Skip To Content

Identify inactive domain accounts

For organizations with a large number of members that are maintained through Active Directory or Lightweight Directory Access Protocol (LDAP) identity stores, it can be difficult to identify which accounts are no longer active or no longer have matching domain users. ArcGIS Enterprise includes a Python script tool,, that scans all Active Directory and LDAP members and identifies the ones that are obsolete or no longer have domain accounts. If any users are found, the script generates a HTML report listing the users along with the number of items and groups owned by the user and the last login date.

This script is only intended to evaluate members from Active Directory or LDAP identity stores. This will not work with SAML or OpenID Connect members.

If an administrator wants to remove these members, any items or groups must be transferred first. To assist with this process, the script generates up to two .txt files. If needed, an AD_LDAP_Transfer.txt file is created that can be used with the TransferOwnership command line utility to transfer all items and groups to the administrator account used to run the script. An AD_LDAP_Delete.txt file is also created that can be used with the DeleteUsers command line utility to delete these users.

The script is in \tools\accountmanagement directory. Run the script from the command line using AD_LDAP_Users.bat, which is in the same directory. You have the option to specify one or more parameters when running the script. parameters

The following table describes parameters:



The fully qualified domain name of the machine where Portal for ArcGIS is installed (in other words, The default is the host name of the machine where the script is run.


The username of an administrator account.


The password of an administrator account.


The directory where the user scan report and corresponding .txt files will be saved. The default directory is the same folder where you run the script.


A token can be generated and used in place of the username and password. When generating a token, userScan should be input in the Webapp URL field. When a token is provided, it overrides any username or password that is provided.


Disable SSL certificate verification. If Python does not trust the issuer of the certificate used on port 7443, the script will fail to complete. If needed, this parameter can be specified to ignore all certificates.

-h or -?

Outputs a listing of the parameters that can be specified when running the script.

Example: python -n -u admin -p my.password -o C:\Temp

If the script is run without specifying parameters, you will be prompted to enter them manually or select the default value. If you want to use a token, it must be provided as a parameter when running the script.

If any members are identified, the script generates a report in HTML format that lists these members along with the number of items and groups owned by them and their last login date. A .txt file is also generated listing these usernames and a second .txt file is generated for any users who own items or groups. The .txt files are intended to be used with the other command line utilities to transfer items and delete the users.

By default, the report is saved in the same folder where you run the script and is named AD_LDAP_Users_Scan_Report_[hostname]_[date].html.

The .txt files are saved in the same folder as the HTML scan report and are named AD_LDAP_Transfer.txt and AD_LDAP_Delete.txt.