RE: Expire accounts from Active Directory after a period of inactivity
From: Geoff Craig (GCraig@quilogy.com)
Date: 03/21/03
Date: Thu, 20 Mar 2003 21:36:56 -0600 From: "Geoff Craig" <GCraig@quilogy.com> To: "Matt Grogan" <mattgrogan@bnbbank.com>, <focus-ms@securityfocus.com>
Hey Matt,
I don't know of a third party app that can do this, but you could do it
programmatically with WMI/ADSI. Every domain controller has an
attribute called lastlogon. It is stored in a format that is not easily
readable with a utility like LDP, but using this script from MSDN
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wsconwshwmi.asp
You get a value that I believe turns out something like this...
YYYYMMDDHHMMSS
And then a . with some other numbers behind it. So, if you tweak this
script and set the UserAccountControl attribute you can disable users.
Please keep in mind that the lastlogon attribute is a NON-replicated
attribute. So if you have a bunch of domain controllers you will need
to check each one because they write this attribute independent of each
other. In other words the lastlogon attribute is the last time they
logged on and were authenticated by that domain controller.
Good Luck!
Geoff Craig
Quilogy
-----Original Message-----
From: Matt Grogan [mailto:mattgrogan@bnbbank.com]
Sent: Thursday, March 20, 2003 9:06 AM
To: focus-ms@securityfocus.com
Hi,
I'm just wondering if anyone knows of a way to have Active Directory
accounts automatically disable if the account has not been logged onto
for a specified period of time (say 30 days).
Thank you.
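
An added example, not part of the original messages or the MSDN script: because lastlogon is written independently by each domain controller, the newest value across all of them has to be taken before an account is judged inactive. The sketch assumes the values have already been read from each DC as raw lastLogon integers (100-nanosecond intervals since 1601-01-01 UTC); the DC names, user names and sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002  # userAccountControl bit that disables the account

def filetime_to_dt(ft):
    """Raw lastLogon value -> UTC datetime; 0 means no logon recorded on that DC."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def merge_last_logon(per_dc):
    """{dc: {user: lastLogon}} -> {user: newest lastLogon seen on any DC}."""
    merged = {}
    for users in per_dc.values():
        for user, ft in users.items():
            merged[user] = max(merged.get(user, 0), ft)
    return merged

def stale_accounts(per_dc, now, max_idle_days=30):
    """Return [(user, last_logon_or_None)] for accounts idle past the limit."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for user, ft in sorted(merge_last_logon(per_dc).items()):
        last = filetime_to_dt(ft)
        if last is None or last < cutoff:  # None: never logged on anywhere
            stale.append((user, last))
    return stale

def with_account_disabled(uac):
    """Set ACCOUNTDISABLE while preserving every other userAccountControl flag."""
    return uac | ACCOUNTDISABLE

# Constructed sample data: per-DC lastLogon values for three hypothetical users.
NOW = datetime(2003, 3, 21, tzinfo=timezone.utc)
def days_ago(n):
    return dt_to_filetime(NOW - timedelta(days=n))

SAMPLE = {
    "dc1": {"alice": days_ago(60), "bob": days_ago(45), "carol": 0},
    "dc2": {"alice": days_ago(5), "bob": 0, "carol": 0},
}

if __name__ == "__main__":
    for user, last in stale_accounts(SAMPLE, NOW):
        print(user, last or "never", hex(with_account_disabled(0x200)))
```

Looking at dc1 alone would flag alice, who logged on through dc2 five days earlier. An account with no logon recorded on any DC (carol) is reported with no date; a newly created account looks the same, so review those before disabling.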