Applies To:

GroupID 10 - Synchronize

Business Scenario:

We use Active Directory (AD) to manage users in our organization. For security reasons, we want to disable the user accounts in AD that have not logged in for the past 60 days.

Solution:

We need to check the value of the lastLogonTimestamp attribute for users in AD to find those who have not logged on for the past 60 days. Two properties of this attribute matter for the threshold. First, AD updates and replicates lastLogonTimestamp only when the stored value is older than the msDS-LogonTimeSyncInterval (14 days by default, minus a random 0 to 5 days), so the attribute can lag the real last logon by up to 14 days and a "60 days" cut-off is approximate. Second, the attribute is empty for accounts that have never logged on, so those accounts need a separate filter rather than a date comparison.

Instead of writing a complex script to do this, we can use two GroupID Synchronize jobs:

  1. A job to disable all enabled accounts with no lastLogonTimestamp value (users who have never logged on)
    This job fetches the users whose lastLogonTimestamp attribute is empty and disables their accounts. No date comparison is needed.

  2. A job to disable enabled accounts whose lastLogonTimestamp is 60 days old or older
    This job fetches the users who do have a lastLogonTimestamp value. A short script transform converts the value (a Windows FILETIME) to a date, compares it with the current date, and disables the account when 60 days or more have elapsed.

Job to disable all accounts with no lastLogonTimestamp value (users who have never logged on)

  1. In GroupID Management Console, expand the Synchronize node, right-click All Jobs, and then select New Job.

  2. On the Job Template page, select the Blank Job option and click Next.

  3. Since this is an update job from AD to AD, select Microsoft Active Directory (LDAP) as the source and destination provider.

  4. On the Sync Object Options page, select the required object type and then the Skip option button for it, as this is an update job.

  5. On the Select Fields page, select the fields you want to update. For example, select EmployeeID as the key attribute and Disable Account as the target attribute. Any attribute that is populated and unique for every user can serve as the key; if the key attribute is empty for some accounts, those accounts are never matched and therefore never disabled, so verify this before relying on the job.

  6. The next and the most important page is the Field Map(s) page. Map the destination EmployeeID field to the corresponding EmployeeID field in the source (this is how each destination user is matched). For Disable Account, use the Static transform with the value set to TRUE.


  7. Click Next; then on the Completion page, click Advanced and then Next.

  8. On the Source Query page, add an LDAP criterion that returns only user accounts that are enabled and whose lastLogonTimestamp attribute has never been set:

    (&(&(|(objectCategory=person)(objectCategory=cn=person*))(objectClass=user))(&(!(lastLogonTimestamp=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2))))

    The negation must wrap a complete parenthesised filter, i.e. (!(lastLogonTimestamp=*)). The enabled/disabled state is the ACCOUNTDISABLE bit (0x2) of userAccountControl, which is a bit field, so it is tested with the LDAP_MATCHING_RULE_BIT_AND rule (1.2.840.113556.1.4.803) rather than by comparing against the single value 514; 514 is only NORMAL_ACCOUNT plus disabled, and a filter on it would also return disabled accounts that have other flags set (for example, password never expires).

  9. Click Next and complete the wizard to create the job.

  10. Run the job to disable all accounts in AD that have never logged in.

Job to disable accounts with a lastLogonTimestamp value that is 60 days old or older

  1. In GroupID Management Console, expand the Synchronize node, right-click All Jobs, and then select New Job.

  2. On the Job Template page, select the Blank Job option and click Next.

  3. Since this is an update job from AD to AD, select Microsoft Active Directory (LDAP) as the source and destination provider.

  4. On the Sync Object Options page, select the required object type and then the Skip option button for it, as this is an update job.

  5. On the Select Fields page, select the fields you want to update. For example, select EmployeeID as the key attribute (the same key as in the first job, populated for every user) and Disable Account as the target attribute.

  6. The next and the most important page is the Field Map(s) page. Map the destination EmployeeID field to the corresponding EmployeeID field in the source. For Disable Account, use the Script transform and click Edit Script.

  7. In the Script Editor, use the script given below:

    ' sResult is the value the transform writes to the Disable Account attribute.
    Dim sResult As String
    Dim lastlogondateField As String
    Dim lastlogondate As System.DateTime

    ' lastLogonTimestamp is a Windows FILETIME (100-nanosecond ticks since
    ' 1601-01-01 UTC) stored as a large integer and read here as a string.
    lastlogondateField = DTM.Source("lastLogonTimestamp")

    If String.IsNullOrEmpty(lastlogondateField) Then
        ' The source query only returns users with a value; never decide on a missing one here.
        sResult = "False"
    Else
        ' FromFileTime converts to local time, which matches DateTime.Now below.
        lastlogondate = DateTime.FromFileTime(CLng(lastlogondateField))
        ' Add the 60-day threshold: the account is disabled once 60 days or more have elapsed.
        lastlogondate = lastlogondate.AddDays(60)

        If System.DateTime.Compare(lastlogondate, System.DateTime.Now) <= 0 Then
            sResult = "True"
        Else
            sResult = "False"
        End If
    End If


  8. Now test the script by clicking the check mark next to Don't forget to test your script.

  9. After successful testing, click OK to save and close the editor.

  10. Click Next; then on the Completion page, click Advanced and then Next.

  11. On the Source Query page, add an LDAP criterion that returns only enabled user accounts that have a value stored in the lastLogonTimestamp attribute (the 60-day comparison itself is done by the script transform):

    (&(&(|(objectCategory=person)(objectCategory=cn=person*))(objectClass=user))(&(lastLogonTimestamp=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))

    As in the first job, the enabled state is tested with the bitwise matching rule on the ACCOUNTDISABLE bit (0x2) rather than against the literal value 514.

  12. Click Next and complete the wizard to create the job.

  13. Run the job to disable user accounts in AD that have not logged in for the past 60 days.
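The following PowerShell script is an added example, not part of this article and not GroupID code. It performs the same two selections (never logged on, and lastLogonTimestamp 60 days old or older) with the RSAT ActiveDirectory module, so the LDAP filters and the threshold logic can be dry-run against the directory before the Synchronize jobs are scheduled. It assumes the ActiveDirectory module is installed and the caller is permitted to disable the matched users; the Test-StaleTimestamp function, the -StaleDays and -Commit parameters, and the filter variable names are my own, while Get-ADUser and Disable-ADAccount are the standard cmdlets.

```powershell
<#
  Added example, not from the GroupID article: dry-run the two stale-account
  selections from PowerShell with the RSAT ActiveDirectory module.
  Assumptions: the module is installed and the caller may disable the matched
  users. Accounts are only disabled when -Commit is given; otherwise -WhatIf.
#>
[CmdletBinding()]
param(
    [int]$StaleDays = 60,
    [switch]$Commit
)

# Enabled user objects. userAccountControl is a bit field, so test the
# ACCOUNTDISABLE bit (0x2) with LDAP_MATCHING_RULE_BIT_AND instead of
# comparing against the single value 514 (NORMAL_ACCOUNT + disabled only).
$EnabledUser = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Job 1: enabled users whose lastLogonTimestamp was never set.
$NeverLoggedOn = "(&$EnabledUser(!(lastLogonTimestamp=*)))"

# Job 2 candidates: enabled users with a lastLogonTimestamp; the age is checked client-side.
$HasTimestamp = "(&$EnabledUser(lastLogonTimestamp=*))"

function Test-StaleTimestamp {
    <# Returns $true when a raw lastLogonTimestamp (Windows FILETIME: 100 ns ticks
       since 1601-01-01 UTC) is $Days or more days old. Mirrors the Job 2 script transform. #>
    param(
        [Parameter(Mandatory)][long]$FileTime,
        [int]$Days = 60,
        [datetime]$Now = [DateTime]::UtcNow
    )
    if ($FileTime -le 0) { return $true }   # unset: same outcome as Job 1
    $last = [DateTime]::FromFileTimeUtc($FileTime)
    return ($last.AddDays($Days) -le $Now)
}

# Self-check on constructed values (no directory needed): 61 days old is stale, 10 days is not.
$now = [DateTime]::UtcNow
if (-not (Test-StaleTimestamp -FileTime $now.AddDays(-61).ToFileTimeUtc() -Now $now)) { throw 'stale check failed' }
if (Test-StaleTimestamp -FileTime $now.AddDays(-10).ToFileTimeUtc() -Now $now) { throw 'fresh check failed' }

Import-Module ActiveDirectory

$candidates = @(Get-ADUser -LDAPFilter $NeverLoggedOn -Properties lastLogonTimestamp)
$candidates += Get-ADUser -LDAPFilter $HasTimestamp -Properties lastLogonTimestamp |
    Where-Object { Test-StaleTimestamp -FileTime $_.lastLogonTimestamp -Days $StaleDays }

foreach ($user in $candidates) {
    $age = if ($user.lastLogonTimestamp) {
        ($now - [DateTime]::FromFileTimeUtc($user.lastLogonTimestamp)).Days
    } else { 'never' }
    Write-Host ("{0,-30} last logon: {1} days ago" -f $user.SamAccountName, $age)
    # Without -Commit this is -WhatIf:$true and only reports what would be disabled.
    Disable-ADAccount -Identity $user -WhatIf:(-not $Commit)
}
```

Run it without -Commit first and review the list it prints. Because lastLogonTimestamp can lag the real last logon by up to 14 days, and because neither this script nor the Synchronize jobs have an exemption list, rarely used service or break-glass accounts that are still legitimate will appear in the output and should be excluded before the jobs are run for real.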

Reference:

GroupID Synchronize User Guide