#28554 - 2002-09-07 06:25 PM
Re: Old computer/user accounts in an NT4 domain.
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Check out my MachAcctPWage.exe for computer accounts.
You should know if a user is active or not. You can check the password age of a user account as well, but test and service accounts that may not be required to change their password will cause you some issues.
{edit} Check out ADSI for: lastLogon (Non-replicated). The lastLogon property specifies when the last logon occurred. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1970. This property is maintained separately on each domain controller in the domain. A value of zero means that the last logon time is unknown. To get an accurate value for the user's last logon in the domain, each domain controller in the domain must be queried and the largest value should be used. [ 07. September 2002, 18:46: Message edited by: Howard Bullock ]
#28556 - 2002-09-07 07:45 PM
Re: Old computer/user accounts in an NT4 domain.
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Glad you liked it. Let me know if you find any of the other programs useful.
The BDCs should report the same results since machine accounts are replicated. The use of the \\BDC was to increase performance for those where the PDC was across a slow WAN link.
#28558 - 2002-09-08 02:52 PM
Re: Old computer/user accounts in an NT4 domain.
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
I could also do user accounts, but as I stated earlier the password policy is less consistent with user accounts. Some accounts may never be forced to change the password and would show a very old password age.
Since I wanted to create a utility that DELETED old accounts, I thought it wiser to exclude users because improperly deleting an active user is more problematic than deleting a computer account, and I didn't want to contribute to causing problems. If you would find it helpful, the program could list users' password ages, but I would not want to delete based on that result.
#28559 - 2002-09-08 03:21 PM
Re: Old computer/user accounts in an NT4 domain.
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
The best solution for user accounts would be to use the non-replicated lastLogon property and query all domain controllers. This would be a network intensive operation. Would you want to try that? I could incorporate that functionality in a couple days.
#28561 - 2002-09-08 04:04 PM
Re: Old computer/user accounts in an NT4 domain.
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
#28562 - 2002-09-08 11:30 PM
Re: Old computer/user accounts in an NT4 domain.
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Vig, I am currently testing a "LastLogon" program for user accounts. Since the LastLogin property has to be checked for each account on each domain controller, this process is very network intensive and time consuming for large domains in a WAN environment.
I am considering a few short cuts to shorten the process:
- Check the PW age from the PDC and make a list of only those accounts that fail some PW age test.
- Process this list of accounts on all other DCs instead of processing ALL accounts.
This way it might be possible to exclude the bulk of active accounts that are within the password age policy. Your thoughts? [ 08. September 2002, 23:31: Message edited by: Howard Bullock ]
#28563 - 2002-09-09 04:57 AM
Re: Old computer/user accounts in an NT4 domain.
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Another issue that needs to be dealt with when looking at the LastLogin property is that an account can be used like "net use D: \\server\share password /user:domain\account" and not have been used to log on interactively via a logon dialog box since it was used for the initial process testing. When used in this fashion, the account is indeed active but the LastLogin property is not updated. So if there are no account policies forcing periodic password changes, or the account is never required to change the password, the LastLogin property is of little value. [ 09. September 2002, 04:57: Message edited by: Howard Bullock ]
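As an added illustration (not code from this thread or from Howard's LASTLOGON utility), here is the account-audit logic the posts above describe, in Python: merge the non-replicated lastLogon values by taking the largest and treating zero as unknown, run the expensive per-DC sweep only for accounts that fail the PDC password-age test, and send accounts whose password never expires or that show no logon anywhere to manual review instead of a delete routine. The DC names, timestamps and sample accounts are constructed; the userFlags bit values are the ADSI WinNT provider's, but the staleness thresholds are assumed.

```python
from dataclasses import dataclass, field

# userFlags bits as exposed by the ADSI WinNT provider
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
DAY = 86400

@dataclass
class Account:
    name: str
    flags: int
    pw_age: int  # seconds since the last password change, read once from the PDC
    # lastLogon as reported by each DC, in seconds since 1970-01-01; 0 means unknown on that DC
    last_logon: dict = field(default_factory=dict)

def effective_last_logon(per_dc):
    """lastLogon is not replicated, so the real value is the largest any DC holds."""
    return max(per_dc.values(), default=0)

def needs_dc_sweep(acct, max_pw_age_days):
    """Phase 1: only accounts outside the password-age policy get the per-DC query."""
    return acct.pw_age > max_pw_age_days * DAY

def classify(acct, now, max_pw_age_days=90, stale_days=90):
    if acct.flags & UF_ACCOUNTDISABLE:
        return "disabled"
    if not needs_dc_sweep(acct, max_pw_age_days):
        return "active"  # changed its password within policy: somebody is using it
    last = effective_last_logon(acct.last_logon)  # phase 2: merge every DC's answer
    if acct.flags & UF_DONT_EXPIRE_PASSWD or last == 0:
        # no forced password change, or never seen logging on (e.g. used only via
        # "net use"): lastLogon proves nothing, so route to a human, not a delete routine
        return "review"
    return "stale" if now - last > stale_days * DAY else "active"

# constructed sample (three DCs stand in for Howard's twelve); NOW is 2002-09-09 00:00 UTC
NOW = 1031529600
SAMPLE = [
    Account("alice", 0, 20 * DAY),
    Account("bob", 0, 120 * DAY, {"PDC": 0, "BDC001": NOW - 5 * DAY, "BDC003": NOW - 200 * DAY}),
    Account("carol", 0, 120 * DAY, {"PDC": 0, "BDC001": 0, "BDC003": 0}),
    Account("dave", 0, 120 * DAY, {"PDC": NOW - 150 * DAY, "BDC001": NOW - 160 * DAY}),
    Account("svc_backup", UF_DONT_EXPIRE_PASSWD, 400 * DAY, {"PDC": NOW - 300 * DAY}),
    Account("old_temp", UF_ACCOUNTDISABLE, 400 * DAY),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a.name:12} sweep={needs_dc_sweep(a, 90)!s:5} verdict={classify(a, NOW)}")
```

Only the accounts flagged by the PDC pass (bob, carol, dave, svc_backup, old_temp) would be enumerated on the remaining DCs; alice is excluded before any WAN traffic.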
#28565 - 2002-09-09 05:06 AM
Re: Old computer/user accounts in an NT4 domain.
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
I have been playing with Exchange mail box properties and security lately but have not seen any property that records a last accessed date.
#28566 - 2002-09-09 05:14 AM
Re: Old computer/user accounts in an NT4 domain.
Vig
Starting to like KiXtart
Registered: 2001-11-14
Posts: 166
Loc: Saudi Arabia
I managed to find this Q article, but have not taken the time to (attempt to) port it to KiXtart (if it's possible).
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q259570&
#28568 - 2002-09-10 12:25 AM
Re: Old computer/user accounts in an NT4 domain.
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
NTDOC, I turned in at 11 PM eastern. My laptop and bbChecker II run almost 24x7. I would be happy to further discuss/develop this issue with you. Don't see any emails so far...
{edit} quote:
Utility: LASTLOGON
Written by: Howard A. Bullock (habullock@comcast.net)
Copyright 2002
LogFile = .\logs\LASTLOGON.log
2002.09.08_16.43.33 \\BDC005: Enumerating (1 of 12 DCs)
2002.09.08_17.04.16 \\BDC005: (18171 Accounts) Completed.
2002.09.08_17.04.16 \\BDC001: Enumerating (2 of 12 DCs)
2002.09.09_02.28.54 \\BDC001: (18171 Accounts) Completed.
2002.09.09_02.28.54 \\BDC003: Enumerating (3 of 12 DCs)
2002.09.09_06.47.06 \\BDC003: (18171 Accounts) Completed.
2002.09.09_06.47.06 \\BDC004: Enumerating (4 of 12 DCs)
\\BDC004: 2160 accounts processed
[ 09. September 2002, 14:00: Message edited by: Howard Bullock ]
#28569 - 2002-09-18 12:19 AM
Re: Old computer/user accounts in an NT4 domain.
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11628
Loc: CA
VIG and Howard,
Have either of you looked at the tools here? http://www.optimumx.com/Download/
They seem to have the tools to do the cleanup I had in mind. What do you guys think?
Howard, I sent you email to: hbullock@tycoelectronics.com
#28570 - 2002-09-18 12:57 AM
Re: Old computer/user accounts in an NT4 domain.
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Replied to email. I would prefer to build my own tools like those at my web site. I can customize them to my heart's content.
#28571 - 2002-09-18 01:11 AM
Re: Old computer/user accounts in an NT4 domain.
Chris S.
MM club member
Registered: 2002-03-18
Posts: 2368
Loc: Earth
I have two ADSI scripts (written in KiX, of course) that I use to 'clean up' expired workstations and user accounts.
CompAcctPswdAge() is my port of Howard's MachAcctPWAge Perl script. I usually run it to generate a list of machines with the password expired, and then go over it to make sure that there isn't anything in the list that shouldn't be there. For example, we have a couple of CD towers that, for some reason, show up expired on Howard's and my script.
I had another ADSI script on the board that checked user accounts' maxpasswordage vs. their passwordage while also checking certain flags like 'DONTEXPIREPASSWD' and 'ACCOUNTDISABLED', but I'll be danged if I can find it. I can repost it if you're interested.
#28572 - 2002-09-18 01:32 AM
Re: Old computer/user accounts in an NT4 domain.
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Chris, if you had servers show up with 90 day old passwords that were still active, I would have to look closely at the situation. That doesn't make sense. Anyway, server and workstation computer accounts look the same from the SAM perspective.