Disabling Inactive Users - Not sure if this is the right forum
I was just wondering what people are doing to disable user accounts in AD that haven't been used for a given period (say 90 days). We currently use the output of a dsquery command to get "inactive" users from our main user OU, and disable those that are inactive for 13 weeks. Works like a charm, but not w/o some problems. The main one seems to be that logging into OWA is not enough to reset whatever parameter dsquery user -inactive uses; so a remote user who just uses OWA can log in to check mail every day, but if they don't actually log in to the network, then after 90 days their account will be disabled.

Solutions we're considering:

- Changing the parameter to the lastLogon or lastLogonTimeStamp for the user account. I can script around the inherent issues with these (lastLogon isn't a replicated field, lastLogonTimeStamp is only replicated every 14 days, etc.), but I still need to test to see if this has the same issue that the dsquery search has with OWA.
- Changing the parameter to the date the password was last changed. Not sure about this one; I need to research how OWA people are currently changing their passwords, and at what time interval we're talking about. Anyone use this one?
- Putting OWA users in a separate OU, outside of the process. This would work, but I'd have a couple of issues with it; namely, they'd be outside of the security process, so how do we deal with inactive OWA-only users, and how do we identify OWA users?

I'm certainly open to suggestions you guys might have, as well!

Eric
August 18th, 2008 8:20pm

Hello,

From the description, some remote users have logged into OWA in the last 90 days. However, the INACTIVE query still lists the user and considers it not logged in for the last 90 days. In a Windows Server 2003 domain functional level domain, the INACTIVE query reads the value stored in the user's "lastLogonTimeStamp" attribute and compares it to the current system time. However, some logon attempts might not update lastLogonTimeStamp, such as users logging on to IIS or OWA via extranet. To achieve the goal, you may refer to the following workaround.

1. You may run a test to verify whether lastLogon is updated when a user accesses OWA. Though it is not replicated between domain controllers in a domain, we can still count on scripts to get the user's last logon time on the authenticating DC by comparing the lastLogon attribute on all DCs in the domain (taking the latest time).

2. Regarding your considered solutions 2 and 3, what about a combination of them?
- Have separate OUs for normal users (interactive logons) and OWA-only users.
- For normal users, perform the INACTIVE query to detect stale accounts.
- For OWA-only users, just wait for the password to expire, then query the user accounts that have an expired password. In a Windows Server 2008 domain, you can count on Fine-Grained Password Policy to define a specific password expiration interval (in the password policy) for OWA-only users to fulfill the management policy.

For your reference:
How the Data Store Works ---> Stale Account Detection
http://technet2.microsoft.com/windowsserver/en/library/54094485-71f6-4be8-8ebf-faa45bc5db4c1033.mspx
Last-Logon-Timestamp Attribute
http://msdn.microsoft.com/en-us/library/ms676824.aspx
ms-DS-Logon-Time-Sync-Interval Attribute
http://msdn.microsoft.com/en-us/library/ms677437(VS.85).aspx

If you have any questions or concerns, please do not hesitate to let me know.
August 20th, 2008 12:51pm

Definitely some good reading there. Now I'm being asked the same thing about computer accounts. I find that some information I read indicates that -inactive is based upon communication with the DC for the computer account, and some info points to this only happening when a user logs into the machine. I'm wondering if I should switch to using the date the computer account's pw changes for that as well. I'm going to go ahead and mark this answered, because you've definitely given me a better handle on the whole process. Thanks! Eric
August 22nd, 2008 10:57pm

Hi, thanks for such a great article. I want to deploy a group policy which will help me to find users inactive for 30 days and disable their accounts. If anyone can help me with a script or any document! Thanks.
August 28th, 2009 5:11pm
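The two-part workaround from the August 20th reply (take the newest lastLogon across every DC for interactive users; use password expiry for an OWA-only OU), which is also the "find users inactive for 30 days and disable them" script asked for above, as an added PowerShell example. It is not code from the thread; it assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later), which postdates the dsquery approach discussed, and the OU distinguished names and the 30-day threshold are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory PowerShell module
# (RSAT / Windows Server 2008 R2+). OU names and the 30-day threshold are placeholders.
# Run with -WhatIf first; nothing is disabled until you drop it.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$UserOU       = 'OU=Users,DC=example,DC=com',      # assumed: interactive users
    [string]$OwaOnlyOU    = 'OU=OWA Users,DC=example,DC=com',  # assumed: OWA-only users
    [int]   $InactiveDays = 30
)

Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# --- Part 1: interactive users, judged by the newest logon seen on ANY DC -----------
# lastLogon is written only on the DC that authenticated the user and is never
# replicated, so reading one DC can miss a recent logon. lastLogonTimestamp (exposed
# by the module as LastLogonDate) is replicated but is only refreshed when it is
# older than ms-DS-Logon-Time-Sync-Interval (14 days by default), so it can lag.
# Take the newer of the two, from every DC, and keep the maximum per account.
$dcs         = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$newestLogon = @{}      # samAccountName -> most recent logon observed anywhere
$unreachable = @()
foreach ($dc in $dcs) {
    try {
        $users = Get-ADUser -Server $dc -SearchBase $UserOU -Filter 'Enabled -eq $true' `
                            -Properties lastLogon, LastLogonDate, whenCreated -ErrorAction Stop
    } catch {
        $unreachable += $dc
        continue
    }
    foreach ($u in $users) {
        # lastLogon is a FILETIME (0 = never logged on). An account that has never
        # logged on is measured from whenCreated, so a freshly provisioned account
        # is not disabled on the day it is created, but an unused one still ages out.
        $seen = if ($u.lastLogon) { [DateTime]::FromFileTime($u.lastLogon) } else { $u.whenCreated }
        if ($u.LastLogonDate -and $u.LastLogonDate -gt $seen) { $seen = $u.LastLogonDate }
        $key = $u.SamAccountName
        if (-not $newestLogon.ContainsKey($key) -or $seen -gt $newestLogon[$key]) {
            $newestLogon[$key] = $seen
        }
    }
}

if ($unreachable) {
    # The only copy of a user's latest lastLogon may sit on the DC we could not reach,
    # so a "stale" verdict on incomplete data could disable an active user. Fail closed.
    Write-Error "Could not query $($unreachable -join ', '); skipping the interactive-user check."
} else {
    $stale = $newestLogon.GetEnumerator() | Where-Object { $_.Value -lt $cutoff }
    foreach ($entry in $stale) {
        if ($PSCmdlet.ShouldProcess($entry.Key, "Disable (last logon $($entry.Value))")) {
            Disable-ADAccount -Identity $entry.Key
        }
    }
}

# --- Part 2: OWA-only users, judged by password expiry -------------------------------
# OWA/IIS logons do not refresh lastLogonTimestamp, so for this OU the reply's
# alternative is used: an account whose password is still expired has not completed
# a logon (and the forced password change) since it expired. Search-ADAccount asks
# the DC which passwords are expired, so a Fine-Grained Password Policy applied to
# these users (Server 2008 domain functional level) shortens the interval for them
# without any change to this script.
$expired = Search-ADAccount -PasswordExpired -UsersOnly -SearchBase $OwaOnlyOU |
           Where-Object { $_.Enabled }
foreach ($acct in $expired) {
    if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Disable (password expired)')) {
        Disable-ADAccount -Identity $acct
    }
}
```

Run it as `.\Disable-StaleUsers.ps1 -InactiveDays 30 -WhatIf` to see who would be disabled and why before letting it act. Two caveats: the script only knows about logons that reach a domain controller, so any other authentication path that bypasses lastLogon (the OWA case in this thread) needs its own signal, which is why the OWA-only OU is handled separately; and it deliberately does nothing for interactive users when a DC cannot be reached, because a missing DC means missing lastLogon data. For the computer-account question in the follow-up, the same pattern applies with `-ComputersOnly` and `PasswordLastSet`, since a domain-joined machine rotates its own account password (every 30 days by default) whether or not anyone logs on to it.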
