts which are older than one year. I checked the Object tab of these disabled/disconnected users in AD and they all show different dates.

    Is there a way/script that I can use to export a list of these disabled/disconnected AD users which have been disabled for more than a year?

    Thanks!

    Tuesday, October 30, 2012 2:10 PM

Answers

  • The date on the Object tab of ADUC corresponds to the whenChanged attribute. This is the date/time when the last change was made to the object. This is probably the date when the account was disabled, assuming that no other changes have been made since then. You can use dsquery at the command line of a domain controller to retrieve the distinguished names of all disabled user objects with whenChanged before any specified date. For example (this is one line, so watch line wrapping):

    dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(whenChanged<=20111030000000.0Z))"

    -----

    The date is in the format YYYYMMDDhhmmss.0Z. Maybe someone else can address disconnected mailboxes. I don't know how to check for that.


    Richard Mueller - MVP Directory Services



    • Proposed as answer by Awinish Tuesday, October 30, 2012 2:57 PM
    • Edited by Richard Mueller MVP Tuesday, October 30, 2012 3:00 PM fixed date to one year ago
    • Marked as answer by pbbergs [MSFT] Thursday, November 1, 2012 11:51 AM
    Tuesday, October 30, 2012 2:44 PM
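
The same query as an export script, added here as an example and not part of the original answer: it computes the one-year cutoff in the YYYYMMDDhhmmss.0Z format, reuses the answer's LDAP filter, and writes the matches to CSV. The output path is a hypothetical placeholder, and the script assumes PowerShell 3.0 or later on a domain-joined machine.

```powershell
# Added example, not from the thread. Run as a user who can read the directory.
# Hypothetical output path; change as needed.
$OutFile = 'C:\Temp\disabled-over-1-year.csv'

# Cutoff one year back, in the generalized-time form the filter expects:
# YYYYMMDDhhmmss.0Z (UTC).
$cutoff = (Get-Date).ToUniversalTime().AddYears(-1).ToString('yyyyMMddHHmmss') + '.0Z'

# Same filter as the dsquery command in the answer. 1.2.840.113556.1.4.803 is the
# bitwise-AND matching rule; value 2 in userAccountControl is ACCOUNTDISABLE.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=2)" +
          "(whenChanged<=$cutoff))"

$searcher = [adsisearcher]$filter
$searcher.PageSize = 1000   # paged search, so every match is returned
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]@('distinguishedName', 'sAMAccountName', 'whenChanged'))

# DirectorySearcher returns property names in lower case and whenChanged
# as a UTC DateTime.
$rows = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        SamAccountName    = [string]$r.Properties['samaccountname'][0]
        DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        WhenChangedUtc    = ([datetime]$r.Properties['whenchanged'][0]).ToString('u')
    }
}

# Export a review list; nothing is modified or deleted by this script.
$rows | Sort-Object WhenChangedUtc | Export-Csv -Path $OutFile -NoTypeInformation
"{0} disabled accounts with whenChanged on or before {1}" -f @($rows).Count, $cutoff
```

dsquery returns at most 100 objects unless -limit is given (-limit 0 removes the cap), which matters with around 200 accounts; the paged search above has no such cap. whenChanged is stamped by the domain controller that answers the query and moves on any change to the object, so treat the CSV as a list to review before deleting anything.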
  • How to find inactive and disabled users in AD
    http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/186b3736-6549-4ebc-bf1b-14884c2c95a9

    Dsquery command to find inactive domain users
    http://social.technet.microsoft.com/Forums/nl/winserverDS/thread/e64b0946-ac72-42df-bf83-ea0555b726bc

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Marked as answer by Andy Qi Thursday, November 8, 2012 11:05 AM
    Tuesday, October 30, 2012 2:45 PM
  • Hi,

    I agree with the others; they have provided the right suggestions to your question. We could refer to the thread they provided to query the disabled users. In addition, we could refer to the following article for detailed information about Dsquery.

    Dsquery user

    http://technet.microsoft.com/en-us/library/cc725702(v=ws.10).aspx

    Best Regards,

    Andy Qi

    TechNet Subscriber Support


    • Marked as answer by Andy Qi Thursday, November 8, 2012 11:05 AM
    Thursday, November 1, 2012 5:58 AM
