What attribute is used for inactive users?

What attribute is used for inactive users? lastlogon or lastlogontimestamp? If lastlogon, is Active Roles querying all domain controllers? We need to have a definitive date, not a date +- 14 days like lastlogontimestamp provides. And pulling lastlogon from a single domain controller is not necessarily accurate since that attribute is not replicated.

  • Hi  

    If you're using a workflow, with a search activity step, where it is configured to only retrieve accounts that have not logged on for <x> days (as below)

    Instead, what you could do, to save searching through all users, would be something similar to the below:

    Where you use a Search Activity (using LastLogontimestamp), looking for any accounts that have not been logged into by the precise value

    Then for each user account found, have an If/Else branch (mine is labeled "LastLogon Check"), where on the If branch you configure a rule expression that calls a script you write; the script would use the "foundobject" method as listed in the SDK to get the current user

    If you want to set the number of days as a parameter of the workflow, so your script can change based on your parameter value, you'd use the below

    Once the script is written to search every domain controller in the domain the user is located in, if the newest date is over the threshold, return a true.

    The If workflow would then be configured so that if script("your script name") = True, it follows that branch, and then does whatever you want it to do next.

  • What I was really wanting to know is if the built-in Cleanup Inactive User Accounts workflow is using lastLogonTimeStamp. I assume it is. I think instead of spending excessive time on this I'll just add an additional 14 days to our parameter and go with that. We're still pretty new to Active Roles and I'm migrating all of our scheduled tasks over.
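
One way to write the per-user check described in the first reply, as an added example that is not part of the original thread and is not Active Roles code. It uses the ActiveDirectory module's `Get-ADDomainController` and `Get-ADUser`; the function name, its parameters, the assumption that the user lives in the current domain, and the choice to return `$false` when a domain controller cannot be reached are all assumptions. Wiring it to the workflow's found object and parameter is left out.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper: returns $true only when every DC answered and the
# newest lastLogon seen on any of them is older than the threshold.
function Test-UserInactiveAcrossDCs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,       # DN, GUID, SID or sAMAccountName
        [Parameter(Mandatory)] [int]    $ThresholdDays
    )

    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$ThresholdDays)
    $newest = [DateTime]::MinValue
    $failed = @()

    # lastLogon is not replicated, so every DC in the domain has to be asked.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $user = Get-ADUser -Identity $Identity -Server $dc.HostName `
                               -Properties lastLogon -ErrorAction Stop
            # 0 or empty means the account never authenticated against this DC.
            if ($user.lastLogon -gt 0) {
                $stamp = [DateTime]::FromFileTimeUtc($user.lastLogon)
                if ($stamp -gt $newest) { $newest = $stamp }
            }
        }
        catch {
            $failed += $dc.HostName
        }
    }

    # An unreachable DC may hold the most recent logon, so the answer is not
    # definitive; report "not inactive" rather than act on partial data.
    if ($failed.Count -gt 0) {
        Write-Warning "No answer from: $($failed -join ', '); result is not definitive."
        return $false
    }

    # Accounts that never logged on anywhere keep MinValue and count as inactive.
    return ($newest -lt $cutoff)
}
```

Accounts that have never logged on are reported as inactive, so newly created accounts need a separate creation-date check before any cleanup action is taken.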