RE: How to generate a report of inactive domain user accounts

From: Chapman, Justin T (JtChapma@bhi-erc.com)
Date: 04/12/03

  • Next message: Tiago Halm: "RE: How to generate a report of inactive domain user accounts"
    From: "Chapman, Justin T" <JtChapma@bhi-erc.com>
    To: focus-ms@securityfocus.com
    Date: Fri, 11 Apr 2003 15:36:14 -0700
    
    

    If you're inclined to perl at all, you may want to check out some of the
    Win32 perl modules which are available also. Writing your own script to do
    this sort of thing can save a considerable amount of money over many
    commercial products. For more information, look at
    http://www.activestate.com for perl installs for Win32 and
    http://www.roth.net which has *the* definitive books on Win32 perl
    programming (it also happens to be on the *very* cool
    http://safari.oreilly.com site). The Roth site also has some powerful perl
    modules for administering Windows networks.

    I wrote two scripts a while back to do this very thing. You do have to walk
    through each domain controller and compare the timestamps, but that is
    pretty trivial to script. The neat thing about the perl tools is that you
    get a hash of user information passed back when you make the queries, which
    contains almost every imaginable setting on the users account. They are
    then very easy to reference and work with. Perl also includes an easy
    function to turn the epoch date format in to local time format... :) If
    anyone is interested, feel free to contact me offline.

    Also, check out Microsoft's script center page at:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter

    It contains hundreds of scripting examples.

    --justin
    God is REAL! Unless explicitly declared INTEGER.

    -----Original Message-----
    From: Benjamin D. Goldman [mailto:bgoldman@kipany.com]
    Sent: Friday, April 11, 2003 2:14 PM
    To: Amarante, Rodrigo P.; Brian E; focus-ms@securityfocus.com
    Subject: RE: How to generate a report of inactive domain user accounts

    As an aside - that int8 format that the time is stored in happens to be
    the same format that SQL Server stores a standard datetime field in (this is
    different from the smalldatetime, which is a 4-byte integer).

    If you want to dump the logs into SQL Server, you might be able to
    forgo this 'problem', but alas, I have never tried this.

    -----Original Message-----
    From: Amarante, Rodrigo P. [mailto:RPAmarante@directvla.com]
    Sent: Friday, April 11, 2003 5:00 PM
    To: Brian E; focus-ms@securityfocus.com
    Subject: RE: How to generate a report of inactive domain user accounts

    Brian,

    Each time a Domain Controller authenticates a user, it records that time
    (in a funky format) in the lastLogon attribute of that user's object in
    Active Directory. The problem is that each domain controller has its
    own values for that attribute. So, if joe user got authenticated by
    Domain Controller A on 04/09/2003 at 10:10AM and the next day he gets
    authenticated by Domain Controller B at 09:00AM, the user's real last
    logon was 04/10/2003 at 09:00AM, but if you only query Domain Controller
    A it will show up as being 04/09/2003 at 10:10AM.
    So in order for you to get an accurate last logon, you must query all
    Domain Controllers for the domain and then compare the values of the
    lastLogon attribute. The value is stored as an INTEGER8, so in order
    to get it to work you have to get the high part and the low part...

    I wrote a tool using the .NET framework that gives you the "real"
    lastLogon attribute of a given user or of all users in the domain. The
    only "complicated" thing is to convert the value to an actual human
    readable time format...

    -----Original Message-----
    From: Brian E [mailto:brian_anon@hotmail.com]
    Sent: Friday, April 11, 2003 7:56 AM
    To: focus-ms@securityfocus.com

    Can anyone provide some suggestions or list of tools available to
    generate a report of inactive domain user accounts within an OU?

    We're using Active Directory with Windows 2000 and have OUs defined for
    different groups of users. I'd like to generate the report by OU.

    We also have multiple domain controllers (I've had issues with "last
    true logon" in the past). I would like a list of users who have not logged in
    within X days (preferably 90 days, but I'd like to modify this
    threshold).

    Criteria for an inactive account:

    - Not logged on for X days (X will be provided at time of generating the
      report)
    - Not disabled
    - Password is set to expire

    Regards,

    Brian

    brian_anon@hotmail.com

    ----------------------------------------------------------------------
    Block Spam, Smut & Viruses
    SurfControl E-mail Filter for SMTP & Exchange leverages multiple layers
    of
    technology including filtering embedded and attached file content. Rid
    your
    enterprise of unwanted content.
    http://www.securityfocus.com/SurfControl-focus-ms2
    Download your free fully functional trial, complete with 30-days of free
    technical support.
    ----------------------------------------------------------------------

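The three messages above describe one procedure: query every domain controller for lastLogon (it is not replicated), keep the newest value per user, convert the INTEGER8 FILETIME (100-nanosecond ticks since 1601-01-01 UTC) into a readable time, then apply Brian's criteria (in the OU, not disabled, password set to expire, idle longer than X days). The following is an added example written for this page; it is not Justin's Perl script, Rodrigo's .NET tool, or anything posted in the thread. It is Python, the LDAP query per DC is replaced by constructed per-DC result sets (the DC names, DNs, dates and `userAccountControl` values are made up), and `inactive_accounts`, `true_last_logon` and `large_integer_to_int` are hypothetical helper names:

```python
"""Stale AD user accounts in an OU, combining the non-replicated lastLogon
values from every domain controller.  Added example: the per-DC LDAP search
is simulated with constructed sample data (see SAMPLE_DC_RESULTS)."""
from datetime import datetime, timedelta, timezone

# lastLogon is an INTEGER8 FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bits (fixed values from the AD schema).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000


def large_integer_to_int(high_part, low_part):
    """Reassemble an INTEGER8 from the HighPart/LowPart halves ADSI exposes.
    LowPart arrives as a signed 32-bit value, so mask it back to unsigned."""
    return (high_part << 32) | (low_part & 0xFFFFFFFF)


def filetime_to_datetime(filetime):
    """FILETIME ticks -> aware UTC datetime; 0 means 'never logged on'."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used below to build sample data)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def true_last_logon(per_dc_filetimes):
    """lastLogon is not replicated: the real last logon is the newest value
    held by any DC.  None when no DC has ever authenticated the user."""
    return filetime_to_datetime(max(per_dc_filetimes))


def inactive_accounts(per_dc_results, ou_dn, threshold_days, now):
    """per_dc_results: {dc: {user_dn: {lastLogon, userAccountControl, whenCreated}}}.
    Returns [(user_dn, last_logon or None, days_idle)] for enabled users in
    ou_dn whose password expires and who have not logged on in threshold_days."""
    cutoff = now - timedelta(days=threshold_days)
    users = set().union(*per_dc_results.values())   # every DN seen on any DC
    report = []
    for dn in sorted(users):
        if not dn.lower().endswith("," + ou_dn.lower()):
            continue
        entries = [r[dn] for r in per_dc_results.values() if dn in r]
        uac = entries[0]["userAccountControl"]     # replicated: same on every DC
        if uac & UF_ACCOUNTDISABLE or uac & UF_DONT_EXPIRE_PASSWD:
            continue
        last = true_last_logon(e["lastLogon"] for e in entries)
        # Never logged on anywhere: age the account from its (replicated) creation time.
        reference = last if last is not None else entries[0]["whenCreated"]
        if reference > cutoff:
            continue
        report.append((dn, last, (now - reference).days))
    return report


# ---- constructed sample data, standing in for one LDAP search per DC ----
def ft_utc(*ymdhm):
    return datetime_to_filetime(datetime(*ymdhm, tzinfo=timezone.utc))


def make_user(last_logon, uac=UF_NORMAL_ACCOUNT):
    return {"lastLogon": last_logon, "userAccountControl": uac,
            "whenCreated": datetime(2001, 1, 1, tzinfo=timezone.utc)}


SALES = "OU=Sales,DC=example,DC=com"
JOE, BOB, CAROL, DAVE, EVE = (f"CN={n},{SALES}" for n in ("joe", "bob", "carol", "dave", "eve"))
FRANK = "CN=frank,OU=Eng,DC=example,DC=com"
STALE = ft_utc(2002, 12, 1, 8, 0)

SAMPLE_DC_RESULTS = {
    "DC-A": {JOE: make_user(ft_utc(2003, 4, 9, 10, 10)), BOB: make_user(STALE),
             CAROL: make_user(STALE, UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE),
             DAVE: make_user(STALE, UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
             EVE: make_user(0), FRANK: make_user(STALE)},
    "DC-B": {JOE: make_user(ft_utc(2003, 4, 10, 9, 0)), BOB: make_user(0),
             CAROL: make_user(0, UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE),
             DAVE: make_user(0, UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
             EVE: make_user(0), FRANK: make_user(0)},
}
NOW = datetime(2003, 4, 11, 15, 0, tzinfo=timezone.utc)


def run_report(threshold_days=90):
    return inactive_accounts(SAMPLE_DC_RESULTS, SALES, threshold_days, NOW)


if __name__ == "__main__":
    for dn, last, idle in run_report():
        when = last.isoformat() if last else "never"
        print(f"{dn:45} last logon: {when:25} idle {idle} days")
```

With the sample data, joe is active (DC-B holds the newer logon, which is exactly the case Rodrigo describes), carol is skipped because she is disabled, dave because his password never expires, frank because he is outside the OU, and only bob and eve are reported. Accounts that have never logged on anywhere return a lastLogon of 0 on every DC; the example ages those from whenCreated so a fresh account is not flagged on day one. To use it for real, replace SAMPLE_DC_RESULTS with the result of one LDAP search per DC (every DC in the domain, not just the ones that answer first), and note that a DC that is unreachable at report time silently drops its logons from the comparison, so record which DCs were actually queried. On Windows Server 2003 and later the replicated lastLogonTimestamp attribute avoids the per-DC walk, but it is only refreshed when the stored value is roughly 14 days old by default, so it is coarse compared with the true lastLogon.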

