| Author | Messages | |
zaidumer
Posts:0
 | | 07/10/2007 4:32 AM |
| st1\:*{behavior:url(#default#ieooui) }
Hi all..
Is there any way to find out which COMPUTER account is
inactive.. lets say if a machine was disjoined of removed from the domain and
the computer account was not removed..
Is there a scrip to find out the computer accounts that are
inactive..??
P.S : domain is Windws2003.
Thanks..
Regards,
Zaid Umer Farooqui
Network Engineer
MIS Department
=============================
DawlanceCenter (Head Office) ,
7/4, Civil
Lines 9,
Dr. Ziauddin Ahmed Road,
Karachi.
Office:
021-5652450 (Ext 2456)
Cell:
0321-2108096 | | | |
| 4u3u
Posts:0
| | 07/10/2007 3:21 AM |
| What I was using is whenChanged attribute. It is changed when any of
attribute of account is changed so there's no need to check for pwdLastSet
and LastLogonTimeStamp separately. If it's old, you're can be certain that
nobody/nothing has updated any attributes of this account for long time.
--
Alexander Sukhovey
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Tuesday, July 10, 2007 5:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
Computers are subclass of user meaning they have the same attributes
available. The pwdLastSet is available for users and computers only
computers aren't required to change their passwords. They just do it
optionally. It can be disabled in various ways. You also have
lastLogonTimeStamp that is available in DFL2 mode as mentioned. This is the
replicated (until LH) form of last logon. OldCmp will use either method, by
default it will use pwdLastSet but you can use the -llts to use
lastLogonTimeStamp.
All that being said, there is NO GUARANTEED way of finding inactive
computers because there is no single attribute that can prove that fact.
That is why I have tons of safeties and you aren't allowed to just delete
computers right away, you have to at least disable them first.
Items I know for a fact that can cause issues here
O VPN software can cause passwords to not be changed and occasionally I hear
how the last logon attributes are also not updated.
O Cluster accounts do not update the fields.
For items like that you need to mark them in some way that oldcmp (or
anything) can identify them and skip them. I recommend setting up a new
attribute or putting something in the description or what not and then using
the -af switch to add to the filter to avoid those objects.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid Umer Farooqui
Sent: Tuesday, July 10, 2007 5:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
Ooo so the last password change parameter is for the computer accounts
themselves .. sorry :p I misunderstood them for user account passwords ..
got it thanks :-)
Regards,
Zaid Umer Farooqui
Network Engineer
MIS Department
=============================
Dawlance Center (Head Office) ,
7/4, Civil Lines 9,
Dr. Ziauddin Ahmed Road,
Karachi.
Office: 021-5652450 (Ext 2456)
Cell: 0321-2108096
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dave Wade
Sent: Tuesday, July 10, 2007 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
Computers have passwords too. They manage them themselves. They change
them from time to time. When they are not used, they can't change them.
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid
> Umer Farooqui
> Sent: 10 July 2007 10:25
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
>
> We let users manage their own passwords.. it's a medium sized
> setup 500 users at max..
>
> So ther can be users that haven't changed their passwords in
> the last 6 months.. but this tool also uses last logon right
> ??? that might help...any concerns while running this tool ??
>
>
> Regards,
> Zaid Umer Farooqui
> Network Engineer
> MIS Department
> =============================
> Dawlance Center (Head Office) ,
> 7/4, Civil Lines 9,
> Dr. Ziauddin Ahmed Road,
> Karachi.
> Office: 021-5652450 (Ext 2456)
> Cell: 0321-2108096
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> Tomasz Onyszko
> Sent: Tuesday, July 10, 2007 2:11 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Find inactive COMPUTER accounts
>
> Lee, Ricky wrote:
> > You may also consider checking the passwordLastChange attribute for
> > computer objects in AD.
>
> hmmm... passwordLastSet and this is what oldcmp.exe does actually
>
> --
> Tomasz Onyszko
> http://www.w2k.pl/ - (PL)
> http://blogs.dirteam.com/blogs/tomek/ - (EN)
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
**********************************************************************
This email, and any files transmitted with it, is confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose
this email, or any response to it, under the Freedom of Information Act
2000, unless the information in it is covered by one of the exemptions in
the Act.
If you receive this email in error please notify Stockport e-Services via
email.query@stockport.gov.uk and then permanently remove it from your
system.
Thank you.
http://www.stockport.gov.uk
**********************************************************************
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| kashif_jamil
Posts:2
| | 07/10/2007 3:25 AM |
| Return Receipt
Your RE: [ActiveDir] Find inactive COMPUTER accounts
document:
was Kashif Jamil/Contractor/NPS
received
by:
at: 07/10/2007 03:25:07 PM EDT
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| TG
Posts:298
| | 07/10/2007 3:30 AM |
| Return Receipt
Your RE: [ActiveDir] Find inactive COMPUTER accounts
document:
was tony.gordon@hewitt.com
received
by:
at: 07/10/2007 02:30:08 PM
The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient
is strictly prohibited.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| Khurshid_Anwar
Posts:0
| | 07/10/2007 4:26 AM |
| Return Receipt
Your RE: [ActiveDir] Find inactive COMPUTER accounts
document:
was Khurshid_Anwar@contractor.nps.gov
received
by:
at: 07/10/2007 04:26:30 PM EDT
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| listmail
Posts:822
| | 07/10/2007 4:38 AM |
| Its also changed when you build a new DC, i.e. every object will have a time
stamp for whenchanged that is after the DC was built. Plus this attribute
ISN'T replicated so you properly would need to ask every DC for it just like
lastlogon.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Alexander Sukhovey
Sent: Tuesday, July 10, 2007 3:22 PM
To: ActiveDir@mail.activedir.org
Cc: 'Alexander Sukhovey'
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
What I was using is whenChanged attribute. It is changed when any of
attribute of account is changed so there's no need to check for pwdLastSet
and LastLogonTimeStamp separately. If it's old, you're can be certain that
nobody/nothing has updated any attributes of this account for long time.
--
Alexander Sukhovey
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Tuesday, July 10, 2007 5:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
Computers are subclass of user meaning they have the same attributes
available. The pwdLastSet is available for users and computers only
computers aren't required to change their passwords. They just do it
optionally. It can be disabled in various ways. You also have
lastLogonTimeStamp that is available in DFL2 mode as mentioned. This is the
replicated (until LH) form of last logon. OldCmp will use either method, by
default it will use pwdLastSet but you can use the -llts to use
lastLogonTimeStamp.
All that being said, there is NO GUARANTEED way of finding inactive
computers because there is no single attribute that can prove that fact.
That is why I have tons of safeties and you aren't allowed to just delete
computers right away, you have to at least disable them first.
Items I know for a fact that can cause issues here
O VPN software can cause passwords to not be changed and occasionally I hear
how the last logon attributes are also not updated.
O Cluster accounts do not update the fields.
For items like that you need to mark them in some way that oldcmp (or
anything) can identify them and skip them. I recommend setting up a new
attribute or putting something in the description or what not and then using
the -af switch to add to the filter to avoid those objects.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid Umer Farooqui
Sent: Tuesday, July 10, 2007 5:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
Ooo so the last password change parameter is for the computer accounts
themselves .. sorry :p I misunderstood them for user account passwords ..
got it thanks :-)
Regards,
Zaid Umer Farooqui
Network Engineer
MIS Department
=============================
Dawlance Center (Head Office) ,
7/4, Civil Lines 9,
Dr. Ziauddin Ahmed Road,
Karachi.
Office: 021-5652450 (Ext 2456)
Cell: 0321-2108096
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dave Wade
Sent: Tuesday, July 10, 2007 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
Computers have passwords too. They manage them themselves. They change
them from time to time. When they are not used, they can't change them.
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid
> Umer Farooqui
> Sent: 10 July 2007 10:25
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
>
> We let users manage their own passwords.. it's a medium sized
> setup 500 users at max..
>
> So ther can be users that haven't changed their passwords in
> the last 6 months.. but this tool also uses last logon right
> ??? that might help...any concerns while running this tool ??
>
>
> Regards,
> Zaid Umer Farooqui
> Network Engineer
> MIS Department
> =============================
> Dawlance Center (Head Office) ,
> 7/4, Civil Lines 9,
> Dr. Ziauddin Ahmed Road,
> Karachi.
> Office: 021-5652450 (Ext 2456)
> Cell: 0321-2108096
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> Tomasz Onyszko
> Sent: Tuesday, July 10, 2007 2:11 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Find inactive COMPUTER accounts
>
> Lee, Ricky wrote:
> > You may also consider checking the passwordLastChange attribute for
> > computer objects in AD.
>
> hmmm... passwordLastSet and this is what oldcmp.exe does actually
>
> --
> Tomasz Onyszko
> http://www.w2k.pl/ - (PL)
> http://blogs.dirteam.com/blogs/tomek/ - (EN)
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
**********************************************************************
This email, and any files transmitted with it, is confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose
this email, or any response to it, under the Freedom of Information Act
2000, unless the information in it is covered by one of the exemptions in
the Act.
If you receive this email in error please notify Stockport e-Services via
email.query@stockport.gov.uk and then permanently remove it from your
system.
Thank you.
http://www.stockport.gov.uk
**********************************************************************
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| tonyszko
Posts:140
| | 07/10/2007 4:39 AM |
| Zaid Umer Farooqui wrote:
> Hi all..
>
>
>
>
>
> Is there any way to find out which COMPUTER account is inactive.. lets
> say if a machine was disjoined of removed from the domain and the
> computer account was not removed..
>
> Is there a scrip to find out the computer accounts that are inactive..??
>
>
http://www.joeware.net/freetools/tools/oldcmp/index.htm
--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| RickyLee
Posts:0
| | 07/10/2007 4:43 AM |
| You may also consider checking the passwordLastChange attribute for
computer objects in AD.
Ricky Lee
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tomasz Onyszko
Sent: Tuesday, July 10, 2007 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Find inactive COMPUTER accounts
Zaid Umer Farooqui wrote:
> Hi all..
>
>
>
>
>
> Is there any way to find out which COMPUTER account is inactive.. lets
> say if a machine was disjoined of removed from the domain and the
> computer account was not removed..
>
> Is there a scrip to find out the computer accounts that are
inactive..??
>
>
http://www.joeware.net/freetools/tools/oldcmp/index.htm
--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| paultwilliams
Posts:0
| | 07/10/2007 5:10 AM |
| Google OLDCMP. It’s a free tool written by
joe, located at www.joeware.net
--Paul
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid Umer
Farooqui
Sent: 10 July 2007 09:32
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Find inactive COMPUTER accounts
Hi
all..
Is
there any way to find out which COMPUTER account is inactive.. lets say if a
machine was disjoined of removed from the domain and the computer account was
not removed..
Is
there a scrip to find out the computer accounts that are inactive..??
P.S
: domain is Windws2003.
Thanks..
Regards,
Zaid Umer Farooqui
Network Engineer
MIS Department
=============================
DawlanceCenter (Head Office) ,
7/4, Civil Lines 9,
Dr. Ziauddin Ahmed Road,
Karachi.
Office: 021-5652450 (Ext 2456)
Cell: 0321-2108096 | | | |
| tonyszko
Posts:140
| | 07/10/2007 5:10 AM |
| Lee, Ricky wrote:
> You may also consider checking the passwordLastChange attribute for
> computer objects in AD.
hmmm... passwordLastSet and this is what oldcmp.exe does actually
--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| zaidumer
Posts:0
| | 07/10/2007 5:24 AM |
| We let users manage their own passwords.. it's a medium sized setup 500 users at max..
So ther can be users that haven't changed their passwords in the last 6 months.. but this tool also uses last logon right ??? that might help...any concerns while running this tool ??
Regards,
Zaid Umer Farooqui
Network Engineer
MIS Department
=============================
Dawlance Center (Head Office) ,
7/4, Civil Lines 9,
Dr. Ziauddin Ahmed Road,
Karachi.
Office: 021-5652450 (Ext 2456)
Cell: 0321-2108096
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tomasz Onyszko
Sent: Tuesday, July 10, 2007 2:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Find inactive COMPUTER accounts
Lee, Ricky wrote:
> You may also consider checking the passwordLastChange attribute for
> computer objects in AD.
hmmm... passwordLastSet and this is what oldcmp.exe does actually
--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| mkline
Posts:83
| | 07/10/2007 5:26 AM |
| In a W2K3 domain functional level you can key off pwdLastSet or lastLogonTimestamp so Zaid has a few options.
Joe has also put a ton of safeties in this tool which is a very good thing.
On 7/10/07, Tomasz Onyszko wrote:
Lee, Ricky wrote:> You may also consider checking the passwordLastChange attribute for> computer objects in AD.
hmmm... passwordLastSet and this is what oldcmp.exe does actually--Tomasz Onyszkohttp://www.w2k.pl/ - (PL)http://blogs.dirteam.com/blogs/tomek/
- (EN)List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| mkline
Posts:83
| | 07/10/2007 5:34 AM |
| Zaid, the tool can be used to check for users but the default is to check for computers which is what I think you wanted to check.
The user passwords and computer passwords are different so you don't need to worry about that.
Just look at the examples that Joe has listed and you will see that there are no concerns because of all the safety locks he has on it.
On 7/10/07, Zaid Umer Farooqui wrote:
We let users manage their own passwords.. it's a medium sized setup 500 users at max..So ther can be users that haven't changed their passwords in the last 6 months.. but this tool also uses last logon right ??? that might help...any concerns while running this tool ??
Regards,Zaid Umer FarooquiNetwork EngineerMIS Department=============================Dawlance Center (Head Office) ,7/4, Civil Lines 9,Dr. Ziauddin Ahmed Road,Karachi.Office: 021-5652450 (Ext 2456)
Cell: 0321-2108096-----Original Message-----From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org
] On Behalf Of Tomasz OnyszkoSent: Tuesday, July 10, 2007 2:11 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Find inactive COMPUTER accounts
Lee, Ricky wrote:> You may also consider checking the passwordLastChange attribute for> computer objects in AD.hmmm... passwordLastSet and this is what oldcmp.exe does actually--Tomasz Onyszko
http://www.w2k.pl/ - (PL)http://blogs.dirteam.com/blogs/tomek/ - (EN)List info :
http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| davewade
Posts:116
| | 07/10/2007 5:41 AM |
| Computers have passwords too. They manage them themselves. They change
them from time to time. When they are not used, they can't change them.
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid
> Umer Farooqui
> Sent: 10 July 2007 10:25
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
>
> We let users manage their own passwords.. it's a medium sized
> setup 500 users at max..
>
> So ther can be users that haven't changed their passwords in
> the last 6 months.. but this tool also uses last logon right
> ??? that might help...any concerns while running this tool ??
>
>
> Regards,
> Zaid Umer Farooqui
> Network Engineer
> MIS Department
> =============================
> Dawlance Center (Head Office) ,
> 7/4, Civil Lines 9,
> Dr. Ziauddin Ahmed Road,
> Karachi.
> Office: 021-5652450 (Ext 2456)
> Cell: 0321-2108096
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> Tomasz Onyszko
> Sent: Tuesday, July 10, 2007 2:11 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Find inactive COMPUTER accounts
>
> Lee, Ricky wrote:
> > You may also consider checking the passwordLastChange attribute for
> > computer objects in AD.
>
> hmmm... passwordLastSet and this is what oldcmp.exe does actually
>
> --
> Tomasz Onyszko
> http://www.w2k.pl/ - (PL)
> http://blogs.dirteam.com/blogs/tomek/ - (EN)
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
**********************************************************************
This email, and any files transmitted with it, is confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act.
If you receive this email in error please notify Stockport e-Services via email.query@stockport.gov.uk and then permanently remove it from your system.
Thank you.
http://www.stockport.gov.uk
**********************************************************************
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| zaidumer
Posts:0
| | 07/10/2007 5:43 AM |
| Ooo so the last password change parameter is for the computer accounts themselves .. sorry :p I misunderstood them for user account passwords .. got it thanks :-)
Regards,
Zaid Umer Farooqui
Network Engineer
MIS Department
=============================
Dawlance Center (Head Office) ,
7/4, Civil Lines 9,
Dr. Ziauddin Ahmed Road,
Karachi.
Office: 021-5652450 (Ext 2456)
Cell: 0321-2108096
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dave Wade
Sent: Tuesday, July 10, 2007 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
Computers have passwords too. They manage them themselves. They change
them from time to time. When they are not used, they can't change them.
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid
> Umer Farooqui
> Sent: 10 July 2007 10:25
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
>
> We let users manage their own passwords.. it's a medium sized
> setup 500 users at max..
>
> So ther can be users that haven't changed their passwords in
> the last 6 months.. but this tool also uses last logon right
> ??? that might help...any concerns while running this tool ??
>
>
> Regards,
> Zaid Umer Farooqui
> Network Engineer
> MIS Department
> =============================
> Dawlance Center (Head Office) ,
> 7/4, Civil Lines 9,
> Dr. Ziauddin Ahmed Road,
> Karachi.
> Office: 021-5652450 (Ext 2456)
> Cell: 0321-2108096
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> Tomasz Onyszko
> Sent: Tuesday, July 10, 2007 2:11 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Find inactive COMPUTER accounts
>
> Lee, Ricky wrote:
> > You may also consider checking the passwordLastChange attribute for
> > computer objects in AD.
>
> hmmm... passwordLastSet and this is what oldcmp.exe does actually
>
> --
> Tomasz Onyszko
> http://www.w2k.pl/ - (PL)
> http://blogs.dirteam.com/blogs/tomek/ - (EN)
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
**********************************************************************
This email, and any files transmitted with it, is confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act.
If you receive this email in error please notify Stockport e-Services via email.query@stockport.gov.uk and then permanently remove it from your system.
Thank you.
http://www.stockport.gov.uk
**********************************************************************
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| bcline
Posts:0
| | 07/10/2007 8:16 AM |
| 1024x768
Clean
false
false
false
EN-US
JA
X-NONE
MicrosoftInternetExplorer4
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
Here’s what I use: http://www.joeware.net/freetools/tools/oldcmp/index.htm
Not exactly a script, but scriptable
and flexible. It would also be a fairly easy LDAP query to construct if you
were doing via vbscript. Here’s an example,
though I cannot vouch for its accuracy or reliability: http://www.tek-tips.com/viewthread.cfm?qid=1092019&page=7
Brian Cline, Business
Systems Analyst
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct
803.739.1176 Fax
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid Umer
Farooqui
Sent: Tuesday, July 10, 2007 4:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Find inactive COMPUTER accounts
Hi
all..
Is
there any way to find out which COMPUTER account is inactive.. lets say if a
machine was disjoined of removed from the domain and the computer account was
not removed..
Is
there a scrip to find out the computer accounts that are inactive..??
P.S
: domain is Windws2003.
Thanks..
Regards,
Zaid Umer Farooqui
Network Engineer
MIS Department
=============================
DawlanceCenter (Head Office) ,
7/4, Civil Lines 9,
Dr. Ziauddin Ahmed Road,
Karachi.
Office: 021-5652450 (Ext 2456)
Cell: 0321-2108096 | | | |
| bcline
Posts:0
| | 07/10/2007 8:22 AM |
| 1024x768
Clean
false
false
false
EN-US
JA
X-NONE
MicrosoftInternetExplorer4
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
Oops. Forgot to mention that’s actually
the time/date conversion piece you’d need. The LDAP query is really as simple
as: (&(objectClass=computer)(pwdLastSet<=InsanelyLongInteger))
Brian Cline, Business Systems Analyst
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct
803.739.1176 Fax
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Cline
Sent: Tuesday, July 10, 2007 8:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
Here’s
what I use: http://www.joeware.net/freetools/tools/oldcmp/index.htm
Not
exactly a script, but scriptable and flexible. It would also be a fairly easy
LDAP query to construct if you were doing via vbscript. Here’s an example,
though I cannot vouch for its accuracy or reliability: http://www.tek-tips.com/viewthread.cfm?qid=1092019&page=7
Brian Cline, Business Systems Analyst
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct
803.739.1176 Fax
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Zaid Umer Farooqui
Sent: Tuesday, July 10, 2007 4:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Find inactive COMPUTER accounts
Hi
all..
Is
there any way to find out which COMPUTER account is inactive.. lets say if a
machine was disjoined of removed from the domain and the computer account was
not removed..
Is
there a scrip to find out the computer accounts that are inactive..??
P.S
: domain is Windws2003.
Thanks..
Regards,
Zaid Umer Farooqui
Network Engineer
MIS Department
=============================
DawlanceCenter (Head Office) ,
7/4, Civil Lines 9,
Dr. Ziauddin Ahmed Road,
Karachi.
Office: 021-5652450 (Ext 2456)
Cell: 0321-2108096 | | | |
| listmail
Posts:822
| | 07/10/2007 9:12 AM |
| Computers are subclass of user meaning they have the same attributes
available. The pwdLastSet is available for users and computers only
computers aren't required to change their passwords. They just do it
optionally. It can be disabled in various ways. You also have
lastLogonTimeStamp that is available in DFL2 mode as mentioned. This is the
replicated (until LH) form of last logon. OldCmp will use either method, by
default it will use pwdLastSet but you can use the -llts to use
lastLogonTimeStamp.
All that being said, there is NO GUARANTEED way of finding inactive
computers because there is no single attribute that can prove that fact.
That is why I have tons of safeties and you aren't allowed to just delete
computers right away, you have to at least disable them first.
Items I know for a fact that can cause issues here
O VPN software can cause passwords to not be changed and occasionally I hear
how the last logon attributes are also not updated.
O Cluster accounts do not update the fields.
For items like that you need to mark them in some way that oldcmp (or
anything) can identify them and skip them. I recommend setting up a new
attribute or putting something in the description or what not and then using
the -af switch to add to the filter to avoid those objects.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid Umer Farooqui
Sent: Tuesday, July 10, 2007 5:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
Ooo so the last password change parameter is for the computer accounts
themselves .. sorry :p I misunderstood them for user account passwords ..
got it thanks :-)
Regards,
Zaid Umer Farooqui
Network Engineer
MIS Department
=============================
Dawlance Center (Head Office) ,
7/4, Civil Lines 9,
Dr. Ziauddin Ahmed Road,
Karachi.
Office: 021-5652450 (Ext 2456)
Cell: 0321-2108096
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dave Wade
Sent: Tuesday, July 10, 2007 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
Computers have passwords too. They manage them themselves. They change
them from time to time. When they are not used, they can't change them.
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid
> Umer Farooqui
> Sent: 10 July 2007 10:25
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
>
> We let users manage their own passwords.. it's a medium sized
> setup 500 users at max..
>
> So ther can be users that haven't changed their passwords in
> the last 6 months.. but this tool also uses last logon right
> ??? that might help...any concerns while running this tool ??
>
>
> Regards,
> Zaid Umer Farooqui
> Network Engineer
> MIS Department
> =============================
> Dawlance Center (Head Office) ,
> 7/4, Civil Lines 9,
> Dr. Ziauddin Ahmed Road,
> Karachi.
> Office: 021-5652450 (Ext 2456)
> Cell: 0321-2108096
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> Tomasz Onyszko
> Sent: Tuesday, July 10, 2007 2:11 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Find inactive COMPUTER accounts
>
> Lee, Ricky wrote:
> > You may also consider checking the passwordLastChange attribute for
> > computer objects in AD.
>
> hmmm... passwordLastSet and this is what oldcmp.exe does actually
>
> --
> Tomasz Onyszko
> http://www.w2k.pl/ - (PL)
> http://blogs.dirteam.com/blogs/tomek/ - (EN)
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
**********************************************************************
This email, and any files transmitted with it, is confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose
this email, or any response to it, under the Freedom of Information Act
2000, unless the information in it is covered by one of the exemptions in
the Act.
If you receive this email in error please notify Stockport e-Services via
email.query@stockport.gov.uk and then permanently remove it from your
system.
Thank you.
http://www.stockport.gov.uk
**********************************************************************
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| listmail
Posts:822
| | 07/10/2007 9:13 AM |
| 1024x768
Clean
false
false
false
EN-US
JA
X-NONE
MicrosoftInternetExplorer4
@font-face {
font-family: MS Mincho;
}
@font-face {
font-family: Cambria Math;
}
@font-face {
font-family: Calibri;
}
@font-face {
font-family: Tahoma;
}
@font-face {
font-family: @MS Mincho;
}
@font-face {
font-family: Bookman Old Style;
}
@font-face {
font-family: Book Antiqua;
}
@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.25in 1.0in 1.25in; mso-header-margin: .5in; mso-footer-margin: .5in; mso-paper-source: 0; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"; mso-style-unhide: no; mso-style-qformat: yes; mso-style-parent: ""; mso-pagination: widow-orphan; mso-fareast-font-family: "MS Mincho"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"; mso-style-unhide: no; mso-style-qformat: yes; mso-style-parent: ""; mso-pagination: widow-orphan; mso-fareast-font-family: "MS Mincho"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"; mso-style-unhide: no; mso-style-qformat: yes; mso-style-parent: ""; mso-pagination: widow-orphan; mso-fareast-font-family: "MS Mincho"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline; mso-style-noshow: yes; mso-style-priority: 99; text-underline: single
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline; mso-style-noshow: yes; mso-style-priority: 99; text-underline: single
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline; mso-style-noshow: yes; mso-style-priority: 99; text-underline: single
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline; mso-style-noshow: yes; mso-style-priority: 99; text-underline: single
}
SPAN.EmailStyle17 {
COLOR: windowtext; FONT-FAMILY: "Arial","sans-serif"; mso-bidi-font-family: Arial; mso-style-unhide: no; mso-style-noshow: yes; mso-style-type: personal; mso-ascii-font-family: Arial; mso-hansi-font-family: Arial
}
SPAN.EmailStyle18 {
COLOR: windowtext; FONT-FAMILY: "Calibri","sans-serif"; mso-bidi-font-family: "Times New Roman"; mso-style-unhide: no; mso-style-noshow: yes; mso-style-type: personal; mso-ascii-font-family: Calibri; mso-hansi-font-family: Calibri; mso-ansi-font-size: 11.0pt; mso-bidi-font-size: 11.0pt
}
SPAN.EmailStyle20 {
COLOR: windowtext; FONT-FAMILY: "Calibri","sans-serif"; mso-bidi-font-family: "Times New Roman"; mso-style-unhide: no; mso-style-noshow: yes; mso-style-type: personal-reply; mso-ascii-font-family: Calibri; mso-hansi-font-family: Calibri; mso-ansi-font-size: 11.0pt; mso-bidi-font-size: 11.0pt
}
SPAN.SpellE {
mso-style-name: ""; mso-spl-e: yes
}
.MsoChpDefault {
FONT-SIZE: 10pt; mso-style-type: export-only; mso-ansi-font-size: 10.0pt; mso-bidi-font-size: 10.0pt; mso-default-props: yes
}
DIV.Section1 {
page: Section1
}
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
You will want to use objectcategory instead of objectclass
unless you have indexed objectclass or are running LH.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian
ClineSent: Tuesday, July 10, 2007 8:22 AMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Find inactive
COMPUTER accounts
Oops.
Forgot to mention that’s actually the time/date conversion piece you’d need. The
LDAP query is really as simple as:
(&(objectClass=computer)(pwdLastSet<=InsanelyLongInteger))
Brian
Cline, Business Systems AnalystDepartment of Information
TechnologyG&P Trucking Company, Inc.803.936.8595
Direct803.739.1176 Fax
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Brian ClineSent: Tuesday, July 10, 2007 8:17
AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir]
Find inactive COMPUTER accounts
Here’s what I
use: http://www.joeware.net/freetools/tools/oldcmp/index.htm
Not exactly a
script, but scriptable and flexible. It would also be a fairly easy LDAP query
to construct if you were doing via vbscript. Here’s an example, though I cannot
vouch for its accuracy or reliability: http://www.tek-tips.com/viewthread.cfm?qid=1092019&page=7
Brian
Cline, Business Systems AnalystDepartment of Information
TechnologyG&P Trucking Company, Inc.803.936.8595
Direct803.739.1176 Fax
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Zaid Umer FarooquiSent: Tuesday, July 10, 2007
4:32 AMTo: ActiveDir@mail.activedir.orgSubject:
[ActiveDir] Find inactive COMPUTER accounts
Hi
all..
Is there any way to
find out which COMPUTER account is inactive.. lets say if a machine was
disjoined of removed from the domain and the computer account was not
removed..
Is there a scrip to
find out the computer accounts that are inactive..??
P.S : domain is
Windws2003.
Thanks..
Regards,
Zaid
Umer
Farooqui
Network
Engineer
MIS
Department
=============================
DawlanceCenter
(Head Office) ,
7/4,
Civil Lines 9,
Dr.
Ziauddin Ahmed Road,
Karachi.
Office:
021-5652450 (Ext 2456)
Cell:
0321-2108096 | | | |
| bcline
Posts:0
| | 07/10/2007 9:36 AM |
| v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
1024x768
Clean
false
false
false
EN-US
JA
X-NONE
MicrosoftInternetExplorer4
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
Good call, no wonder it was running so
slowly. Thanks.
Brian Cline, Business Systems Analyst
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct
803.739.1176 Fax
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of joe
Sent: Tuesday, July 10, 2007 9:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
You will want to use
objectcategory instead of objectclass unless you have indexed objectclass or
are running LH.
--
O'Reilly Active Directory
Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Cline
Sent: Tuesday, July 10, 2007 8:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
Oops.
Forgot to mention that’s actually the time/date conversion piece you’d need.
The LDAP query is really as simple as: (&(objectClass=computer)(pwdLastSet<=InsanelyLongInteger))
Brian Cline, Business Systems Analyst
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct
803.739.1176 Fax
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Cline
Sent: Tuesday, July 10, 2007 8:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
Here’s
what I use: http://www.joeware.net/freetools/tools/oldcmp/index.htm
Not
exactly a script, but scriptable and flexible. It would also be a fairly easy
LDAP query to construct if you were doing via vbscript. Here’s an example,
though I cannot vouch for its accuracy or reliability: http://www.tek-tips.com/viewthread.cfm?qid=1092019&page=7
Brian Cline, Business Systems Analyst
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct
803.739.1176 Fax
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid Umer
Farooqui
Sent: Tuesday, July 10, 2007 4:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Find inactive COMPUTER accounts
Hi
all..
Is
there any way to find out which COMPUTER account is inactive.. lets say if a
machine was disjoined of removed from the domain and the computer account was
not removed..
Is
there a scrip to find out the computer accounts that are inactive..??
P.S
: domain is Windws2003.
Thanks..
Regards,
Zaid Umer Farooqui
Network Engineer
MIS Department
=============================
DawlanceCenter (Head Office) ,
7/4, Civil Lines 9,
Dr. Ziauddin Ahmed Road,
Karachi.
Office: 021-5652450 (Ext 2456)
Cell: 0321-2108096 | | | |
|
|