Vig
(Starting to like KiXtart)
2002-09-07 05:21 PM
Old computer/user accounts in an NT4 domain.

Is there any way to find out the last time a user logged into the domain or the last time a computer connected to the domain? It's time to do some house cleaning.

Howard Bullock
(KiX Supporter)
2002-09-07 06:25 PM
Re: Old computer/user accounts in an NT4 domain.

Check out my MachAcctPWage.exe for computer accounts.

You should know if a user is active or not. You can check password age of a user account as well, but test and service accounts that may not be required to change their password will cause you some issue.

{edit}
Check out ADSI for:
lastLogon (Non-replicated)
The lastLogon property specifies when the last logon occurred. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1970. This property is maintained separately on each domain controller in the domain. A value of zero means that the last logon time is unknown. To get an accurate value for the user's last logon in the domain, each domain controller in the domain must be queried and the largest value should be used.

[ 07. September 2002, 18:46: Message edited by: Howard Bullock ]


Vig
(Starting to like KiXtart)
2002-09-07 07:35 PM
Re: Old computer/user accounts in an NT4 domain.

Just what I was looking for thanks.

WoW! 711 computers with a password age over 90 days. Hmm, will have to check BDCs too.

Thanks


Howard Bullock
(KiX Supporter)
2002-09-07 07:45 PM
Re: Old computer/user accounts in an NT4 domain.

Glad you liked it. [Smile] Let me know if you find any of the other programs useful.

The BDCs should report the same results since machine accounts are replicated. The use of the \\BDC was to increase performance for those where the PDC was across a slow WAN link.


Vig
(Starting to like KiXtart)
2002-09-08 06:46 AM
Re: Old computer/user accounts in an NT4 domain.

I asked on the ARS forum and got a good vbs script example and another program that can do both computers and user accounts.

http://www.myitforum.com/articles/11/view.asp?id=436

http://optimumx.com/download/#NetPWAge


Howard Bullock
(KiX Supporter)
2002-09-08 02:52 PM
Re: Old computer/user accounts in an NT4 domain.

I could also do user accounts, but as I stated earlier the password policy is less consistent with user accounts. Some accounts may never be forced to change the password and would show a very old password age.

Since I wanted to create a utility that DELETED old accounts, I thought it wiser to exclude users because improperly deleting an active user is more problematic than deleting a computer account and I didn't want to contribute to causing problems. If you would find it helpful, the program could list users password ages but I would not want to delete based on that result.


Howard Bullock
(KiX Supporter)
2002-09-08 03:21 PM
Re: Old computer/user accounts in an NT4 domain.

The best solution for user accounts would be to use the non-replicated lastLogon property and query all domain controllers. This would be a network intensive operation. Would you want to try that? I could incorporate that functionality in a couple days.

Sealeopard
(KiX Master)
2002-09-08 04:03 PM
Re: Old computer/user accounts in an NT4 domain.

You could also put non-expiring user accounts like service accounts into a special group in order to indicate their special status. You can then check group memberships with ADSI to determine whether it's a regular user account or a special one.

[ 08. September 2002, 16:03: Message edited by: sealeopard ]


Howard Bullock
(KiX Supporter)
2002-09-08 04:04 PM
Re: Old computer/user accounts in an NT4 domain.

Good suggestion.

Howard Bullock
(KiX Supporter)
2002-09-08 11:30 PM
Re: Old computer/user accounts in an NT4 domain.

Vig, I am currently testing a "LastLogon" program for user accounts. Since the LastLogin property has to be checked for each account on each domain controller this process is very network intensive and time consuming for large domains in a WAN environment.

I am considering a few short cuts to shorten the process.
  • Check the PW age from the PDC and make a list of only those accounts that fail some PW age test.
  • Process this list of accounts on all other DCs instead of processing ALL accounts.
This way it might be possible to exclude the bulk of active accounts that are within the password age policy.
Your thoughts?

[ 08. September 2002, 23:31: Message edited by: Howard Bullock ]


Howard Bullock
(KiX Supporter)
2002-09-09 04:57 AM
Re: Old computer/user accounts in an NT4 domain.

Another issue that needs to be dealt with when looking at the LastLogin property is that an account can be used like "net use D: \\server\share password /user:domain\account" and not have been used to logon interactively via a logon dialog box since it was used for the initial process testing. When used in this fashion, the account is indeed active but the LastLogin property is not updated. So if there are no account policies forcing periodic password changes or the account never is required to change the password, the LastLogin property is of little value.

[ 09. September 2002, 04:57: Message edited by: Howard Bullock ]


Vig
(Starting to like KiXtart)
2002-09-09 05:02 AM
Re: Old computer/user accounts in an NT4 domain.

That sounds like a great idea Howard, thanks for doing this.

Since we're on the subject of last logon, you wouldn't happen to know of a utility (or script) that can check the last time a user accessed their Exchange 5.5 mailbox, would you?

Thanks.

Edit: Looks like you posted while I was writing the above post. I personally am not worried about accounts that would be affected by not actually logging on. If I run the domain, I should know of any accounts being used this way. If there are accounts out there being used this way I think I would rather delete them because I want the user to use their assigned rights not the rights of another account.

[ 09. September 2002, 05:09: Message edited by: Vig ]


Howard Bullock
(KiX Supporter)
2002-09-09 05:06 AM
Re: Old computer/user accounts in an NT4 domain.

I have been playing with Exchange mail box properties and security lately but have not seen any property that records a last accessed date.

Vig
(Starting to like KiXtart)
2002-09-09 05:14 AM
Re: Old computer/user accounts in an NT4 domain.

I managed to find this Q article, but have not taken the time to (attempt to) port it to kixtart (if it's possible).

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q259570&


NTDOCAdministrator
(KiX Master)
2002-09-09 08:53 AM
Re: Old computer/user accounts in an NT4 domain.

Howard,

Your scenario about a user doing NET USE * etc.. could probably be tracked through the logs if auditing was turned on.

I'm actually interested in this thread and have some VB code that does not compile correctly; I was trying to port it to KiX and see if I have any better luck.

Let me email you or check further what I have at work. I'm at home getting about ready to turn in now.

ps. If you're in PA it should be about 03:00 in the morning there, what are you doing up? You work a swing shift/late shift?

[ 09. September 2002, 08:55: Message edited by: NTDOC ]


Howard Bullock
(KiX Supporter)
2002-09-10 12:25 AM
Re: Old computer/user accounts in an NT4 domain.

NTDOC, I turned in at 11 PM eastern. My laptop and bbChecker II run almost 24x7. I would be happy to further discuss/develop this issue with you. Don't see any emails so far...

{edit}
quote:
Utility: LASTLOGON
Written by: Howard A. Bullock (habullock@comcast.net)

Copyright 2002

LogFile = .\logs\LASTLOGON.log

2002.09.08_16.43.33 \\BDC005: Enumerating (1 of 12 DCs)
2002.09.08_17.04.16 \\BDC005: (18171 Accounts) Completed.
2002.09.08_17.04.16 \\BDC001: Enumerating (2 of 12 DCs)
2002.09.09_02.28.54 \\BDC001: (18171 Accounts) Completed.
2002.09.09_02.28.54 \\BDC003: Enumerating (3 of 12 DCs)
2002.09.09_06.47.06 \\BDC003: (18171 Accounts) Completed.
2002.09.09_06.47.06 \\BDC004: Enumerating (4 of 12 DCs)
\\BDC004: 2160 accounts processed



[ 09. September 2002, 14:00: Message edited by: Howard Bullock ]


NTDOCAdministrator
(KiX Master)
2002-09-18 12:19 AM
Re: Old computer/user accounts in an NT4 domain.

VIG and Howard,

Have either of you looked at the tools here?
http://www.optimumx.com/Download/

They seem to have the tools to do the cleanup I had in mind. What do you guys think?

Howard, I sent you email to: hbullock@tycoelectronics.com


Howard Bullock
(KiX Supporter)
2002-09-18 12:57 AM
Re: Old computer/user accounts in an NT4 domain.

Replied to email. I would prefer to build my own tools like those at my web site. I can customize them to my heart's content.

Chris S.
(MM club member)
2002-09-18 01:11 AM
Re: Old computer/user accounts in an NT4 domain.

I have two ADSI scripts (written in KiX, of course) that I use to 'clean up' expired workstations and user accounts.

CompAcctPswdAge() is my port of Howard's MachAcctPWAge Perl script. I usually run it to generate a list of machines with the password expired, and then go over it to make sure that there isn't anything in the list that shouldn't be there. For example, we have a couple of CD towers that, for some reason, show up expired on Howard's and my script.

I had another ADSI script on the board that checked user accounts maxpasswordage vs. their passwordage while also checking certain flags like 'DONTEXPIREPASSWD' and 'ACCOUNTDISABLED,' but I'll be danged if I can find it. I can repost it if you're interested.


Howard Bullock
(KiX Supporter)
2002-09-18 01:32 AM
Re: Old computer/user accounts in an NT4 domain.

Chris, if you had servers show up with 90 day old passwords that were still active, I would have to look closely at the situation. That doesn't make sense. Anyway, server and workstation computer accounts look the same from the SAM perspective.

Chris S.
(MM club member)
2002-09-18 01:36 AM
Re: Old computer/user accounts in an NT4 domain.

Howard, those CD towers are a special case and frankly, I can't remember why they show up like that. I got an answer once as to why, but I'm too tired and have too much of a headache right now to remember it. If I think of it tomorrow I'll ask again and tell you why. It isn't a fault of your (or my, for that matter) code.

NTDOCAdministrator
(KiX Master)
2002-09-18 01:50 AM
Re: Old computer/user accounts in an NT4 domain.

Howard and Chris,

I'm sorry, but I was not thinking correctly about this for our case. The Password Age alone would not be a good check. We have too many accounts that have NEVER EXPIRE set on them. I would need to use the LAST LOGON, which is stored on the PDC and each BDC, to make a determination of what to do with the user account. I could use the Password Age for the machine account though.

[ 18. September 2002, 01:51: Message edited by: NTDOC ]


Howard Bullock
(KiX Supporter)
2002-09-18 01:56 AM
Re: Old computer/user accounts in an NT4 domain.

NTDOC you have mail.

Chris S.
(MM club member)
2002-09-18 02:10 AM
Re: Old computer/user accounts in an NT4 domain.

Not sure what Howard's reply is, but my script does check for accounts set to 'never expire.'

Anyway, here it is... (oh, and the AllFlags() is by NewMexicoMark)

code:
break on cls

;ADS UserFlags Typedef (hex values of the ADS_USER_FLAG_ENUM bits)
$ADS_UF_SCRIPT = &1
$ADS_UF_ACCOUNTDISABLE = &2
$ADS_UF_HOMEDIR_REQUIRED = &8
$ADS_UF_LOCKOUT = &10
$ADS_UF_PASSWD_NOTREQD = &20
$ADS_UF_PASSWD_CANT_CHANGE = &40
$ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &80
$ADS_UF_TEMP_DUPLICATE_ACCOUNT = &100
$ADS_UF_NORMAL_ACCOUNT = &200
$ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = &800
$ADS_UF_WORKSTATION_TRUST_ACCOUNT = &1000
$ADS_UF_SERVER_TRUST_ACCOUNT = &2000
$ADS_UF_DONTEXPIREPASSWD = &10000
$ADS_UF_MNS_LOGON_ACCOUNT = &20000
$ADS_UF_SMARTCARD_REQUIRED = &40000
$ADS_UF_TRUSTED_FOR_DELEGATION = &80000
$ADS_UF_NOT_DELEGATED = &100000

;write the report next to the script (@scriptdir has no trailing backslash)
$nul=redirectoutput(@scriptdir+"\expiredaccounts.txt",1)
;enumerate only the user objects of the domain through the WinNT provider
$user=getobject("WinNT://@domain")
$user.filter="User",""
for each $u in $user
  $objUser=getobject("WinNT://@domain/"+$u.name)
  ;ADSI reports both ages in seconds, convert to days
  $MaxAge=$objUser.MaxPasswordAge/86400
  $PsdAge=$objUser.PasswordAge/86400
  if $MaxAge <= $PsdAge
    $UserFlags = $objUser.Get("UserFlags")
    ;skip accounts whose password never expires (age is meaningless there)
    ;and accounts that are already disabled; both tests must pass (AND)
    if AllFlags($UserFlags, $ADS_UF_DONTEXPIREPASSWD)=0 and AllFlags($UserFlags, $ADS_UF_ACCOUNTDISABLE)=0
      ? $objUser.name " " ($MaxAge - $PsdAge) " " $objUser.LastLogin
    endif
  endif
next

;returns 1 when every bit of $iTst is set in $iNum, otherwise 0
FUNCTION AllFlags($iNum, $iTst)
  $iNum=Val($iNum) $iTst=Val($iTst)
  IF $iTst=0 $AllFlags=0 EXIT ENDIF
  $AllFlags=(($iNum & $iTst)=$iTst)
ENDFUNCTION

I ran this code versus a report from Hyena and it matched it user by user.
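As an added example that is not from the thread or from any poster's tools, the two-stage approach Howard sketched (password age on the PDC first, the non-replicated lastLogon on every DC only for the accounts that fail that test, taking the largest value and treating zero as unknown) combined with the UserFlags tests from Chris's script, written in Python over a constructed account snapshot; the DC names, account names and timestamps are all made up:

```python
# Added example (not from the thread): two-stage stale-account check, PDC
# password age first, lastLogon on every DC for the shortlist; data is constructed.
ADS_UF_ACCOUNTDISABLE = 0x2
ADS_UF_DONTEXPIREPASSWD = 0x10000
DAY = 86400
NOW = 1031443200  # 2002-09-08 00:00 UTC as seconds since 1970 (constructed)

def effective_last_logon(per_dc):
    """lastLogon lives separately on each DC: the true value is the largest
    one seen. 0 means unknown on that DC, so all-zero stays 0."""
    return max(per_dc.values(), default=0)

def stale_candidates(accounts, dc_logons, now, max_pw_age_days=90, max_idle_days=90):
    """Return (account, reason) pairs to review by hand before any deletion.
    accounts: name -> {"pw_age": seconds, "flags": UserFlags bitmask}
    dc_logons: name -> {dc: lastLogon seconds}, one entry per DC queried."""
    out = []
    for name, acct in accounts.items():
        flags = acct["flags"]
        if flags & ADS_UF_ACCOUNTDISABLE:
            continue  # already disabled, nothing to decide
        never_expires = bool(flags & ADS_UF_DONTEXPIREPASSWD)
        pw_expired = acct["pw_age"] // DAY >= max_pw_age_days
        # Stage 1 (PDC only): a fresh password proves the account is in use,
        # unless the password never expires, where its age proves nothing.
        if not pw_expired and not never_expires:
            continue
        # Stage 2 (every DC): the slow path runs only for the shortlist.
        last = effective_last_logon(dc_logons.get(name, {}))
        if last == 0:
            out.append((name, "no lastLogon on any DC (used via net use only?)"))
        elif (now - last) // DAY >= max_idle_days:
            out.append((name, "stale"))
    return out

# Constructed snapshot: two DCs, regular users, service accounts, one disabled.
ACCOUNTS = {
    "alice":      {"pw_age": 10 * DAY,  "flags": 0x200},
    "bob":        {"pw_age": 120 * DAY, "flags": 0x200},
    "carol":      {"pw_age": 200 * DAY, "flags": 0x200},
    "svc_backup": {"pw_age": 700 * DAY, "flags": 0x200 | ADS_UF_DONTEXPIREPASSWD},
    "svc_old":    {"pw_age": 900 * DAY, "flags": 0x200 | ADS_UF_DONTEXPIREPASSWD},
    "dave":       {"pw_age": 500 * DAY, "flags": 0x200 | ADS_UF_ACCOUNTDISABLE},
}
DC_LOGONS = {
    "bob":        {"PDC": NOW - 5 * DAY, "BDC001": 0},
    "carol":      {"PDC": 0,             "BDC001": NOW - 400 * DAY},
    "svc_backup": {"PDC": NOW - 1 * DAY, "BDC001": 0},
    "svc_old":    {"PDC": 0,             "BDC001": 0},
}
```

Only accounts that fail the cheap PDC test, or whose password never expires, reach the per-DC query; the output is a review list, not a delete list.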


Howard Bullock
(KiX Supporter)
2002-09-18 02:32 AM
Re: Old computer/user accounts in an NT4 domain.

Chris, I don't doubt the script works. I was just having an off-line discussion about my tools and his current project.

He may be able to just use your code.


Chris S.
(MM club member)
2002-09-18 02:40 AM
Re: Old computer/user accounts in an NT4 domain.

Oh, I'm not upset or anything if that is what you got out of my last post. [Smile] I was just posting the code that I was talking about earlier. And, I wanted to point out to Doc that it did check the 'never expire' flag.

NTDOCAdministrator
(KiX Master)
2002-09-18 03:23 AM
Re: Old computer/user accounts in an NT4 domain.

Chris,

Your code runs okay. I would need to build in some other checks and would eventually actually have it read a file and do a while loop on the file after I verified the accounts I was sure I wanted deleted.

We have some systems also that may escape this simple checking.

Bottom line I would not trust any automated script to do deletes before I physically verified the list. Then I'd have it read back into the script and do the deletes.


Chris S.
(MM club member)
2002-09-18 04:22 AM
Re: Old computer/user accounts in an NT4 domain.

That's exactly what I do. [Smile] I usually pull the info out in a tab-delimited text file, copy it into Excel real fast and go over the results. When I'm ready to script the 'deletions' I pipe in the user or computer names into another 'deletion' script.

Howard Bullock
(KiX Supporter)
2002-09-18 04:43 AM
Re: Old computer/user accounts in an NT4 domain.

I found that there is seldom a mistake (never to date) using the password age in our environment.

If there was one I'd use Netdom to have the computer rejoin the domain.

code:
NETDOM JOIN machine /Domain:domain [/OU:ou path] [/UserD:user]
[/PasswordD:[password | *]]
[/UserO:user] [/PasswordO:[password | *]]
[/REBoot[:Time in seconds]]

But in our domain architecture "real" servers (not to be confused with someone running NT server at their desk) are managed in their own domain where the data center admins would manage the domain closely. (I would hope)

[ 18. September 2002, 04:50: Message edited by: Howard Bullock ]


NTDOCAdministrator
(KiX Master)
2002-09-18 09:22 AM
Re: Old computer/user accounts in an NT4 domain.

Yeah, you can rejoin them, but in the meantime I would catch some crap from other Admin wannabes for removing valid machines in the first place.

Unfortunately we have run a Wild Wild West type of Admin on our systems for a long time. The AD is now much tighter, but our NT Domain is not that way.


Chris S.
(MM club member)
2002-09-18 06:13 PM
Re: Old computer/user accounts in an NT4 domain.

Howard, I asked again about those CD-ROM towers. They are linux boxes with a (reverse-engineered?) Samba client on them. They are in the SAM to provide access to our clients. Apparently, the Samba client neglects to update the computer account password. That's the answer I got. Hope that makes sense.

[ 18. September 2002, 21:41: Message edited by: Chris S. ]


Howard Bullock
(KiX Supporter)
2002-09-18 06:17 PM
Re: Old computer/user accounts in an NT4 domain.

Yes, that makes sense. I will have to put a disclaimer on the web site raising that possibility. Thanks for following up.

[ 18. September 2002, 18:17: Message edited by: Howard Bullock ]


MCA
(KiX Supporter)
2002-12-04 08:59 PM
Re: Old computer/user accounts in an NT4 domain.

Dear,

To get information on the last logon we are using something similar in our script logon.kix.
It creates dynamic lists based on @userid, @wksta and @ipaddressX.
greetings.

btw: the symbol on our homepage has been linked to the related http://kixtart.org topic.