List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community.

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] Find inactive COMPUTER accounts
Page 2 of 2
4u3u
07/10/2007 10:38 AM  
What I was using is the whenChanged attribute. It is changed when any
attribute of the account is changed, so there's no need to check for pwdLastSet
and LastLogonTimeStamp separately. If it's old, you can be certain that
nobody/nothing has updated any attributes of this account for a long time.
--
Alexander Sukhovey
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Tuesday, July 10, 2007 5:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts

Computers are a subclass of user, meaning they have the same attributes
available. The pwdLastSet is available for users and computers, only
computers aren't required to change their passwords. They just do it
optionally. It can be disabled in various ways. You also have
lastLogonTimeStamp that is available in DFL2 mode as mentioned. This is the
replicated (until LH) form of last logon. OldCmp will use either method; by
default it will use pwdLastSet but you can use the -llts to use
lastLogonTimeStamp.

All that being said, there is NO GUARANTEED way of finding inactive
computers because there is no single attribute that can prove that fact.
That is why I have tons of safeties and you aren't allowed to just delete
computers right away; you have to at least disable them first.

Items I know for a fact that can cause issues here:

- VPN software can cause passwords to not be changed and occasionally I hear
  how the last logon attributes are also not updated.

- Cluster accounts do not update the fields.

For items like that you need to mark them in some way that oldcmp (or
anything) can identify them and skip them. I recommend setting up a new
attribute or putting something in the description or what not and then using
the -af switch to add to the filter to avoid those objects.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid Umer Farooqui
Sent: Tuesday, July 10, 2007 5:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts

Ooo so the last password change parameter is for the computer accounts
themselves .. sorry :p I misunderstood them for user account passwords ..
got it thanks :-)
Regards,
Zaid Umer Farooqui
Network Engineer
MIS Department
=============================
Dawlance Center (Head Office) ,
7/4, Civil Lines 9,
Dr. Ziauddin Ahmed Road,
Karachi.
Office: 021-5652450 (Ext 2456)
Cell: 0321-2108096

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dave Wade
Sent: Tuesday, July 10, 2007 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts

Computers have passwords too. They manage them themselves. They change
them from time to time. When they are not used, they can't change them.

> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Zaid
> Umer Farooqui
> Sent: 10 July 2007 10:25
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Find inactive COMPUTER accounts
>
> We let users manage their own passwords.. it's a medium sized
> setup 500 users at max..
>
> So there can be users that haven't changed their passwords in
> the last 6 months.. but this tool also uses last logon right
> ??? that might help...any concerns while running this tool ??
>
>
> Regards,
> Zaid Umer Farooqui
> Network Engineer
> MIS Department
> =============================
> Dawlance Center (Head Office) ,
> 7/4, Civil Lines 9,
> Dr. Ziauddin Ahmed Road,
> Karachi.
> Office: 021-5652450 (Ext 2456)
> Cell: 0321-2108096
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> Tomasz Onyszko
> Sent: Tuesday, July 10, 2007 2:11 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Find inactive COMPUTER accounts
>
> Lee, Ricky wrote:
> > You may also consider checking the passwordLastChange attribute for
> > computer objects in AD.
>
> hmmm... passwordLastSet and this is what oldcmp.exe does actually
>
> --
> Tomasz Onyszko
> http://www.w2k.pl/ - (PL)
> http://blogs.dirteam.com/blogs/tomek/ - (EN)
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
dloder
07/10/2007 10:49 AM  
And realize that moving to Server 2008 won't magically
index objectclass for forests upgraded from earlier
versions. I bugged that in beta 3, but they closed
with "as designed". So only new Server 2008 forests
will automatically have objectclass indexed. Everyone
else will want to manually index that attribute, if
they have not done so already.

--- Brian Cline wrote:

> Good call, no wonder it was running so slowly.
> Thanks.
>
> Brian Cline, Business Systems Analyst
> Department of Information Technology
> G&P Trucking Company, Inc.
> 803.936.8595 Direct
> 803.739.1176 Fax
>
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On
> Behalf Of joe
> Sent: Tuesday, July 10, 2007 9:13 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Find inactive COMPUTER
> accounts
>
> You will want to use objectcategory instead of
> objectclass unless you
> have indexed objectclass or are running LH.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
>
> ________________________________
>
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On
> Behalf Of Brian Cline
> Sent: Tuesday, July 10, 2007 8:22 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Find inactive COMPUTER
> accounts
> Oops. Forgot to mention that's actually the
> time/date conversion piece
> you'd need. The LDAP query is really as simple as:
>
> (&(objectClass=computer)(pwdLastSet
> Brian Cline, Business Systems Analyst
> Department of Information Technology
> G&P Trucking Company, Inc.
> 803.936.8595 Direct
> 803.739.1176 Fax
>
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On
> Behalf Of Brian Cline
> Sent: Tuesday, July 10, 2007 8:17 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Find inactive COMPUTER
> accounts
>
> Here's what I use:
>
> http://www.joeware.net/freetools/tools/oldcmp/index.htm
>
> Not exactly a script, but scriptable and flexible.
> It would also be a
> fairly easy LDAP query to construct if you were
> doing via vbscript.
> Here's an example, though I cannot vouch for its
> accuracy or
> reliability:
>
> http://www.tek-tips.com/viewthread.cfm?qid=1092019&page=7
>
>
> Brian Cline, Business Systems Analyst
> Department of Information Technology
> G&P Trucking Company, Inc.
> 803.936.8595 Direct
> 803.739.1176 Fax
>
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On
> Behalf Of Zaid Umer
> Farooqui
> Sent: Tuesday, July 10, 2007 4:32 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Find inactive COMPUTER accounts
>
> Hi all..
>
>
> Is there any way to find out which COMPUTER account
> is inactive.. let's
> say if a machine was disjoined or removed from the
> domain and the
> computer account was not removed..
> Is there a script to find out the computer accounts
> that are inactive..??
>
> P.S : domain is Windows 2003.
>
> Thanks..
>
>
> Regards,
> Zaid Umer Farooqui
> Network Engineer
> MIS Department
> =============================
> Dawlance Center (Head Office) ,
> 7/4, Civil Lines 9,
> Dr. Ziauddin Ahmed Road,
> Karachi.
> Office: 021-5652450 (Ext 2456)
> Cell: 0321-2108096
>
>
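
The pieces raised in this thread, put together as an added example that is not from any poster and is not OldCmp's code: the time/date conversion for pwdLastSet and lastLogonTimeStamp, a filter on objectCategory, an exclusion tag in description, and a triage that only ever proposes disabling. The tag text NO-AGE-OUT, the function names and the sample records are assumptions constructed for illustration, and counting an account as active when either timestamp is recent is this example's own policy.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet and lastLogonTimestamp hold 100 ns ticks counted from this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MARKER = "NO-AGE-OUT"  # hypothetical tag placed in description for exempt machines


def to_filetime(dt):
    """Aware datetime -> integer in the form AD stores in pwdLastSet."""
    if dt.tzinfo is None:
        raise ValueError("need a timezone-aware datetime")
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ticks):
    """FILETIME integer -> aware UTC datetime, for readable reports."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def escape_filter_value(value):
    """Escape a literal for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_stale_filter(cutoff, attribute="pwdLastSet", skip_marker=None):
    """Filter for computer accounts whose timestamp is at or before cutoff."""
    if attribute not in ("pwdLastSet", "lastLogonTimestamp"):
        raise ValueError("unsupported attribute: " + attribute)
    # objectCategory rather than objectClass, as advised in the thread.
    parts = ["(objectCategory=computer)",
             "(%s<=%d)" % (attribute, to_filetime(cutoff))]
    if skip_marker:
        parts.append("(!(description=*%s*))" % escape_filter_value(skip_marker))
    return "(&" + "".join(parts) + ")"


def triage(record, cutoff, skip_marker=MARKER):
    """Classify one account as skip, review, active or disable (never delete)."""
    if skip_marker and skip_marker in (record.get("description") or ""):
        return "skip"
    stamps = [record.get("pwdLastSet") or 0, record.get("lastLogonTimestamp") or 0]
    seen = [s for s in stamps if s > 0]
    if not seen:
        return "review"   # no usable timestamp: a person has to look
    if max(seen) > to_filetime(cutoff):
        return "active"   # one recent attribute is enough to keep it
    return "disable"      # every available timestamp is old


def plan(records, now, max_age_days, skip_marker=MARKER):
    """Map each computer name to its proposed action."""
    cutoff = now - timedelta(days=max_age_days)
    return {r["name"]: triage(r, cutoff, skip_marker) for r in records}


def _ft(y, m, d):
    return to_filetime(datetime(y, m, d, tzinfo=timezone.utc))


# Constructed sample records, not taken from any real directory.
NOW = datetime(2007, 7, 10, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "WS-OLD", "pwdLastSet": _ft(2006, 11, 1),
     "lastLogonTimestamp": _ft(2006, 12, 1)},
    # Password never rotates behind the VPN client, but logons still show up.
    {"name": "LAPTOP-VPN", "pwdLastSet": _ft(2006, 10, 1),
     "lastLogonTimestamp": _ft(2007, 7, 1)},
    # Cluster name object: stale on paper, tagged so it is skipped.
    {"name": "CLUSTER-SQL", "pwdLastSet": _ft(2006, 1, 15),
     "lastLogonTimestamp": None, "description": MARKER + " cluster name"},
    {"name": "PRESTAGED", "pwdLastSet": 0, "lastLogonTimestamp": None},
    {"name": "WS-NEW", "pwdLastSet": _ft(2007, 6, 20), "lastLogonTimestamp": None},
]

if __name__ == "__main__":
    cutoff = NOW - timedelta(days=90)
    print(build_stale_filter(cutoff, skip_marker=MARKER))
    for name, action in plan(SAMPLE, NOW, 90).items():
        stamp = next(r for r in SAMPLE if r["name"] == name)["pwdLastSet"]
        when = from_filetime(stamp).date() if stamp else "never"
        print("%-12s pwdLastSet=%-10s -> %s" % (name, when, action))
```
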


neilruston1
07/10/2007 10:56 AM  
... You mean some people haven't done that yet!

:)

neil

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Loder
Sent: 10 July 2007 15:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts

And realize that moving to Server 2008 won't magically index objectclass for
forests upgraded from earlier versions. I bugged that in beta 3, but they
closed with "as designed". So only new Server 2008 forests will
automatically have objectclass indexed. Everyone else will want to manually
index that attribute, if they have not done so already.

baiken
07/10/2007 11:23 AM  
If you're a Win2k3 domain:
Dsquery.exe computer -inactive

To disable all PCs that have been inactive for 12 weeks:
dsquery.exe computer -inactive 12 | dsmod.exe computer -disabled yes

--
Brandon Aiken
CS/IT Systems Engineer
4u3u
07/11/2007 1:12 AM  
Thanks for pointing that out. I see you've even blogged on this topic:
http://blog.joeware.net/2006/10/03/655/

But in case of inactive computer accounts... wouldn't whenChanged be updated
when other attributes (like pwdLastSet) replicate to other DCs?.. I agree
though that it will be less accurate especially in large environments.

--
Alexander Sukhovey
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, July 11, 2007 12:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Find inactive COMPUTER accounts

It's also changed when you build a new DC, i.e. every object will have a time
stamp for whenchanged that is after the DC was built. Plus this attribute
ISN'T replicated so you properly would need to ask every DC for it just like
lastlogon.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


JanisWolf-Pittel
07/11/2007 12:03 PM  
It's very annoying to get read receipt requested on this listserv.
Please have all users turn that off.
Thanks,
Janis
