
Active Directory Audit: How to Find Inactive User Accounts by Checking Last Logon Time

When your domain has more than a few hundred users, keeping track of everyone gets tough. If the domain structure is complex and managed by multiple admins, it’s even harder. Add departures, promotions, transfers back and forth, and the occasional trickster using an account someone left unattended while on vacation, and the confusion hits a critical point—where security is no longer realistic. How do you bring order to this chaos?

To disable unused accounts in time, you need to know when they were last used. In most cases, if no one has logged in under an account for a couple of months, the person has likely left the company or moved roles. Since all logon attempt data is stored in the user’s Active Directory attributes, identifying these dormant accounts is straightforward.

First, in Active Directory Users and Computers, enable Advanced Features in the View menu so that the additional attributes are shown. The data you need is stored in the lastLogon and lastLogonTimestamp attributes, and failed logon attempts are recorded in the badPasswordTime and badPwdCount attributes.

If you’ve only got a single domain controller, these values will do the job; otherwise, you’ll run into problems. The lastLogon, badPasswordTime, and badPwdCount attributes don’t replicate between controllers, and figuring out which one authenticated the user is a real headache.

Starting with Windows Server 2008, Active Directory (AD) introduced additional attributes specifically for this purpose, which solve the problem. They are:

  • msDS-FailedInteractiveLogonCount — total number of failed interactive logon attempts
  • msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon — number of failed interactive logon attempts since the last successful logon
  • msDS-LastFailedInteractiveLogonTime — time of the last failed interactive logon attempt
  • msDS-LastSuccessfulInteractiveLogonTime — time of the last successful interactive logon attempt

These attributes replicate successfully and can be trusted for logon tracking—you just need to enable them. To do this, create a new Group Policy Object and link it to the Domain Controllers OU. Then, under Computer Configuration → Administrative Templates → System → KDC, enable the policy “Provide information about previous logons to client computers.” After that, the controllers will start collecting the required data.

To fully automate the cleanup, you can write a small script that checks those fields and, for example, sends you a notification when an account has been dormant for longer than your threshold.
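As an added example of such a script (not code from the article), the following PowerShell lists enabled accounts whose newest logon evidence is older than a threshold. It assumes the ActiveDirectory RSAT module is installed and the KDC policy above is enabled; because the msDS-* attributes record only interactive logons, it also consults the replicated lastLogonTimestamp, and with the assumed -AllDCs switch it queries the non-replicated lastLogon on every controller and keeps the newest value.

```powershell
# Added example (not from the article). Lists enabled users whose newest logon evidence
# is older than $Days. Uses the replicated attributes the article names; the -AllDCs switch
# additionally reads the non-replicated lastLogon on each DC and keeps the newest value.
param([int]$Days = 90, [switch]$AllDCs)
Import-Module ActiveDirectory

# Convert a FILETIME large-integer attribute to a UTC DateTime; 0 or missing means "never".
function ConvertFrom-FileTimeAttr([object]$Value) {
    if ($null -eq $Value -or [int64]$Value -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc([int64]$Value)
}

# Newest of the supplied timestamps, or $null when none of them is set.
function Get-NewestLogon([object[]]$Values) {
    $dates = @($Values | ForEach-Object { ConvertFrom-FileTimeAttr $_ } | Where-Object { $null -ne $_ })
    if ($dates.Count -eq 0) { return $null }
    return ($dates | Sort-Object -Descending)[0]
}

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)
$props  = 'lastLogonTimestamp', 'msDS-LastSuccessfulInteractiveLogonTime', 'whenCreated'
$dcs    = if ($AllDCs) { (Get-ADDomainController -Filter *).HostName } else { @() }

Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
    $u = $_
    $candidates = @($u.lastLogonTimestamp, $u.'msDS-LastSuccessfulInteractiveLogonTime')
    foreach ($dc in $dcs) {
        # lastLogon is per-DC, so ask each controller and let Get-NewestLogon keep the maximum.
        $candidates += (Get-ADUser $u.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
    }
    $last = Get-NewestLogon $candidates
    # Accounts that never logged on are judged by creation date, so freshly created ones are not flagged.
    $reference = if ($last) { $last } else { $u.whenCreated.ToUniversalTime() }
    if ($reference -lt $cutoff) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            LastLogon      = if ($last) { $last } else { 'never' }
            DaysInactive   = [int]((Get-Date).ToUniversalTime() - $reference).TotalDays
        }
    }
} | Sort-Object DaysInactive -Descending | Format-Table -AutoSize
```

Run it as `.\Find-StaleUsers.ps1 -Days 60 -AllDCs` (assumed file name); the -AllDCs pass issues one extra query per user per controller, so on large domains run it without the switch first and use it only to double-check accounts you intend to disable.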
