→ Having trouble accessing our new support portal or creating a ticket? Please notify our team here

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
bdowell
Engaged Sweeper
I'd like to be able to pull a report showing inactive Windows domain users (inactive longer than 90 days) Is this possible?
1 ACCEPTED SOLUTION
Hemoco
Lansweeper Alumni
You can try the report below to list users:
- For whom no logon events have been detected.
- For whom the most recently detected logon occurred more than 90 days ago.
Select Top 1000000 tblADusers.Username,
tblADusers.Userdomain,
SubQuery1.Lastlogon
From tblADusers
Left Join (Select Top 1000000 tblCPlogoninfo.Username,
tblCPlogoninfo.Domain As Userdomain,
Max(tblCPlogoninfo.logontime) As Lastlogon
From tblCPlogoninfo
Group By tblCPlogoninfo.Username,
tblCPlogoninfo.Domain) SubQuery1 On SubQuery1.Username = tblADusers.Username
And SubQuery1.Userdomain = tblADusers.Userdomain
Where (SubQuery1.Lastlogon Is Null) Or
(SubQuery1.Lastlogon < GetDate() - 90)
Order By tblADusers.Userdomain,
tblADusers.Username

View solution in original post

12 REPLIES 12
bdowell
Engaged Sweeper
Back to looking at this again and thinking to ask is there no way to hide/deactivate users like can be done on assets? If I could do that, I think I'd be good for what I was looking for since it would seem to stop showing me information about the hidden/deactivated users.
Hemoco
Lansweeper Alumni
bdowell wrote:
Back to looking at this again and thinking to ask is there no way to hide/deactivate users like can be done on assets? If I could do that, I think I'd be good for what I was looking for since it would seem to stop showing me information about the hidden/deactivated users.

You can't hide deactivated users. You can only delete them from your database with the cleanup options found in the Lansweeper web console under Configuration/Scanning Setup/Server Options. Cleanups are performed when the Lansweeper service is started and subsequently every 24 hours.
AdmJLovejoy
Champion Sweeper
I've had to use Exporter Pro along side of Lansweeper to scan AD where Lansweeper lacks in capability. You can pretty much pull any data that exists in the directory. User/Computer/OU/Sites/Site Links/Subnets,..etc... I setup a SQL job to run a script that kicks off Exporter Pro, and pull the results into a table to use in Lansweeper reports.

Until Lansweeper can grab more AD data, I know of no easier way to achieve this.

http://systemtools.com/exporter/index.html
Thanks, Jim Lovejoy __________________________________________________________________________________________________ James W. Lovejoy | IBM - Cloud Managed Services Delivery | Infrastructure Architect (Windows Server ...
bdowell
Engaged Sweeper
Just realized that I have one more related question - is there a way to get a report that shows users that haven't changed password in some variable period of time? For example, can I get a report that shows users that haven't changed passwords in >= 60 days? (or 90, or whatever other period I need to check against)
Hemoco
Lansweeper Alumni
bdowell wrote:
Just realized that I have one more related question - is there a way to get a report that shows users that haven't changed password in some variable period of time? For example, can I get a report that shows users that haven't changed passwords in >= 60 days? (or 90, or whatever other period I need to check against)

No, this is not possible unfortunately, as this information isn't scanned.
Hemoco
Lansweeper Alumni
Disabled domain accounts aren't actually scanned at the moment, so it wouldn't make sense to store the account status in the database. A disabled domain account can only be present in your database if it was enabled at some point. If you submit a new OU for Domain User Scanning and that OU contains users that are disabled, those users will not be scanned.

Scanning disabled domain accounts and storing the account status are features currently on our customer wish list, but we do not have a release date for them.
bdowell
Engaged Sweeper
Lansweeper wrote:
Disabled domain accounts aren't actually scanned at the moment, so it wouldn't make sense to store the account status in the database. A disabled domain account can only be present in your database if it was enabled at some point. If you submit a new OU for Domain User Scanning and that OU contains users that are disabled, those users will not be scanned.

Scanning disabled domain accounts and storing the account status are features currently on our customer wish list, but we do not have a release date for them.

Thanks for the additional clarification.

Unfortunately for me, the accounts that are showing up as inactive were previously active and thus were previously scanned.

Our SOP calls for disabling rather than deleting old user accounts (which is fairly typical SOP, since deleting users deletes their previously granted access to storage locations, etc., while disabling them doesn't do that, so they can be brought back if an employee comes back, or they can be easily examined to determine groups they were members of so others can added to the same group, or they can be cloned, etc....) so we will likely always wind up with disabled users being created from previously enabled users.

We could delete the users (and break SOP) or we could instead just ignore the report which we'd rather not do. For now it seems we will need to manually filter the report.


On a related note, when we automate reports like this one and automatically mail them to appropriate parties, it looks like the reports are all or nothing in terms of mailing on a scheduled basis. It would be nice if we could send different reports on different schedules which would make this report a bit more useful or at least less annoying in its deficiencies 😉
Hemoco
Lansweeper Alumni
bdowell wrote:
It would be nice if we could send different reports on different schedules

This feature is on our customer wish list, but we do not currently have a release date for it unfortunately.
Hemoco
Lansweeper Alumni
Lansweeper does not store an AD user's status (enabled/disabled) in the database, so you cannot include this information in your reports.