This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Inactive user accounts?

Go to solution
bdowell
Engaged Sweeper

‎08-07-2013 08:50 PM

I'd like to be able to pull a report showing inactive Windows domain users (inactive longer than 90 days) Is this possible?
Labels:
0 Kudos
1 ACCEPTED SOLUTION
Go to solution
Hemoco
Lansweeper Alumni

‎08-09-2013 06:26 PM

You can try the report below to list users:
- For whom no logon events have been detected.
- For whom the most recently detected logon occurred more than 90 days ago.
Select Top 1000000 tblADusers.Username,
tblADusers.Userdomain,
SubQuery1.Lastlogon
From tblADusers
Left Join (Select Top 1000000 tblCPlogoninfo.Username,
tblCPlogoninfo.Domain As Userdomain,
Max(tblCPlogoninfo.logontime) As Lastlogon
From tblCPlogoninfo
Group By tblCPlogoninfo.Username,
tblCPlogoninfo.Domain) SubQuery1 On SubQuery1.Username = tblADusers.Username
And SubQuery1.Userdomain = tblADusers.Userdomain
Where (SubQuery1.Lastlogon Is Null) Or
(SubQuery1.Lastlogon < GetDate() - 90)
Order By tblADusers.Userdomain,
tblADusers.Username

View solution in original post

12 REPLIES 12
Go to solution
bdowell
Engaged Sweeper

‎04-11-2014 10:38 PM

Back to looking at this again and thinking to ask is there no way to hide/deactivate users like can be done on assets? If I could do that, I think I'd be good for what I was looking for since it would seem to stop showing me information about the hidden/deactivated users.
0 Kudos
Go to solution
Hemoco
Lansweeper Alumni
In response to bdowell

‎04-18-2014 01:15 PM

bdowell wrote:
Back to looking at this again and thinking to ask is there no way to hide/deactivate users like can be done on assets? If I could do that, I think I'd be good for what I was looking for since it would seem to stop showing me information about the hidden/deactivated users.

You can't hide deactivated users. You can only delete them from your database with the cleanup options found in the Lansweeper web console under Configuration/Scanning Setup/Server Options. Cleanups are performed when the Lansweeper service is started and subsequently every 24 hours.
Go to solution
AdmJLovejoy
Champion Sweeper

‎04-05-2014 04:06 AM

I've had to use Exporter Pro along side of Lansweeper to scan AD where Lansweeper lacks in capability. You can pretty much pull any data that exists in the directory. User/Computer/OU/Sites/Site Links/Subnets,..etc... I setup a SQL job to run a script that kicks off Exporter Pro, and pull the results into a table to use in Lansweeper reports.

Until Lansweeper can grab more AD data, I know of no easier way to achieve this.

http://systemtools.com/exporter/index.html
Thanks, Jim Lovejoy __________________________________________________________________________________________________ James W. Lovejoy | IBM - Cloud Managed Services Delivery | Infrastructure Architect (Windows Server ...
0 Kudos
Go to solution
bdowell
Engaged Sweeper

‎03-28-2014 04:45 PM

Just realized that I have one more related question - is there a way to get a report that shows users that haven't changed password in some variable period of time? For example, can I get a report that shows users that haven't changed passwords in >= 60 days? (or 90, or whatever other period I need to check against)
0 Kudos
Go to solution
Hemoco
Lansweeper Alumni
In response to bdowell

‎03-28-2014 06:05 PM

bdowell wrote:
Just realized that I have one more related question - is there a way to get a report that shows users that haven't changed password in some variable period of time? For example, can I get a report that shows users that haven't changed passwords in >= 60 days? (or 90, or whatever other period I need to check against)

No, this is not possible unfortunately, as this information isn't scanned.
Go to solution
Hemoco
Lansweeper Alumni

‎03-27-2014 02:44 PM

Disabled domain accounts aren't actually scanned at the moment, so it wouldn't make sense to store the account status in the database. A disabled domain account can only be present in your database if it was enabled at some point. If you submit a new OU for Domain User Scanning and that OU contains users that are disabled, those users will not be scanned.

Scanning disabled domain accounts and storing the account status are features currently on our customer wish list, but we do not have a release date for them.
Go to solution
bdowell
Engaged Sweeper
In response to Hemoco

‎03-27-2014 04:19 PM

Lansweeper wrote:
Disabled domain accounts aren't actually scanned at the moment, so it wouldn't make sense to store the account status in the database. A disabled domain account can only be present in your database if it was enabled at some point. If you submit a new OU for Domain User Scanning and that OU contains users that are disabled, those users will not be scanned.

Scanning disabled domain accounts and storing the account status are features currently on our customer wish list, but we do not have a release date for them.

Thanks for the additional clarification.

Unfortunately for me, the accounts that are showing up as inactive were previously active and thus were previously scanned.

Our SOP calls for disabling rather than deleting old user accounts (which is fairly typical SOP, since deleting users deletes their previously granted access to storage locations, etc., while disabling them doesn't do that, so they can be brought back if an employee comes back, or they can be easily examined to determine groups they were members of so others can added to the same group, or they can be cloned, etc....) so we will likely always wind up with disabled users being created from previously enabled users.

We could delete the users (and break SOP) or we could instead just ignore the report which we'd rather not do. For now it seems we will need to manually filter the report.


On a related note, when we automate reports like this one and automatically mail them to appropriate parties, it looks like the reports are all or nothing in terms of mailing on a scheduled basis. It would be nice if we could send different reports on different schedules which would make this report a bit more useful or at least less annoying in its deficiencies 😉
0 Kudos
Go to solution
Hemoco
Lansweeper Alumni
In response to bdowell

‎03-28-2014 06:04 PM

bdowell wrote:
It would be nice if we could send different reports on different schedules

This feature is on our customer wish list, but we do not currently have a release date for it unfortunately.
Go to solution
Hemoco
Lansweeper Alumni

‎03-26-2014 05:58 PM

Lansweeper does not store an AD user's status (enabled/disabled) in the database, so you cannot include this information in your reports.

Reports & Analytics

Ask about reports you're interested in and share reports you've created. Subscribe to receive daily updates of reports shared in the Community.

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now
Top