Searching for Problem User and Computer Accounts




DSQUERY USER and DSQUERY COMPUTER include several syntax extensions designed to help you search for problem accounts. You can use the -disabled parameter to find accounts that have been disabled. To search the entire domain for disabled user accounts, type dsquery user -disabled.

The resulting output lists the user accounts that have been disabled by their distinguished names (DNs), such as

"CN=Guest,CN=Users,DC=cpandl,DC=com"
"CN=SUPPORT_456945a0,CN=Users,DC=cpandl,DC=com"
"CN=krbtgt,CN=Users,DC=cpandl,DC=com"

Another very useful command option is -stalepwd. This option lets you search for accounts whose passwords have not been changed for at least the number of days specified. For instance, you could search for all user accounts whose passwords haven't been changed for at least 15 days by typing dsquery user -stalepwd 15.

The resulting output is a list of users by DN:

"CN=Administrator,CN=Users,DC=cpandl,DC=com"
"CN=Guest,CN=Users,DC=cpandl,DC=com"
"CN=SUPPORT_456945a0,CN=Users,DC=cpandl,DC=com"
"CN=krbtgt,CN=Users,DC=cpandl,DC=com"
"CN=William R. Stanek,CN=Users,DC=cpandl,DC=com"
"CN=Howard Smith,CN=Users,DC=cpandl,DC=com"

Real World

You can set password policies that require users to change passwords regularly as discussed in Chapter 9 of the Microsoft Windows Server 2003 Administrator’s Pocket Consultant (Microsoft Press, 2003). These policies only apply when users log on to the domain. If a user is on vacation or otherwise unavailable, the last time the password changed could exceed the limit (but normally the user would have to change his password on the next login). Most disabled accounts will also show up on your stale password list.

Finally, you might also want to search for computer or user accounts that have been inactive for at least the number of weeks specified. An inactive account is one that hasn't logged on to the domain within the specified time period. For example, if you wanted to find out which user accounts haven't logged on to the domain for at least two weeks, you could type dsquery user -inactive 2.

Generally, users don’t log on to the domain because they are out of the office, which means they could be on vacation, sick, or working off-site. With computer accounts, being inactive means the computers have been shut down or disconnected from the network. For example, if a user goes on vacation and takes her laptop with her but doesn’t connect to the office remotely while away, the related computer account would be inactive for that period of time.
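One way to act on the three listings above together, as an added example that is not from the book: a Python script that parses the quoted DNs dsquery prints and subtracts the disabled set from the stale-password and inactive sets, so that only enabled accounts needing follow-up remain. The file names, the 90-day and 4-week thresholds and the "Smith\, Jane" entry are constructed for the example; the DNs otherwise match the listings shown above.

```python
"""Cross-reference dsquery listings to find enabled accounts that are
both stale and inactive (added example, not from the book).
Assumes the listings were saved with constructed filenames:
  dsquery user -disabled -limit 0 > disabled.txt
  dsquery user -stalepwd 90 -limit 0 > stale.txt
  dsquery user -inactive 4 -limit 0 > inactive.txt
-limit 0 lifts dsquery's default cap of 100 returned objects.
"""
import re

# Constructed sample output in the shape dsquery prints: one quoted DN per line.
DISABLED = '''"CN=Guest,CN=Users,DC=cpandl,DC=com"
"CN=SUPPORT_456945a0,CN=Users,DC=cpandl,DC=com"
"CN=krbtgt,CN=Users,DC=cpandl,DC=com"
'''
STALE = '''"CN=Administrator,CN=Users,DC=cpandl,DC=com"
"CN=Guest,CN=Users,DC=cpandl,DC=com"
"CN=SUPPORT_456945a0,CN=Users,DC=cpandl,DC=com"
"CN=krbtgt,CN=Users,DC=cpandl,DC=com"
"CN=William R. Stanek,CN=Users,DC=cpandl,DC=com"
"CN=Howard Smith,CN=Users,DC=cpandl,DC=com"
'''
INACTIVE = '''"CN=Guest,CN=Users,DC=cpandl,DC=com"
"CN=Howard Smith,CN=Users,DC=cpandl,DC=com"
"CN=Smith\\, Jane,OU=Sales,DC=cpandl,DC=com"
'''

def parse_dns(text):
    """Set of DNs from dsquery output, surrounding quotes and blank lines dropped."""
    return {line.strip().strip('"') for line in text.splitlines() if line.strip()}

def cn_of(dn):
    """Value of the leading CN; a backslash-escaped comma is part of the value."""
    m = re.match(r'CN=((?:\\.|[^,\\])*)', dn)
    return m.group(1).replace('\\,', ',') if m else dn

def triage(disabled_txt, stale_txt, inactive_txt):
    """Subtract disabled accounts first: they always look stale (krbtgt, Guest)."""
    disabled, stale, inactive = map(parse_dns, (disabled_txt, stale_txt, inactive_txt))
    enabled_stale = stale - disabled
    return {
        "enabled_stale": sorted(map(cn_of, enabled_stale)),
        "stale_and_inactive": sorted(map(cn_of, enabled_stale & inactive)),
        "inactive_only": sorted(map(cn_of, inactive - disabled - stale)),
    }

if __name__ == "__main__":
    for label, names in triage(DISABLED, STALE, INACTIVE).items():
        print(f"{label}: {', '.join(names) or '(none)'}")
```

To run it against a real domain, read the three saved files into the three strings instead of the constructed samples; the set arithmetic is unchanged.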






Microsoft Windows Command-Line Administrator's Pocket Consultant
ISBN: 0735620385
Year: 2004