Click here to Skip to main content
11,790,613 members (56,766 online)
Click here to Skip to main content

VBScript to Disable Old Accounts in Active Directory

, 4 Sep 2007 CPOL 75.1K 1.2K 12
Rate this:
Please Sign up or sign in to vote.
Searches a given OU for all users that haven't logged on in a given length of time. Then gives you the option to disable them and move them to a new folder.


This script is basically used to search out and disable stale accounts. The code is fairly straightforward but uses a combination of the LDAP, WinNT and FSO to accomplish its goals. The attached document is a working script that should be run from an AD server while logged on as an administrator. All you need to do is enter your domain information in the variable declarations at the top. It will display a message asking if you want to disable the accounts and another message asking if you want to just save the output to a file.


If your business is anything like mine, HR never tells you when a person is gone so running this script monthly can at least tell you when the last time they logged in was.

The Code

The main functions in this script are based off of ADSI and using the an LDAP object to query Active Directory. Since LDAP queries will only access a single Organizational Unit (OU), you have to recursively search all sub-folders in order to find all of the users.

First off, you need to set up a number of variables based off of your AD.

bDisable = 0      
'do you want to disable and move the accounts?
strFileName = "c:\"  
'the file where the tab delimited results are saved
strUserDN = "servername/OU=All Users, dc=yourdomain, dc=com"  
'initial OU where the users are located
'you can leave out the servername/ if you only have 1 domain controller
strNewParentDN = "OU=Inactive Users, dc=yourdomain, dc=com"           
'location where disabled users are moved to
strDomain = "" 
iDayThreshold = 180
'number of days without logging in

These two simple functions can recursively find all of the users.

Function EnumOUs(sADsPath)
'recursively finds all of the OU's and users in the given AD path
Set oContainer = GetObject(sADsPath)
    oContainer.Filter = Array("OrganizationalUnit")
    For Each oOU in oContainer
End Function

Function EnumUsers(sADsPath)
'finds all of the users' last login time
Set oContainer = GetObject(sADsPath)
    oContainer.Filter = Array("User")
    For Each oADobject in oContainer
        strOut = strOut & oADobject.Name & vbCrLf
       'you can put other things here depending on what you want to do
End Function

This will basically build a string that has all of the users in it. However, instead of just building a string, we can also get the lastLogon property of each user. Once we have that, we can determine what we want to do with the users that haven't logged on in the given time frame.

Since the lastLogon property is saved as an integer in LDAP, you have to collect the data as an object and convert it to a usable date value.

'for each user object, oADobject find the last logon
    Set objLogon = oADobject.Get("lastLogon")
    intLogonTime = objLogon.HighPart * (2^32) + objLogon.LowPart 
    intLogonTime = intLogonTime / (60 * 10000000)
    intLogonTime = intLogonTime / 1440
    intLogonTime = intLogonTime + #1/1/1601#
    inactiveDays = Fix(Now() - intLogonTime)

Based off whatever logic you choose, you can then disable the accounts or move them to an "inactive users" folder or both. This function will move the user, then disable it.

Sub MoveUser(adsName, adsPath, adsSAM)
'adsName is the CN of the object - CN=Some Guy
'adsPath is the full DN path - LDAP://cn=Some Guy, 
'OU=All Users, DC=yourdomain, DC=com
'adsSAM is the unique object name (their username) - someguy
'moves the user from the given OU to a new OU
    Set objUser = GetObject("LDAP://" & strNewParentDN)
    objUser.MoveHere sPath, sName

'then disable the user
    Set objUser = GetObject("WinNT://" & strDomain & "/" & _
    objUser.AccountDisabled = True
End Sub

Then, we can also use a FSO save the list of users that were disabled to a file if you want. This function takes the output string and saves it to a file.

Sub SaveToFile(strData)
'create a FSO
    Dim objFSO
    Set objFSO = CreateObject("Scripting.FileSystemObject") 
'if the file exists already open it for writing

    If objFSO.FileExists(strFileName) Then
        Set objTextStream = objFSO.OpenTextFile(strFileName, 2)
            objTextStream.Write strData
        Set objTextStream = Nothing
'otherwise, create the file and write the data
        Set objTextStream = objFSO.CreateTextFile(strFileName, True)  
            objTextStream.Write strData
        Set objTextStream = Nothing
    End If
End Sub

Download a complete copy of the script here.

Points of Interest

I found various parts of this script on different web sites but never found anything to tie them all together. This combination of routines really gives some pretty good functionality for systems administrators to get rid of inactive users and to get a report on it too.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Jesse Fatherree
Systems Engineer
United States United States
No Biography provided

You may also be interested in...

Comments and Discussions

QuestionExcellent Pin
Jhon Drake25-Nov-14 23:35
memberJhon Drake25-Nov-14 23:35 
QuestionError Pin
pitpit25-Apr-12 0:31
memberpitpit25-Apr-12 0:31 
QuestionCode 80072030 - There is no such object on the server Pin
Member 872823530-Mar-12 21:57
memberMember 872823530-Mar-12 21:57 
Questionthis VB code Pin
dennylutz8025-Jul-11 17:39
memberdennylutz8025-Jul-11 17:39 
Generalrepotees in an organisation Pin
nicetohaveyou4-Nov-08 4:15
membernicetohaveyou4-Nov-08 4:15 
GeneralRobert's question Pin
Genevieve Sovereign4-Sep-07 5:27
staffGenevieve Sovereign4-Sep-07 5:27 
GeneralRe: Robert's question Pin
Jesse Fatherree4-Sep-07 5:53
memberJesse Fatherree4-Sep-07 5:53 
GeneralRe: Robert's question Pin
bbstone5-Sep-07 10:32
memberbbstone5-Sep-07 10:32 
GeneralRe: Robert's question Pin
Cenarkion4-Nov-07 16:16
memberCenarkion4-Nov-07 16:16 
QuestionRe: Robert's question Pin
Coldfire27-Apr-08 23:41
memberColdfire27-Apr-08 23:41 
GeneralRe: Robert's question Pin
babaa28-Feb-08 23:11
memberbabaa28-Feb-08 23:11 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.1509028.1 | Last Updated 4 Sep 2007
Article Copyright 2007 by Jesse Fatherree
Everything else Copyright © CodeProject, 1999-2015
Layout: fixed | fluid