| Author | Messages | |
4u3u
Posts:0
 | | 07/11/2007 1:00 AM |
| Yeah, my bad, sorry for that.
I had some problems with my replies to the list so I've turned on delivery
receipt on one of the e-mails for troubleshooting but turning on read receipt
too was a bad idea.
--
Alexander Sukhovey
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Wolf-Pittel, Janis
Sent: Wednesday, July 11, 2007 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
It's very annoying to get read receipt requested on this listserv.
Please have all users turn that off.
Thanks,
Janis
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> Alexander Sukhovey
> Sent: Tuesday, July 10, 2007 2:22 PM
> To: ActiveDir@mail.activedir.org
> Cc: 'Alexander Sukhovey'
> Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
>
> What I was using is the whenChanged attribute. It is changed when
> any attribute of the account is changed, so there's no need to
> check for pwdLastSet and LastLogonTimeStamp separately. If
> it's old, you can be certain that nobody/nothing has
> updated any attributes of this account for a long time.
>
> --
> Alexander Sukhovey
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
> Sent: Tuesday, July 10, 2007 5:13 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
>
> Computers are a subclass of user, meaning they have the same
> attributes available. The pwdLastSet is available for users
> and computers, only computers aren't required to change their
> passwords. They just do it optionally. It can be disabled in
> various ways. You also have lastLogonTimeStamp that is
> available in DFL2 mode as mentioned. This is the replicated
> (until LH) form of last logon. OldCmp will use either method;
> by default it will use pwdLastSet but you can use the -llts
> to use lastLogonTimeStamp.
>
> All that being said, there is NO GUARANTEED way of finding
> inactive computers because there is no single attribute that
> can prove that fact.
> That is why I have tons of safeties and you aren't allowed to
> just delete computers right away, you have to at least
> disable them first.
>
> Items I know for a fact that can cause issues here:
>
> o VPN software can cause passwords to not be changed and
> occasionally I hear how the last logon attributes are also
> not updated.
>
> o Cluster accounts do not update the fields.
>
> For items like that you need to mark them in some way that oldcmp (or
> anything) can identify them and skip them. I recommend
> setting up a new attribute or putting something in the
> description or what not and then using the -af switch to add
> to the filter to avoid those objects.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid
> Umer Farooqui
> Sent: Tuesday, July 10, 2007 5:43 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
>
> Ooo so the last password change parameter is for the computer
> accounts themselves .. sorry :p I misunderstood them for user
> account passwords ..
> got it thanks :-)
>
> Regards,
> Zaid Umer Farooqui
> Network Engineer
> MIS Department
> =============================
> Dawlance Center (Head Office) ,
> 7/4, Civil Lines 9,
> Dr. Ziauddin Ahmed Road,
> Karachi.
> Office: 021-5652450 (Ext 2456)
> Cell: 0321-2108096
> > -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dave Wade
> Sent: Tuesday, July 10, 2007 2:42 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
>
> Computers have passwords too. They manage them themselves.
> They change them from time to time. When they are not used,
> they can't change them.
>
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid Umer
> > Farooqui
> > Sent: 10 July 2007 10:25
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
> >
> > We let users manage their own passwords.. it's a medium sized setup
> > 500 users at max..
> >
> > So there can be users that haven't changed their passwords in the last
> > 6 months.. but this tool also uses last logon right ??? that might
> > help...any concerns while running this tool ??
> >
> > Regards,
> > Zaid Umer Farooqui
> > Network Engineer
> > MIS Department
> > =============================
> > Dawlance Center (Head Office) ,
> > 7/4, Civil Lines 9,
> > Dr. Ziauddin Ahmed Road,
> > Karachi.
> > Office: 021-5652450 (Ext 2456)
> > Cell: 0321-2108096
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tomasz
> > Onyszko
> > Sent: Tuesday, July 10, 2007 2:11 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Find inactive COMPUTER accounts
> >
> > Lee, Ricky wrote:
> > > You may also consider checking the passwordLastChange attribute for
> > > computer objects in AD.
> >
> > hmmm... passwordLastSet and this is what oldcmp.exe does actually
> >
> > --
> > Tomasz Onyszko
> > http://www.w2k.pl/ - (PL)
> > http://blogs.dirteam.com/blogs/tomek/ - (EN)
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
| | | |
|
|
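An added example, not part of any message in the thread and not OldCmp's code: it builds the kind of LDAP filter discussed above from pwdLastSet or lastLogonTimestamp (both stored as FILETIME values) and sorts constructed sample records into skip, active and disable-first lists. Assumptions made here: the marker string NO-AGE-OUT in the description is hypothetical, and treating a computer as a candidate only when both attributes are old is this example's conservative choice.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def to_filetime(dt):
    """Convert an aware datetime to 100-ns ticks since 1601-01-01 UTC."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def ldap_escape(s):
    """Escape RFC 4515 special characters in a filter value."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\0" else ch for ch in s)

def stale_filter(now, days, use_llts=False, skip_marker=None):
    """LDAP filter for computers whose chosen attribute is older than `days`."""
    attr = "lastLogonTimestamp" if use_llts else "pwdLastSet"
    cutoff = to_filetime(now - timedelta(days=days))
    clauses = ["(objectCategory=computer)", f"({attr}<={cutoff})"]
    if skip_marker:  # exclude objects marked as exceptions (e.g. cluster names)
        clauses.append(f"(!(description=*{ldap_escape(skip_marker)}*))")
    return "(&" + "".join(clauses) + ")"

def plan(computers, now, days, skip_marker="NO-AGE-OUT"):
    """Sort records into skip / active / disable. Nothing is ever deleted here."""
    cutoff = to_filetime(now - timedelta(days=days))
    out = {"skip": [], "active": [], "disable": []}
    for c in computers:
        newest = max(c.get("pwdLastSet", 0), c.get("lastLogonTimestamp", 0))
        if skip_marker in c.get("description", ""):
            out["skip"].append(c["name"])
        elif newest > cutoff:  # either attribute recent: treat as in use
            out["active"].append(c["name"])
        else:
            out["disable"].append(c["name"])
    return out

NOW = datetime(2007, 7, 11, tzinfo=timezone.utc)

def ft(days_ago):
    return to_filetime(NOW - timedelta(days=days_ago))

# Constructed sample records (not real directory data).
SAMPLE = [
    {"name": "WS-ACTIVE", "pwdLastSet": ft(10), "lastLogonTimestamp": ft(5)},
    {"name": "WS-VPN", "pwdLastSet": ft(200), "lastLogonTimestamp": ft(3)},
    {"name": "WS-OLD", "pwdLastSet": ft(200), "lastLogonTimestamp": ft(200)},
    {"name": "CLUSTER01", "pwdLastSet": 0, "lastLogonTimestamp": 0,
     "description": "cluster virtual name NO-AGE-OUT"},
]

if __name__ == "__main__":
    print(stale_filter(NOW, 90, use_llts=True, skip_marker="NO-AGE-OUT"))
    print(plan(SAMPLE, NOW, 90))
```

WS-VPN shows why a single attribute misleads: its password is 200 days old, yet it logged on three days ago.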