Version

Argent for Active Directory 1310-A and above

Date

Friday, 20 Sep 2013

Summary

Argent for Active Directory has been enhanced with ‘Inactive Users Rules‘ and ‘Inactive Users Report‘ to find the inactive users for the past specific number of days

Technical Background

Argent for Active Directory 1310-A introduces a new Rule to find inactive users for the past specific number of days. There is also a new report (Inactive Users Report) added. Inactive users are those users in Active Directory who have not logged in for the last ‘n‘ number of days

Inactive Users Rule

Rule ‘PS_INACTIVE_USERS_FOR_PAST_30_DAYS‘ finds out the inactive users for the past 30 days

Click For Full Size

Three ‘Ready to Use‘ Rules have been added to find inactive users who have not logged in for past 30 days, for past 60 days and for past 90 days

If the number of days needs to be changed, edit the PowerShell script variable ‘$g_iInactiveUsersThreshold‘ marked in red below

Click For Full Size

Inactive User Report

The Report ‘RPT_ INACTIVE_USERS_FOR_PAST_30_DAYS‘ displays the inactive users list for the past 30 days

Click For Full Size

Report Sample

Click For Full Size

Critical Note:

If there any issue occurs in getting the latest changes, read the following note

Active Directory stores the last logon information of users. The Argent script uses this information to execute Argent Rule. But as per MSDN, this information *MAY* not be updated regularly. There can be a delay of nine to fourteen days. However system administrators can run scripts to make it up-to-date

So, if issues are reported that the rule is not functioning as intended, the first thing to check is, if the Active Directory has updated the last logon information of the corresponding user

Reference:

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

Resolution

N/A