Find stale user / computer accounts

ADMan can find stale user and computer accounts in AD, send an email to an admin, and optionally disable the accounts. The definition of “stale” is configurable.

Note

The lastLogonTimestamp LDAP attribute, which is used to determine whether an account is stale, is only updated every msDS-LogonTimeSyncInterval days (14 by default). The staleness threshold therefore cannot usefully be set finer than this.

Actions

For each configured user and computer LDAP container (or all, if none configured), ADMan will:

  • Find all “stale” accounts, as configured either domain-wide or for that container

  • Disable any stale accounts, if configured either domain-wide or for that container

Then ADMan will:

  • Send an email to the admin (if email_to is set) with the findings and results, in tabular format.

Configuration

The following configuration options (keys) exist under stale_accounts:

Config Key         Type         Default   Description
----------------   -----------  --------  ------------------------------------------------------------------------------------
email_to           string       (none)    Email address to which reports are sent
older_than         duration     (none)    Minimum age of a “stale” account (domain default)
disable            boolean      False     Whether or not to disable stale accounts (domain default)
include_disabled   boolean      False     Whether or not to include disabled accounts in report (domain default)
users              stale_accts  'all'     User containers to be searched, along with settings which override domain defaults
computers          stale_accts  'all'     Computer containers to be searched, along with settings which override domain defaults

Note

By default, the entire domain is searched for stale user and computer accounts. That can be overridden for user and computer accounts separately. LDAP containers to be searched can be specified here, along with settings which override those above.

stale_accts – Like containers but with additional keys, which override the domain defaults above:

Config Key         Type      Default           Description
----------------   --------  ----------------  ------------------------------------------------------------
older_than         duration  (domain default)  Minimum age of a “stale” account (override)
disable            boolean   (domain default)  Whether or not to disable stale accounts (override)
include_disabled   boolean   (domain default)  Whether or not to include disabled accounts in report (override)

Example configuration

stale_accounts:
  # Admin email to which reports are sent
  email_to: "System Administrator <sysadmin@example.com>"

  # Domain-wide settings
  # How old an account must be before it is "stale"
  older_than: "120 days"

  # Whether or not to disable stale accounts
  #disable: True

  # Whether or not to report already-disabled accounts (default: False)
  include_disabled: True

  # By default, the entire domain is searched for stale user and computer
  # accounts. That can be overridden for user and computer accounts separately.
  # LDAP containers to be searched can be specified here, along with settings
  # which override those above.
  users:
    OU=Special Users,OU=People:
      # LDAP search scope; can be 'one' or 'subtree' (default).
      scope: one
      older_than: "30 days"
      disable: True
      include_disabled: False

    CN=Users:
      #scope: subtree

  computers:
    CN=Computers:
      disable: True
    OU=Domain Controllers:
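The following is an added example, not ADMan's own code, showing how the check described above can be evaluated: lastLogonTimestamp is converted from its Windows FILETIME form, per-container keys override the domain defaults exactly as in the stale_accts table, and an older_than shorter than msDS-LogonTimeSyncInterval is rejected for the reason given in the note. The "N days" duration format, the treatment of accounts that have never logged on as stale, and the sample entries are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # lastLogonTimestamp counts 100 ns ticks from here
UF_ACCOUNTDISABLE = 0x0002                                   # userAccountControl "account disabled" bit
LOGON_SYNC_DAYS = 14                                         # msDS-LogonTimeSyncInterval default

def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def parse_duration(text):
    """Accepts the 'N days' form shown in the example configuration (assumed to be the only form)."""
    number, unit = text.split()
    if not unit.startswith("day"):
        raise ValueError(f"unsupported duration unit: {unit}")
    return timedelta(days=int(number))

def effective_settings(domain, container=None):  # container keys override domain defaults
    return {"disable": False, "include_disabled": False, **domain, **(container or {})}

def stale_accounts(entries, domain, container=None, now=None):
    """Return [(sAMAccountName, last_logon, is_disabled, would_disable)] for stale entries."""
    cfg = effective_settings(domain, container)
    older_than = parse_duration(cfg["older_than"])
    if older_than < timedelta(days=LOGON_SYNC_DAYS):
        # The attribute is refreshed only every LOGON_SYNC_DAYS, so a shorter threshold is meaningless.
        raise ValueError(f"older_than must be at least {LOGON_SYNC_DAYS} days")
    cutoff = (now or datetime.now(timezone.utc)) - older_than
    found = []
    for e in entries:
        disabled = bool(e.get("userAccountControl", 0) & UF_ACCOUNTDISABLE)
        if disabled and not cfg["include_disabled"]:
            continue
        ticks = e.get("lastLogonTimestamp", 0)
        last_logon = filetime_to_datetime(ticks) if ticks else None  # None: never logged on
        if last_logon is None or last_logon < cutoff:              # assumed: never-logged-on counts as stale
            found.append((e["sAMAccountName"], last_logon, disabled, cfg["disable"] and not disabled))
    return found

# Constructed sample directory entries and settings, mirroring the example configuration above.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "lastLogonTimestamp": to_filetime(NOW - timedelta(days=12)), "userAccountControl": 0x200},
    {"sAMAccountName": "bob", "lastLogonTimestamp": to_filetime(NOW - timedelta(days=152)), "userAccountControl": 0x200},
    {"sAMAccountName": "carol", "lastLogonTimestamp": to_filetime(NOW - timedelta(days=92)), "userAccountControl": 0x202},
    {"sAMAccountName": "dave", "userAccountControl": 0x200},
]
DOMAIN_SETTINGS = {"older_than": "120 days", "include_disabled": False}
CONTAINER_OVERRIDES = {"older_than": "30 days", "disable": True, "include_disabled": True}
```

Calling stale_accounts(SAMPLE_ENTRIES, DOMAIN_SETTINGS, CONTAINER_OVERRIDES, now=NOW) reports bob, carol and dave, with carol listed but not disabled because she already is; with the domain defaults alone, carol is omitted and nothing would be disabled.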

Commands

Relevant CLI commands: