#140306 - 2005-05-25 09:34 PM
Re: Active Directory Query Question
|
Howard Bullock
KiX Supporter
   
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Try looking at my MachAcctPWage.exe from http://home.comcast.net/~habullock/Perlutilities.htm
You can also code this yourself in KiXtart if you desire. Let us know what you want to do.
|
#140307 - 2005-05-25 11:26 PM
Re: Active Directory Query Question
|
thepip3r
Hey THIS is FUN
   
Registered: 2005-03-02
Posts: 350
|
In the Perl script, aren't you just converting the time to seconds? Doesn't the value have to be in nanoseconds?
Code:
my $password_age = ${$user}{'password_age'}/60/60/24;
$password_age =~ s/\..*$//;
|
#140308 - 2005-05-25 11:31 PM
Re: Active Directory Query Question
|
thepip3r
Hey THIS is FUN
   
Registered: 2005-03-02
Posts: 350
|
Also, can you tell me why this:
Code:
$nanoDays = 1000000000 * 60
outputs: -129542144 ????
|
#140309 - 2005-05-25 11:45 PM
Re: Active Directory Query Question
|
Chris S.
MM club member
   
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
I converted Howard's script a long time ago. It is in the UDF library as CompAcctPswdAge().
|
#140310 - 2005-05-25 11:50 PM
Re: Active Directory Query Question
|
Chris S.
MM club member
   
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
In fact, I have a GUI version of it here.
|
#140313 - 2005-05-26 05:19 PM
Re: Active Directory Query Question
|
Chris S.
MM club member
   
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
Here is an example of a query using fnLDAPQuery(). This also requires Bryce's ADD() and FlipcTime() UDFs.
Code:
Break On
Call "fnADD.kix"
Call "fnFlipcTime.kix"
Call "fnLDAPQuery.kix"

; Cutoff date: shift the FlipcTime() result by 11644473600 (the 1601-to-1970 offset in seconds),
; then append seven zeros to express it in 100-nanosecond intervals, the unit of pwdLastSet.
$Date = "2005/1/22"
$Time = "00:00:00"
$sDate=""+FlipcTime($Date,$Time,-4)
$sDate=Add('11644473600',$sDate)+"0000000"

$sWhat = "Name","ADsPath"
;$sFrom = "LDAP://"+GetObject("LDAP://rootDSE").Get("defaultNamingContext")
$sFrom = "LDAP://OU=Remote,OU=Accounts,DC=your,DC=domain,DC=com"

; Search for users who are not disabled and w/o the "NoExpirey" flag set and have not changed their pwd by a certain date.
$sFilter = "(&(objectCategory=person)(objectClass=user)(pwdLastSet<="+$sDate+")"+
           "(!userAccountControl:1.2.840.113556.1.4.803:=2)"+
           "(!userAccountControl:1.2.840.113556.1.4.803:=65536))"
$sScope = "subtree"

$aResults = fnLDAPQuery($sWhat,$sFrom,$sFilter,"Name",$sScope)
@ERROR " : " @SERROR ?

For Each $Result in $aResults
  If VarType($Result)>8192
    For Each $R in $Result
      $R ?
    Next
  Else
    $Result ?
  EndIf
Next

? UBound($aResults)
?

Get $
|
#140314 - 2005-05-26 05:21 PM
Re: Active Directory Query Question
|
thepip3r
Hey THIS is FUN
   
Registered: 2005-03-02
Posts: 350
|
Ok, I'm using fnADQuery() and have gotten the function to work using this:
Code:
$aWhat = "Name", "ADSPath"
$sFrom = "LDAP://OU=IT,DC=microsoft,DC=com"
$sWhere = "objectClass = 'Computer' AND Name = 'C*'"
$sOrderBy = "Order By Name"

$aResults = fnADQuery($aWhat,$sFrom,$sWhere,$sOrderBy)
@ERROR " | " @SERROR ?

$numResults = ubound($aResults)
? $numResults

For Each $Result in $aResults
  If VarType($Result)>8192
    For Each $R in $Result
      $R ?
    Next
  Else
    $Result ?
  Endif
Next

Sleep 5
Now the UDF states that to query for an extra attribute, all you have to do is add it to the $WHAT variable. I tried adding "lastlogontimestamp" but it returned an error. The example value "Name" pulls up the computer name and the other example value "ADSPath" brings up the distinguished name. Is there a listing somewhere I can look at to know what word will give me lastlogontimestamp???
Edited by thepip3r (2005-05-26 05:24 PM)
|
#140315 - 2005-05-26 05:45 PM
Re: Active Directory Query Question
|
Kdyer
KiX Supporter
   
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
|
#140317 - 2005-05-26 06:38 PM
Re: Active Directory Query Question
|
Chris S.
MM club member
   
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
|
#140321 - 2005-05-26 07:01 PM
Re: Active Directory Query Question
|
Chris S.
MM club member
   
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
But...here is the kicker. Computers don't log on to the network, users do. You have to use the pwdLastSet property. Here is a better example for computer accounts...
Code:
Break On
Call "fnADD.kix"
Call "fnFlipcTime.kix"
Call "fnLDAPQuery.kix"

; Cutoff date: shift the FlipcTime() result by 11644473600 (the 1601-to-1970 offset in seconds),
; then append seven zeros to express it in 100-nanosecond intervals, the unit of pwdLastSet.
$Date = "2005/4/11"
$Time = "00:00:00"
$sDate=""+FlipcTime($Date,$Time,-4)
$sDate=Add('11644473600',$sDate)+"0000000"

$sWhat = "Name","ADsPath"
$sFrom = "LDAP://"+GetObject("LDAP://rootDSE").Get("defaultNamingContext")
$sFilter = "(&(objectClass=computer)(pwdLastSet<="+$sDate+"))"
$sScope = "subtree"

$aResults = fnLDAPQuery($sWhat,$sFrom,$sFilter,"Name",$sScope)
@ERROR " : " @SERROR ?

For Each $Result in $aResults
  If VarType($Result)>8192
    For Each $R in $Result
      $R ?
    Next
  Else
    $Result ?
  EndIf
Next

? UBound($aResults)
?

Get $
Edited by Chris S. (2005-05-26 07:09 PM)
|
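The date arithmetic behind the pwdLastSet filters in the two scripts above, as an added example in Python that is not code from any poster in this thread. It assumes the -4 passed to FlipcTime() is the local UTC offset in hours, and all function names are hypothetical. It also reproduces the -129542144 asked about earlier: that is what 1000000000 * 60 becomes when reduced to a signed 32-bit integer, and the cutoff values used here are far larger still.

```python
from datetime import datetime, timedelta, timezone

# Seconds from 1601-01-01 (FILETIME epoch) to 1970-01-01 (Unix epoch); the
# same constant the thread's scripts pass to Add().
EPOCH_DELTA_SECONDS = 11644473600
TICKS_PER_SECOND = 10_000_000  # pwdLastSet counts 100-nanosecond intervals
UAC_BIT_AND = "1.2.840.113556.1.4.803"  # bitwise-AND matching rule OID
ACCOUNTDISABLE, DONT_EXPIRE_PASSWD = 2, 65536  # userAccountControl flags


def to_filetime(local_dt, utc_offset_hours):
    """Local wall-clock time -> FILETIME ticks (UTC).

    Assumption: the -4 in the thread's FlipcTime() call is a UTC offset in hours.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    unix_seconds = int(local_dt.replace(tzinfo=tz).timestamp())
    return (unix_seconds + EPOCH_DELTA_SECONDS) * TICKS_PER_SECOND


def from_filetime(ticks):
    """FILETIME ticks -> aware UTC datetime, for reading values a query returns."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def wrap_int32(value):
    """Reduce a value the way signed 32-bit integer arithmetic does."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def stale_filter(class_clauses, cutoff_ticks, excluded_uac_bits=()):
    """Filter for objects whose password was last set at or before the cutoff."""
    parts = [f"({c})" for c in class_clauses]
    parts.append(f"(pwdLastSet<={cutoff_ticks})")
    # RFC 4515 form of NOT: the negated test carries its own parentheses.
    parts += [f"(!(userAccountControl:{UAC_BIT_AND}:={bit}))" for bit in excluded_uac_bits]
    return "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    cutoff = to_filetime(datetime(2005, 4, 11), -4)  # date from the computer script
    print(cutoff, from_filetime(cutoff).isoformat())
    print(stale_filter(["objectClass=computer"], cutoff))
    print(stale_filter(["objectCategory=person", "objectClass=user"], cutoff,
                       (ACCOUNTDISABLE, DONT_EXPIRE_PASSWD)))
    print(wrap_int32(1000000000 * 60))  # -129542144
```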
#140322 - 2005-05-26 07:50 PM
Re: Active Directory Query Question
|
Howard Bullock
KiX Supporter
   
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Be very cautious in using lastlogon. This value is unique on each domain controller. It is not replicated. You will have to check every DC then find the highest value to get the true lastlogon value.
See this link near the bottom for confirmation of my statement.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_lastlogon.asp
|
#140323 - 2005-05-26 08:29 PM
Re: Active Directory Query Question
|
thepip3r
Hey THIS is FUN
   
Registered: 2005-03-02
Posts: 350
|
Yes, but that's why I wanted to use lastlogontimestamp because it is replicated across the DCs so it doesn't matter which one you query...
|