Many corporate security policies and compliance regulations require that Active Directory user accounts must be disabled after a certain period of inactivity. This is a good practice; doing so keeps Active Directory secure and clean. For example, someone can create a user account, leave it untouched for many days, and then use it to perform malicious activity against an organization. Another example is employee retirement: User accounts must be disabled when an employee quits an organization, but in practice, IT departments are usually the last to know when somebody leaves. Also, most HR databases only keep information about the "primary" user account and know nothing about additional user accounts.
Inactive Users Tracker automates the management of inactive user accounts. The program periodically checks all user accounts in specified domains and reports all accounts inactive for more than specified number of days.
To detect inactivity, the tool checks the "lastLogon" and "lastLogonTimestamp" attributes of every user account, which represent the last time a user was authenticated by a specific DC. AD doesn't replicate these attributes; as a result, the values will be different on each DC. The Inactive Users Tracker handles this correctly: It queries all DCs in the domain and uses the most recent logon time, sometimes called the "true last logon".
Thank you for the painless, super quick purchase and installation! Inactive Users Tracker has been making my housekeeping duties so much easier...what a great investment! Awesome! /Vivian S., Senior Network Security Analyst, Reading International/