#28573 - 2002-09-18 01:36 AM Re: Old computer/user accounts in an NT4 domain.
Chris S. Offline
MM club member
*****

Registered: 2002-03-18
Posts: 2368
Loc: Earth
Howard, those CD towers are a special case and frankly, I can't remember why they show up like that. I got an answer once as to why, but I'm too tired and have too much of a headache right now to remember it. If I think of it tomorrow I'll ask again and tell you why. It isn't a fault of your (or my, for that matter) code.
Top
#28574 - 2002-09-18 01:50 AM Re: Old computer/user accounts in an NT4 domain.
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Howard and Chris,

I'm sorry, but I was not thinking correctly about this for our case. The Password Age alone would not be a good check. We have too many accounts that have NEVER EXPIRE set on them. I would need to use the LAST LOGON, which is stored on the PDC and each BDC, to make a determination of what to do with the user account. I could use the Password Age for the machine account though.

[ 18. September 2002, 01:51: Message edited by: NTDOC ]

Top
#28575 - 2002-09-18 01:56 AM Re: Old computer/user accounts in an NT4 domain.
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
NTDOC you have mail.
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#28576 - 2002-09-18 02:10 AM Re: Old computer/user accounts in an NT4 domain.
Chris S. Offline
MM club member
*****

Registered: 2002-03-18
Posts: 2368
Loc: Earth
Not sure what Howard's reply is, but my script does check for accounts set to 'never expire.'

Anyway, here it is... (oh, and the AllFlags() is by NewMexicoMark)

code:
break on cls

;ADS UserFlags Typedef
$ADS_UF_SCRIPT = &1
$ADS_UF_ACCOUNTDISABLE = &2
$ADS_UF_HOMEDIR_REQUIRED = &8
$ADS_UF_LOCKOUT = &10
$ADS_UF_PASSWD_NOTREQD = &20
$ADS_UF_PASSWD_CANT_CHANGE = &40
$ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &80
$ADS_UF_TEMP_DUPLICATE_ACCOUNT = &100
$ADS_UF_NORMAL_ACCOUNT = &200
$ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = &800
$ADS_UF_WORKSTATION_TRUST_ACCOUNT = &1000
$ADS_UF_SERVER_TRUST_ACCOUNT = &2000
$ADS_UF_DONTEXPIREPASSWD = &10000
$ADS_UF_MNS_LOGON_ACCOUNT = &20000
$ADS_UF_SMARTCARD_REQUIRED = &40000
$ADS_UF_TRUSTED_FOR_DELEGATION = &80000
$ADS_UF_NOT_DELEGATED = &100000

; Write the report next to the script (@scriptdir has no trailing backslash)
$nul=redirectoutput(@scriptdir+"\expiredaccounts.txt",1)
$user=getobject("WinNT://@domain")
$user.filter="User",""
for each $u in $user
  $objUser=getobject("WinNT://@domain/"+$u.name)
  ; Both ages are returned in seconds; convert to days
  $MaxAge=$objUser.MaxPasswordAge/86400
  $PsdAge=$objUser.PasswordAge/86400
  if $MaxAge <= $PsdAge
    $UserFlags = $objUser.Get("UserFlags")
    ; Report only accounts that are neither 'never expire' nor disabled
    if AllFlags($UserFlags, $ADS_UF_DONTEXPIREPASSWD)=0 and AllFlags($UserFlags, $ADS_UF_ACCOUNTDISABLE)=0
      ? $objUser.name " " $maxage - $psdage " " $objUser.LastLogin
    endif
  endif
next

; Returns 1 when every bit in $iTst is set in $iNum, otherwise 0
FUNCTION AllFlags($iNum, $iTst)
  $iNum=Val($iNum) $iTst=Val($iTst)
  IF $iTst=0 $AllFlags=0 EXIT ENDIF
  $AllFlags=(($iNum & $iTst)=$iTst)
ENDFUNCTION

I ran this code versus a report from Hyena and it matched it user by user.

Top
#28577 - 2002-09-18 02:32 AM Re: Old computer/user accounts in an NT4 domain.
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Chris, I don't doubt the script works. I was just having an off-line discussion about my tools and his current project.

He may be able to just use your code.
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#28578 - 2002-09-18 02:40 AM Re: Old computer/user accounts in an NT4 domain.
Chris S. Offline
MM club member
*****

Registered: 2002-03-18
Posts: 2368
Loc: Earth
Oh, I'm not upset or anything if that is what you got out of my last post. [Smile] I was just posting the code that I was talking about earlier. And, I wanted to point out to Doc that it did check the 'never expire' flag.
Top
#28579 - 2002-09-18 03:23 AM Re: Old computer/user accounts in an NT4 domain.
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Chris,

Your code runs okay. I would need to build in some other checks and would eventually actually have it read a file and do a while loop on the file after I verified the accounts I was sure I wanted deleted.

We have some systems also that may escape this simple checking.

Bottom line I would not trust any automated script to do deletes before I physically verified the list. Then I'd have it read back into the script and do the deletes.

Top
#28580 - 2002-09-18 04:22 AM Re: Old computer/user accounts in an NT4 domain.
Chris S. Offline
MM club member
*****

Registered: 2002-03-18
Posts: 2368
Loc: Earth
That's exactly what I do. [Smile] I usually pull the info out in a tab-delimited text file, copy it into Excel real fast and go over the results. When I'm ready to script the 'deletions' I pipe in the user or computer names into another 'deletion' script.
Top
#28581 - 2002-09-18 04:43 AM Re: Old computer/user accounts in an NT4 domain.
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
I found that there is seldom a mistake (never to date) using the password age in our environment.

If there was one I'd use Netdom to have the computer rejoin the domain.

code:
NETDOM JOIN machine /Domain:domain [/OU:ou path] [/UserD:user]
    [/PasswordD:[password | *]]
    [/UserO:user] [/PasswordO:[password | *]]
    [/REBoot[:Time in seconds]]

But in our domain architecture "real" servers (not to be confused with someone running NT server at their desk) are managed in their own domain where the data center admins would manage the domain closely. (I would hope)

[ 18. September 2002, 04:50: Message edited by: Howard Bullock ]
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#28582 - 2002-09-18 09:22 AM Re: Old computer/user accounts in an NT4 domain.
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Yeah, you can rejoin them, but in the meantime I would catch some crap from other Admin wannabes for removing valid machines in the first place.

Unfortunately we have run a Wild Wild West type of Admin on our systems for a long time. The AD is now much tighter, but our NT Domain is not that way.

Top
#28583 - 2002-09-18 06:13 PM Re: Old computer/user accounts in an NT4 domain.
Chris S. Offline
MM club member
*****

Registered: 2002-03-18
Posts: 2368
Loc: Earth
Howard, I asked again about those CD-ROM towers. They are Linux boxes with a (reverse-engineered?) Samba client on them. They are in the SAM to provide access to our clients. Apparently, the Samba client neglects to update the computer account password. That's the answer I got. Hope that makes sense.

[ 18. September 2002, 21:41: Message edited by: Chris S. ]

Top
#28584 - 2002-09-18 06:17 PM Re: Old computer/user accounts in an NT4 domain.
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Yes, that makes sense. I will have to put a disclaimer on the web site raising that possibility. Thanks for following up.

[ 18. September 2002, 18:17: Message edited by: Howard Bullock ]
_________________________
Home page: http://www.kixhelp.com/hb/

Top
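The checks discussed in this thread, as an added example that is not code from any of the posters: user accounts are judged on the newest last logon reported by any domain controller, machine accounts on password age, and the output is a list for manual review rather than a deletion. It is written in Python over constructed tab-delimited exports; the export layout, the account names, the 90-day threshold and the `exclude` parameter are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# UserFlags bit taken from the constant list in the script earlier in this thread
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000

# Constructed sample data in an assumed layout: one tab-delimited export per DC,
# columns = name, UserFlags (hex), last logon seen by that DC, password age (days).
# 0x10200 = normal account with "password never expires" set.
EXPORTS = {
    "PDC1": "jsmith\t0x10200\t2002-03-01\t400\n"
            "akhan\t0x200\t2002-01-10\t250\n"
            "WS042$\t0x1000\t\t190\n"
            "CDTOWER1$\t0x1000\t\t700\n",
    "BDC1": "jsmith\t0x10200\t2002-09-10\t400\n"
            "akhan\t0x200\t\t250\n"
            "WS042$\t0x1000\t\t190\n"
            "CDTOWER1$\t0x1000\t\t700\n",
}


def stale_candidates(exports, today, max_idle_days=90, exclude=()):
    """Return {account: reason} for manual review. Nothing is deleted here."""
    merged = {}
    for text in exports.values():
        for name, flags, logon, pw_age in csv.reader(io.StringIO(text), delimiter="\t"):
            rec = merged.setdefault(
                name, {"flags": int(flags, 16), "logon": None, "pw_age": int(pw_age)})
            if logon:
                seen = datetime.strptime(logon, "%Y-%m-%d")
                # Last logon is kept per DC, so take the newest value any DC reports.
                if rec["logon"] is None or seen > rec["logon"]:
                    rec["logon"] = seen
    cutoff = today - timedelta(days=max_idle_days)
    report = {}
    for name, rec in sorted(merged.items()):
        if name in exclude:
            continue  # known exceptions, e.g. hosts that never refresh their password
        if rec["flags"] & ADS_UF_WORKSTATION_TRUST_ACCOUNT:
            if rec["pw_age"] > max_idle_days:  # machine accounts: password age
                report[name] = "machine password age %d days" % rec["pw_age"]
        elif rec["logon"] is None:
            report[name] = "never logged on at any DC"
        elif rec["logon"] < cutoff:  # user accounts: newest last logon
            report[name] = "last logon " + rec["logon"].date().isoformat()
    return report
```

Run against the PDC1 export alone, `jsmith` is reported as idle since 2002-03-01 even though BDC1 saw a logon on 2002-09-10, which is the false positive the per-DC merge avoids.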
#28585 - 2002-12-04 08:59 PM Re: Old computer/user accounts in an NT4 domain.
MCA Offline
KiX Supporter
*****

Registered: 2000-04-28
Posts: 5152
Loc: Netherlands, EU
Dear,

To get information on the last logon we are using something similar in our script logon.kix.
It creates dynamic lists based on @userid, @wksta and @ipaddressX.
Greetings.

btw: symbol  - on our homepage has been linked to related http://kixtart.org topic.

Top