I want to search Active Directory for inactive users that have had no login for x days/months. I have the following ldapsearch query:
ldapsearch -h domain.test -p 389 -D "cn=login,ou=test,dc=domain,dc=test" -w "passwd" -s sub -b "ou=Test,dc=domain,dc=test" "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
It gives me the list of all inactive users in domain.test with all attributes.
I would like to add a filter for searching users that have had no login for x days/months, and it would be great if the result was the list of sAMAccountNames (inactive user and lastLogonTimestamp > e.g. 3 months). I'm aware that lastLogonTimestamp is not the real time of the last user logon, but in this case it's not so important.
EDIT: now I only need to know if there is a way to show an attribute like "lastLogonTimestamp" in the output of the above ldapsearch query.
ANSWER: The attribute lastLogonTimestamp was not set for each object in the output of the above ldapsearch query. I hadn't noticed that. So grep displayed it:
ldapsearch -h domain.test -p 389 -D "cn=login,ou=test,dc=domain,dc=test" -w "passwd" -s sub -b "ou=Test,dc=domain,dc=test" "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" | grep -i lastlogontimestamp
EDIT: I thought that it would be OK to compare lastLogonTimestamp values. It isn't, because lastLogonTimestamp values are not comparable. The only way is to convert to date format first, and then compare to get users whose last logon was e.g. before 01/06/2017. And here's the question: how to convert a Windows lastLogonTimestamp to a date in bash?
Please let me know if it's the correct way to do it.
Any advice is very much appreciated.
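The conversion asked about above, as an added example that is not part of the original post: it turns lastLogonTimestamp values into dates and lists the sAMAccountNames from ldapsearch output whose last logon is before a cutoff, including objects where the attribute is not set. The function names and the sample LDIF are constructed for illustration, and GNU date is assumed.

```shell
#!/usr/bin/env bash
# Added example. lastLogonTimestamp is a Windows FILETIME: 100-ns ticks since
# 1601-01-01 UTC. 11644473600 is the number of seconds from 1601 to 1970.

filetime_to_epoch() { echo $(( $1 / 10000000 - 11644473600 )); }
epoch_to_filetime() { echo $(( ($1 + 11644473600) * 10000000 )); }
filetime_to_date()  { date -u -d "@$(filetime_to_epoch "$1")" +%F; }  # GNU date

# Print one result line for an entry: $1 = name, $2 = timestamp, $3 = cutoff epoch.
report_entry() {
  [ -n "$1" ] || return 0
  if [ -z "$2" ]; then
    printf '%s\tnever\n' "$1"            # attribute not set on this object
  elif [ "$(filetime_to_epoch "$2")" -lt "$3" ]; then
    printf '%s\t%s\n' "$1" "$(filetime_to_date "$2")"
  fi
}

# Read ldapsearch LDIF on stdin; $1 = cutoff as Unix epoch seconds.
# The body runs in a subshell so its variables stay private.
stale_accounts() (
  cutoff=$1 name="" ts="" cr=$(printf '\r')
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$cr"}                   # tolerate CRLF line endings
    case $line in
      "sAMAccountName: "*)     name=${line#*: } ;;
      "lastLogonTimestamp: "*) ts=${line#*: } ;;
      "")  report_entry "$name" "$ts" "$cutoff"; name=""; ts="" ;;
    esac
  done
  report_entry "$name" "$ts" "$cutoff"   # last entry may lack a trailing blank line
)

# Constructed sample in the shape of ldapsearch output (not real accounts).
sample_ldif() {
  cat <<'EOF'
dn: CN=alice,OU=Test,DC=domain,DC=test
sAMAccountName: alice
lastLogonTimestamp: 131300000000000000

dn: CN=bob,OU=Test,DC=domain,DC=test
sAMAccountName: bob
lastLogonTimestamp: 131500000000000000

dn: CN=carol,OU=Test,DC=domain,DC=test
sAMAccountName: carol
EOF
}

cutoff=$(date -u -d '2017-06-01' +%s)    # cutoff date as Unix epoch seconds
sample_ldif | stale_accounts "$cutoff"
```

In real use, pipe the ldapsearch output into `stale_accounts` in place of `sample_ldif`. `epoch_to_filetime` gives the same cutoff in FILETIME units, which is the form a filter clause such as `(lastLogonTimestamp<=...)` takes.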