Find stale user / computer accounts
ADMan can find stale user and computer accounts in AD, send an email to an admin, and optionally disable the accounts. The definition of “stale” is configurable.
Note
The lastLogonTimestamp LDAP attribute used to determine the staleness of an account is only updated every msDS-LogonTimeSyncInterval days, which defaults to 14. Therefore, the granularity cannot typically be set lower than this.
Actions
For each configured user and computer LDAP container (or all, if none configured), ADMan will:
Find all “stale” accounts, as configured either domain-wide or for that container
Disable any stale accounts, if configured either domain-wide or for that container
Then ADMan will:
Send an email to the admin (if email_to is set) with the findings and results, in tabular format.
Configuration
The following configuration options (keys) exist under stale_accounts:
Config Key | Type | Default | Description
---|---|---|---
email_to | string | (none) | Email address to which reports are sent
older_than | string | (none) | Minimum age of a “stale” account (domain default)
disable | boolean | False | Whether or not to disable stale accounts (domain default)
include_disabled | boolean | False | Whether or not to include disabled accounts in the report (domain default)
users | mapping | (entire domain) | User containers to be searched, along with settings which override the domain defaults
computers | mapping | (entire domain) | Computer containers to be searched, along with settings which override the domain defaults
Note
By default, the entire domain is searched for stale user and computer accounts. That can be overridden for user and computer accounts separately. LDAP containers to be searched can be specified here, along with settings which override those above.
stale_accts – like containers, but with additional keys which override the domain defaults above:
Config Key | Type | Default | Description
---|---|---|---
older_than | string | (domain default) | Minimum age of a “stale” account (override)
disable | boolean | (domain default) | Whether or not to disable stale accounts (override)
include_disabled | boolean | (domain default) | Whether or not to include disabled accounts in the report (override)
Example configuration
stale_accounts:
  # Admin email to which reports are sent
  email_to: "System Administrator <sysadmin@example.com>"
  # Domain-wide settings
  # How old an account must be before it is "stale"
  older_than: "120 days"
  # Whether or not to disable stale accounts
  #disable: True
  # Whether or not to report already-disabled accounts (default: False)
  include_disabled: True
  # By default, the entire domain is searched for stale user and computer
  # accounts. That can be overridden for user and computer accounts separately.
  # LDAP containers to be searched can be specified here, along with settings
  # which override those above.
  users:
    OU=Special Users,OU=People:
      # LDAP search scope; can be 'one' or 'subtree' (default).
      scope: one
      older_than: "30 days"
      disable: True
      include_disabled: False
    CN=Users:
      #scope: subtree
  computers:
    CN=Computers:
      disable: True
    OU=Domain Controllers:
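To show how the domain defaults, the per-container overrides and the lastLogonTimestamp granularity noted above interact, here is an added Python model of the staleness check (example code, not ADMan's own). It assumes the `older_than` syntax is `"N days"` as in the example and applies a conservative rule of its own: an account counts as stale only when even its timestamp plus msDS-LogonTimeSyncInterval days is older than `older_than`; the records and the current time are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH_OFFSET = 11644473600  # seconds from 1601-01-01 (FILETIME epoch) to 1970-01-01
UF_ACCOUNTDISABLE = 0x2              # userAccountControl bit set on disabled accounts

def filetime_to_datetime(ft: int) -> datetime:
    """Decode lastLogonTimestamp (100 ns ticks since 1601) to a UTC datetime, whole seconds."""
    return datetime.fromtimestamp(ft // 10_000_000 - FILETIME_EPOCH_OFFSET, tz=timezone.utc)

def datetime_to_filetime(dt: datetime) -> int:  # inverse; used only to build sample records
    return (int(dt.timestamp()) + FILETIME_EPOCH_OFFSET) * 10_000_000

def parse_age(text: str) -> timedelta:
    """Parse an older_than value such as "120 days" (the format the example config uses)."""
    count, unit = text.split()
    if unit.rstrip("s") != "day":
        raise ValueError(f"unsupported unit in older_than: {unit!r}")
    return timedelta(days=int(count))

def effective_settings(domain_cfg: dict, container_cfg: dict) -> dict:
    """Domain-wide stale_accounts defaults, overridden by the container's own keys."""
    eff = {"older_than": domain_cfg.get("older_than"), "disable": domain_cfg.get("disable", False),
           "include_disabled": domain_cfg.get("include_disabled", False)}
    eff.update({k: v for k, v in container_cfg.items() if k in eff})
    return eff

def find_stale(accounts: list, settings: dict, now: datetime, sync_days: int = 14) -> list:
    """Return (dn, action) for stale accounts. lastLogonTimestamp may lag the real logon by up to
    msDS-LogonTimeSyncInterval days, so only timestamp + sync_days older than older_than counts."""
    cutoff = now - parse_age(settings["older_than"]) - timedelta(days=sync_days)
    findings = []
    for acct in accounts:
        disabled = bool(acct["userAccountControl"] & UF_ACCOUNTDISABLE)
        if disabled and not settings["include_disabled"]:
            continue
        if filetime_to_datetime(acct["lastLogonTimestamp"]) > cutoff:
            continue  # recent enough, or still inside the replication-granularity window
        findings.append((acct["dn"], "disable" if settings["disable"] and not disabled else "report"))
    return findings

DOMAIN_CFG = {"older_than": "120 days", "include_disabled": True}  # mirrors the example config
CONTAINER_CFG = {"older_than": "30 days", "disable": True, "include_disabled": False}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time" for the samples

def sample_accounts() -> list:
    def rec(dn, days, uac=0x200):  # constructed record; `days` = age of the recorded last logon
        return {"dn": dn, "userAccountControl": uac,
                "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=days))}
    return [rec("CN=alice,CN=Users", 200), rec("CN=bob,CN=Users", 125),
            rec("CN=carol,CN=Users", 20), rec("CN=dave,CN=Users", 300, 0x202)]
```

With the 14-day sync interval, bob (125 days) is not reported under the 120-day domain default, because his real last logon may be as recent as 111 days ago; with `sync_days=0` he would be.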
Commands
Relevant CLI commands: