RE: Expire accounts from Active Directory after a period of inactivity

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 03/25/03

    From: "Laura A. Robinson" <larobins@bellatlantic.net>
    To: "'Nero, Nick'" <Nick.Nero@disney.com>, "'Clark, Andre M.'" <Andre.Clark@aoltw.com>, "'Matt Grogan'" <mattgrogan@bnbbank.com>, <focus-ms@securityfocus.com>
    Date: Mon, 24 Mar 2003 18:23:59 -0500
    
    

    One thing to be conscious of: in Windows 2000, last logon time/date is not
    replicated through AD. It is stored locally on the authenticating DC.
    Therefore, you could not simply query AD for this information; you would
    have to query each DC. In Windows Server 2003, once you've raised your
    domain and forest functional levels to Windows Server 2003 (no downlevel
    DCs), the ability to retrieve logon time/date from AD exists and the
    information replicates. In fact, there is a pre-defined query in ADU&C in
    Windows Server 2003 for just this purpose.

    Laura

    > -----Original Message-----
    > From: Nero, Nick [mailto:Nick.Nero@disney.com]
    > Sent: Friday, March 21, 2003 4:23 PM
    > To: Clark, Andre M.; Matt Grogan; focus-ms@securityfocus.com
    > Subject: RE: Expire accounts from Active Directory after a
    > period of inactivity
    >
    >
    > The VBScript for that would be painfully easy. Query AD in
    > the OU with your user groups for all accounts that have been
    > inactive for 30 or more days, then you can simply disable
    > them with a similar ADSI method.
    >
    > It does seem better though to store the output to a SQL
    > database. If you have a large AD tree (we have 70,000 user
    > accounts!) querying it can really be torturous to your DCs.
    > Query it once a month or once a week on Sat. night and then
    > query the database more frequently.
    >
    > -----Original Message-----
    > From: Clark, Andre M. [mailto:Andre.Clark@aoltw.com]
    > Sent: Thursday, March 20, 2003 6:40 PM
    > To: Matt Grogan; focus-ms@securityfocus.com
    >
    > Matt,
    >
    > I haven't seen anything native in AD to do this but there are
    > great AD delegation/enhancement tools that can do it (i.e.
    > NetIQ's Directory and Resource Administrator). Your other
    > option, and this would depend on your scripting expertise,
    > would be to write either a VBS or Perl script that could
    > accomplish this task.
    >
    > -----Original Message-----
    > From: Matt Grogan [mailto:mattgrogan@bnbbank.com]
    > Sent: Thursday, March 20, 2003 10:06
    > To: focus-ms@securityfocus.com
    > Subject: Expire accounts from Active Directory after a period
    > of inactivity
    >
    >
    > Hi,
    >
    > I'm just wondering if anyone knows of a way to have Active
    > Directory accounts automatically disable if the account has
    > not been logged onto for a specified period of time (say 30 days).
    >
    > Thank you.
    >
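The approach Nick sketches (find accounts with no logon in 30 days, then disable them) combined with Laura's caveat that lastLogon lives only on the authenticating DC, as an added PowerShell example that is not from this thread. It assumes the ActiveDirectory module, a placeholder OU distinguished name, and runs as a dry run (-WhatIf) until the report has been reviewed.

```powershell
# Added example, not code from the thread. Queries EVERY domain controller
# for the non-replicated lastLogon attribute, keeps the newest value per
# account, and reports accounts idle for 30+ days before (optionally)
# disabling them. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

$SearchBase   = 'OU=Users,DC=example,DC=com'   # placeholder OU, adjust
$InactiveDays = 30
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# Newest lastLogon seen per account across all DCs, keyed by SamAccountName
$LastSeen = @{}
foreach ($dc in Get-ADDomainController -Filter *) {
    $users = Get-ADUser -Server $dc.HostName -SearchBase $SearchBase `
                -Filter 'Enabled -eq $true' -Properties lastLogon, whenCreated
    foreach ($u in $users) {
        $sam = $u.SamAccountName
        $t   = [int64]$u.lastLogon   # FILETIME; 0/absent = never logged on at this DC
        if (-not $LastSeen.ContainsKey($sam) -or $t -gt $LastSeen[$sam].Logon) {
            $LastSeen[$sam] = @{ Logon = $t; Created = $u.whenCreated }
        }
    }
}

# Edge case: an account that has never logged on anywhere is judged by its
# creation date, so newly created accounts are not disabled prematurely.
$Stale = foreach ($sam in $LastSeen.Keys) {
    $entry = $LastSeen[$sam]
    $when  = if ($entry.Logon -eq 0) { $entry.Created }
             else { [DateTime]::FromFileTime($entry.Logon) }
    if ($when -lt $Cutoff) {
        [pscustomobject]@{ SamAccountName = $sam; LastActivity = $when }
    }
}

$Stale | Sort-Object LastActivity | Format-Table -AutoSize

# Dry run: remove -WhatIf only after reviewing the report and excluding
# service or other accounts that legitimately never log on interactively.
$Stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

At Windows Server 2003 forest functional level the replicated lastLogonTimestamp attribute can be read from a single DC instead, but it is only refreshed when the stored value is more than the msDS-LogonTimeSyncInterval (14 days by default) old, so it answers "inactive for 30 days" only to within that margin.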

