Cleaning up inactive computer accounts

Hi, I'm wondering if anyone can help me with this:

I have a copy of the built-in automated Workflow that cleans up inactive computer accounts.  We basically want to disable and move inactive workstation accounts that haven't logged in for 60 days, but would like to build in an exception for specific computers - we do get the odd one or two that are used off-site by remote workers without connecting to the network for extended periods.

I don't really want to put these systems in a separate OU - I'm a firm believer in keeping my OU structure as simple as possible - so I thought I could do this by adding these computers to a security group and writing a filter that says if the "memberOf" attribute does not contain the Distinguished Name (DN) of the security group, then disable the account.

I've currently got the actions that disable and move the inactive accounts disabled in the workflow, so I can just generate a report of computers that fall into these criteria.  Unfortunately the report returns no systems.  If I run the workflow without the filter then I get several inactive accounts listed.

Any ideas?

  • So anyway, I think I have resolved this myself.  Having done some research, it appears that you cannot use wildcard parameters when performing an LDAP query against the "memberOf" or "member" attribute.

    So I updated the filter to say the "memberOf" attribute does not equal (as opposed to does not contain) the DN of the security group.  Running the workflow produced my list of inactive computers.  So I added a couple of the computers listed in the original report to my security group and ran the workflow again and these computers were excluded from the second report.
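The working approach in the follow-up is an equality match on the group DN, because memberOf is a DN-syntax attribute and Active Directory does not support substring (wildcard) matching on it. The example below is an added illustration, not the original poster's workflow or any vendor's code: it builds the same kind of filter in Python so the pieces can be checked offline. It converts the 60-day cutoff into the integer format lastLogonTimestamp stores (100 ns ticks since 1601-01-01 UTC), escapes the group DN per RFC 4515 so parentheses or backslashes in a DN cannot break the filter, and skips accounts that are already disabled. The group DN, function names and dates are placeholders I chose; the matching-rule OIDs are Active Directory's real ones.

```python
"""Build an LDAP filter for stale computer accounts that are not in an
exemption group. Constructed example; DNs and dates are placeholders."""
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100 ns ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Extensible-match rule OIDs defined by Active Directory.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # bitwise AND
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # nested membership
ADS_UF_ACCOUNTDISABLE = 2  # userAccountControl bit for a disabled account


def utc(year, month, day):
    """Small helper so callers can build timezone-aware UTC dates."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def to_filetime(dt):
    """Convert an aware datetime to the integer lastLogonTimestamp uses."""
    if dt.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515.

    Backslash is escaped first: a DN such as 'CN=Smith\\, John,...' must keep
    its backslash as the literal \\5c instead of being read as a new escape.
    """
    return (
        value.replace("\\", "\\5c")
        .replace("*", "\\2a")
        .replace("(", "\\28")
        .replace(")", "\\29")
        .replace("\x00", "\\00")
    )


def cutoff_for_days(days, now=None):
    """Timestamp before which a last logon counts as stale."""
    now = now or datetime.now(timezone.utc)
    return now - timedelta(days=days)


def build_stale_computer_filter(exempt_group_dn, cutoff, nested=False):
    """Return the filter: computer, last logon <= cutoff, not disabled,
    and not a member of the exemption group.

    memberOf holds DNs, so only an exact (equality) match works; a wildcard
    such as (memberOf=*Exempt*) matches nothing. With nested=True the
    LDAP_MATCHING_RULE_IN_CHAIN rule also honours membership via nested groups.
    """
    rule = f":{LDAP_MATCHING_RULE_IN_CHAIN}:" if nested else ""
    return (
        "(&"
        "(objectCategory=computer)"
        f"(lastLogonTimestamp<={to_filetime(cutoff)})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ADS_UF_ACCOUNTDISABLE}))"
        f"(!(memberOf{rule}={escape_filter_value(exempt_group_dn)}))"
        ")"
    )


if __name__ == "__main__":
    # Placeholder group DN; substitute the real exemption group's DN.
    group_dn = "CN=Stale-Exempt,OU=Groups,DC=example,DC=com"
    print(build_stale_computer_filter(group_dn, cutoff_for_days(60)))
```

The resulting string can be handed to any LDAP client, for example `Get-ADComputer -LDAPFilter $filter` in PowerShell. Two caveats worth keeping in mind when reviewing the report: lastLogonTimestamp is replicated only when it is more than the msDS-LogonTimeSyncInterval (14 days by default) out of date, so a "60 day" cutoff really catches machines quiet for roughly 60 to 74 days; and computers that have never logged on have no lastLogonTimestamp at all and therefore do not match a `<=` comparison, so they need a separate `(!(lastLogonTimestamp=*))` clause if they should be cleaned up too.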