RE: How to generate a report of inactive domain user accounts

From: Amarante, Rodrigo P. (RPAmarante@directvla.com)
Date: 04/11/03

    Date: Fri, 11 Apr 2003 17:00:27 -0400
    From: "Amarante, Rodrigo P." <RPAmarante@directvla.com>
    To: "Brian E" <brian_anon@hotmail.com>, <focus-ms@securityfocus.com>
    

    Brian,

    Each time a Domain Controller authenticates a user, it records that time
    (in a funky format) in the lastLogon attribute of that user's object in
    Active Directory. The problem is that each domain controller has its
    own values for that attribute. So, if joe user got authenticated by
    Domain Controller A on 04/09/2003 at 10:10AM and the next day he gets
    authenticated by Domain Controller B at 09:00AM, the user's real last
    logon was 04/10/2003 at 09:00AM, but if you only query Domain Controller
    A it will show up as being 04/09/2003 at 10:10AM.
    So in order for you to get an accurate last logon, you must query all
    Domain Controllers for the domain and then compare the values of the
    lastLogon attribute. The value is stored as an INTEGER8, so in order
    for you to get the high part and the low part to get it to work...

    I wrote a tool using the .NET framework that gives you the "real"
    lastlogon attribute of a given user or of all users in the domain. The
    only "complicated" thing is to convert the value to an actual human
    readable time format...
    -----Original Message-----
    From: Brian E [mailto:brian_anon@hotmail.com]
    Sent: Friday, April 11, 2003 7:56 AM
    To: focus-ms@securityfocus.com

    Can anyone provide some suggestions or list of tools available to
    generate a report of inactive domain user accounts within an OU?

    We're using Active Directory with Windows 2000 and have OUs defined for
    different groups of users. I'd like to generate the report by OU.

    We also have multiple domain controllers (I've had issues with "last
    true logon" in the past). I would like a list of users who have not
    logged in within X days (preferably 90 days, but I'd like to modify
    this threshold).

    Criteria for an inactive account:

    - Not logged on for X days (X will be provided at time of generating the
      report)
    - Not disabled
    - Password is set to expire

    Regards,

    Brian

    brian_anon@hotmail.com
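As an added illustration (this is not Rodrigo's .NET tool and not code from the thread): joining the INTEGER8 high/low halves of lastLogon into a readable UTC time, taking the newest value across the DCs queried, and applying Brian's three criteria. The userAccountControl bit values are Microsoft's documented flags; the account names, per-DC values and report time are constructed sample data, and the constructed timestamps are treated as UTC.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (documented Microsoft values, not from the post)
ACCOUNTDISABLE, DONT_EXPIRE_PASSWORD, NORMAL_ACCOUNT = 0x0002, 0x10000, 0x0200
# lastLogon is a FILETIME: 100-ns ticks since 1601-01-01 UTC, stored as INTEGER8
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(high, low):
    """Join the high/low 32-bit halves into a UTC datetime; 0 means never logged on."""
    ticks = (high << 32) | low
    return None if ticks == 0 else _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime_parts(dt):
    """Inverse of the above, used here only to build the constructed sample data."""
    ticks = ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return ticks >> 32, ticks & 0xFFFFFFFF

def true_last_logon(per_dc_values):
    """lastLogon is not replicated, so the real value is the newest one across all DCs."""
    stamps = [s for s in (filetime_to_datetime(h, l) for h, l in per_dc_values) if s]
    return max(stamps) if stamps else None

def inactive_accounts(users, days, now):
    """Brian's criteria: no logon for `days` days, not disabled, password set to expire."""
    cutoff = now - timedelta(days=days)
    report = []
    for name, attrs in users.items():
        uac = attrs["userAccountControl"]
        if uac & (ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD):
            continue  # disabled, or password never expires: out of scope
        last = true_last_logon(attrs["lastLogon"])
        if last is None or last < cutoff:  # never logged on also counts as inactive
            report.append((name, last))
    return report

def _ft(y, m, d, hh, mm):  # constructed sample timestamp, treated as UTC
    return datetime_to_filetime_parts(datetime(y, m, d, hh, mm, tzinfo=timezone.utc))

# Constructed sample: one (high, low) pair per DC, as read from DC A and DC B respectively
SAMPLE_USERS = {
    "joe":     {"userAccountControl": NORMAL_ACCOUNT, "lastLogon": [_ft(2003, 4, 9, 10, 10), _ft(2003, 4, 10, 9, 0)]},
    "olduser": {"userAccountControl": NORMAL_ACCOUNT, "lastLogon": [_ft(2002, 12, 1, 8, 0), (0, 0)]},
    "gone":    {"userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE, "lastLogon": [_ft(2002, 1, 1, 8, 0), (0, 0)]},
    "svc":     {"userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, "lastLogon": [(0, 0), (0, 0)]},
    "newhire": {"userAccountControl": NORMAL_ACCOUNT, "lastLogon": [(0, 0), (0, 0)]},
}
NOW = datetime(2003, 4, 11, 17, 0, tzinfo=timezone.utc)  # constructed report time

if __name__ == "__main__":
    for name, last in inactive_accounts(SAMPLE_USERS, 90, NOW):
        print(name, last.isoformat() if last else "never logged on")
```

With the 90-day threshold, joe is active because DC B holds the newer value, while olduser and the never-logged-on newhire are reported; the disabled and password-never-expires accounts are skipped.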


