| Author | Messages | |
aaactivedirorg
Posts:2
 | | 09/24/2008 2:42 PM |
| What tool can I use to quickly find out who/when an AD account password was changed? Any of Joe's tools can do this?
TIA
Alex
| | | |
| davewade
Posts:93
 | | 09/24/2008 2:44 PM |
| The Account Lockout Status tool you can download from Microsoft will show this.
Dave Wade Business Services I.C.T. 0161 474 5456
| | | |
| TG
Posts:255
 | | 09/24/2008 2:46 PM |
| Return Receipt
Your document: RE: [ActiveDir] Finding out Who/When AD account password
was received by: Tony.Gordon@hewitt.com
at: 09/24/2008 10:15:33 AM
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
| | | |
| MThommes
Posts:106
 | | 09/24/2008 2:46 PM |
| Adfind from www.joeware.net <http://www.joeware.net/>
- password last set: adfind -default -tdcas -f samaccountname={user login name} pwdlastset
- password never expires: adfind -default -bit -f "&((objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=65536))" dn
- user can't change password: adfind -default -bit -f "&((objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=64))" dn
Mike Thommes
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Alex Alborzfard Sent: Wednesday, September 24, 2008 10:00 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Finding out Who/When AD account password
I'm assuming by timestamp you mean the one listed under Last Bad Pwd. I checked the Event log and there are 5 events at the same exact time and they all have Anonymous as the account logged in. In addition, the password was changed again, a few minutes later, and that also has Anonymous as the account logged on.
On a related note, what tool can I use to find out "Password Never Expires" & "User Cannot Change Password" values?
On Wed, Sep 24, 2008 at 10:41 AM, Dave Wade <dave.wade@stockport.gov.uk> wrote:
I don't think machine name/IP is logged, but "who" will be recorded in the security event log on the DC that changed the password. If you have a lot of DCs this may take some time to find...
... although you do have the time stamp from the status program...
Dave Wade
Business Services I.C.T.
0161 474 5456
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Alex Alborzfard
Sent: 24 September 2008 15:34
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Finding out Who/When AD account password
It tells me when, but not who (user/machine name/IP address).
| | | |
| kbatkbslpcom
Posts:148
 | | 09/24/2008 2:46 PM |
| So you have the WHEN and the WHERE. Now you need to look in the security log of that domain controller (WHERE), around the time it occurred (WHEN) and (assuming logging is enabled on your domain controllers) you can look for the event which should have the information on the WHO.
I think (but I may be wrong) that event 642 is the 'reset' password event (account management events).
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Alex Alborzfard Sent: Wednesday, September 24, 2008 12:15 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Finding out Who/When AD account password
I have that information, but it doesn't help much.
On Wed, Sep 24, 2008 at 11:15 AM, Tony Gordon <Tony.Gordon@hewitt.com> wrote:
repadmin /showobjmeta will show the originating Domain Controller, I believe, which will make it a bit easier.
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 | USA Tel 847.295.5000 x50526 | Fax 847.554.1574 tony dot gordon at hewitt dot com | www.hewitt.com <http://www.hewitt.com>
| | | |
| aaactivedirorg
Posts:2
 | | 09/24/2008 3:43 PM |
| Running the first one gives me this error:
ERROR: Bad Command Line Arg(s) ERROR: tdcas
| | | |
| listmail
Posts:763
 | | 09/24/2008 4:24 PM |
| You have an older version of adfind most likely. For this specific case you could use -tdcs. The -tdcas also decodes generalized time strings to friendlier format.
The others have mentioned that you can tell when a password was changed and possibly[1] the DC on which it was changed (from the metadata). Getting the who can only be retrieved from the audit logs if you have enough auditing enabled.
Also if you want to look at a specific user and see what user account control flags are set, ask for the userAccountControl attribute and add the -samdc switch which will then decode them for you.
joe
[1] Only possibly because password changes are special in that they are sent out of band to the PDC as well, and since that update will likely be after the real originating update, it will probably overwrite the metadata on all the DCs to show the PDC.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
| kbatkbslpcom
Posts:148
 | | 09/24/2008 4:36 PM |
| The point below that Joe made is a good one (the [1]) - The replication to the PDC and then outward slipped my mind ("senior moment").
The original post I started was going to suggest getting eventcomb (download from Microsoft) so you can easily scan all the security logs of all the DCs for the specific event - and you can even put in the user ID of the account being changed. (The file may be called eventcombmt - one of those should give the correct download from Microsoft.)
| | | |
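The WHEN-then-WHO steps described across this thread (take pwdLastSet, then look for the account-management event around that time in every DC's Security log), as an added example that is not code from any poster or from the tools they name. It assumes the log records have already been exported into dictionaries; the field names, DC names, accounts and sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)

# Account-management event IDs that record password activity. 642 is the ID
# named in the thread; the others come from Microsoft's event documentation
# (627/628 on Server 2003-era DCs, 4723/4724/4738 on Server 2008 and later).
PASSWORD_EVENTS = {
    627: "change password attempt", 4723: "change password attempt",
    628: "password set (reset)", 4724: "password reset attempt",
    642: "user account changed", 4738: "user account changed",
}

def filetime_to_utc(raw):
    """Decode a raw pwdLastSet value: 100 ns ticks since 1601-01-01 UTC."""
    raw = int(raw)
    if raw == 0:            # 0 means "must change password at next logon"
        return None
    return FILETIME_EPOCH + timedelta(microseconds=raw // 10)

def find_password_events(events, target, pwd_last_set_raw, slack_seconds=120):
    """Return password events for `target` near pwdLastSet, oldest first.

    Records from every DC are searched, because the replication metadata may
    name the PDC rather than the DC that took the original change.
    """
    when = filetime_to_utc(pwd_last_set_raw)
    if when is None:
        return []           # no timestamp to pivot on
    slack = timedelta(seconds=slack_seconds)
    hits = []
    for ev in events:
        if ev["id"] not in PASSWORD_EVENTS:
            continue
        if ev["target"].lower() != target.lower():
            continue        # sAMAccountName comparison is case-insensitive
        if abs(ev["time"] - when) > slack:
            continue
        hits.append({**ev, "what": PASSWORD_EVENTS[ev["id"]],
                     "anonymous_caller": ev["caller"].upper() == "ANONYMOUS LOGON"})
    return sorted(hits, key=lambda h: h["time"])

def _ev(dc, event_id, hms, target, caller):
    """Build one constructed sample record dated 2008-09-24 (UTC)."""
    return {"dc": dc, "id": event_id, "target": target, "caller": caller,
            "time": datetime(2008, 9, 24, *hms, tzinfo=UTC)}

# Constructed sample data: DC, account and caller names are hypothetical.
SAMPLE_PWD_LAST_SET = "128667384000000000"      # 2008-09-24 14:00:00 UTC
SAMPLE_EVENTS = [
    _ev("DC01", 642, (14, 0, 1), "jsmith", "helpdesk1"),
    _ev("DC01", 628, (14, 0, 0), "jsmith", "helpdesk1"),
    _ev("DC02", 627, (14, 1, 30), "JSmith", "ANONYMOUS LOGON"),
    _ev("DC02", 628, (9, 0, 0), "jsmith", "admin2"),        # outside the window
    _ev("DC01", 628, (14, 0, 5), "other", "helpdesk1"),     # different account
    _ev("DC02", 540, (14, 0, 2), "jsmith", "jsmith"),       # not a password event
]

if __name__ == "__main__":
    for h in find_password_events(SAMPLE_EVENTS, "jsmith", SAMPLE_PWD_LAST_SET):
        print(h["time"].isoformat(), h["dc"], h["id"], h["what"], h["caller"])
```

A hit flagged `anonymous_caller` matches what the original poster saw in the log: the event exists, but the caller field alone does not identify a person.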
| kamleshap
Posts:51
 | | 10/07/2008 4:21 PM |
| Here is an excellent article on finding the real DC on which the password was changed: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/161.aspx
--Kamlesh ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Argue for your limitations, and sure enough, they're yours. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |