I have a remote client running W2K3 AD. The client would like to have users that have not changed their password after 120 days from its last expiration date. Does AD have the ability to do this?
You could write a script to delete accounts that have a password age greater than 120 days, that's probably the best way to do it.
But I have to question why someone would want those accounts deleted rather than disabled. If the accounts were still supposed to be active, then deleting them will take away group memberships that would have to be re-created (and usually aren't documented anywhere) if the account was deleted in error. Usually most companies have a termination process where they disable an account of an employee who has left, and then delete the account after a period of time (in case the employee is re-hired or the account is needed for some reason). You can put a comment in the description field that says they were terminated on such-and-such date, and then just search on that field in AD Users and Computers once a month to find accounts to be deleted.
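As an added illustration of the disable-then-delete-later process described in the answer above (this is example code, not something posted in the thread), the PowerShell script below finds enabled users whose password is older than 120 days, disables them instead of deleting them, and stamps the description field with the date so a later monthly sweep can find accounts past their retention period. It assumes the RSAT ActiveDirectory module is installed on the machine running it and that the domain can be queried through Active Directory Web Services (on Windows Server 2003 domain controllers this means the Active Directory Management Gateway Service add-on); the 120-day threshold and 90-day retention are assumed values, and the description-stamp format is my own convention.

```powershell
# Added example (not from the original thread).
# Assumes: RSAT ActiveDirectory module; AD Web Services / AD Management Gateway
# Service reachable on the domain. Thresholds below are assumptions.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 120   # password older than this => disable
$RetentionDays      = 90    # disabled this long => candidate for deletion
$DryRun             = $true # set to $false to actually change accounts

$Cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

# Only enabled, expiring-password accounts are in scope. PasswordLastSet is the
# module's DateTime view of pwdLastSet; $null means "must change at next logon",
# so there is no meaningful password age to compare and those are skipped.
$stale = Get-ADUser -Filter { Enabled -eq $true } `
                    -Properties PasswordLastSet, PasswordNeverExpires, Description |
         Where-Object {
             -not $_.PasswordNeverExpires -and
             $_.PasswordLastSet -ne $null -and
             $_.PasswordLastSet -lt $Cutoff
         }

foreach ($u in $stale) {
    # Stamp the description with the disable date and keep the old text, as the
    # answer suggests, so the account can be found and reviewed later.
    $stamp = "Disabled {0:yyyy-MM-dd}: password unchanged >{1} days. Was: {2}" -f `
             (Get-Date), $MaxPasswordAgeDays, $u.Description
    Write-Host ("{0,-25} password last set {1:yyyy-MM-dd}" -f $u.SamAccountName, $u.PasswordLastSet)

    # -WhatIf prints the intended action without applying it while $DryRun is $true.
    Disable-ADAccount -Identity $u -WhatIf:$DryRun
    Set-ADUser        -Identity $u -Description $stamp -WhatIf:$DryRun
}

# Monthly sweep: list disabled accounts whose stamp is older than the retention
# period. This only reports; deleting stays a deliberate, separate step.
$deleteCutoff = (Get-Date).AddDays(-$RetentionDays)
Search-ADAccount -AccountDisabled -UsersOnly |
    Get-ADUser -Properties Description |
    Where-Object {
        $_.Description -match '^Disabled (\d{4}-\d{2}-\d{2}):' -and
        [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt $deleteCutoff
    } |
    Select-Object SamAccountName, Description |
    Format-Table -AutoSize
```

Run it first with `$DryRun = $true` to review the list; group memberships are preserved because the account is only disabled, which is exactly why the answer recommends disabling over deleting.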
Thank you very much for your help. KMcferrin, I asked the same thing from my client. I don't think they were seeing the entire aspect of what they wanted. Currently I am just going to disable the account via GPOs and they will have their InfoSec personnel delete the accounts after a time period.