I'm curious, how would you show activitity other than the last time the user authenticated? Since disabling the account would only affect the ability to authenticate (not including any external logic or process built on account status), I'm curious what other ways you would show account inactivity if not by lastlogon or lastlogontimestamp?
Thanks,
Jef
> Subject: RE: [ActiveDir] automatic account disable
> Date: Wed, 19 Apr 2006 14:25:24 -0700
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
>
> Still, there is nothing "automatic" natively in the OS to let him do this.
> Policy or no policy, he is looking at external intervention - third-party or
> a roll-your-own. Rolling his own may be burdensome because now he has to
> account for the number of ways an account can be active without necessarily
> logging in. Looking at Lastlogon or lastlogontimestamp is insufficient.
>
>
> Sincerely,
> _____
> (, / | /) /) /)
> /---| (/_ ______ ___// _ // _
> ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
> (_/ /)
> (/
> Microsoft MVP - Directory Services
> www.readymaids.com <http://www.readymaids.com> - we know IT
> www.akomolafe.com <http://www.akomolafe.com>
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday? -anon
>
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Al Mulnick
> Sent: Wed 4/19/2006 1:13 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] automatic account disable
>
>
> LOL. You're right, it is often advisable to disable first. I got caught up
> in the moment ;)
>
> Myke, there was a long conversation about such things a few months ago. You
> might want to search the archives to see what was said and see if you agree
> about what it says and suggests.
>
> An additional point to consider: start with policy as Neil suggests. If you
> have a policy that says to disable accounts and then delete later, or delete
> based on disuse, enforcement is pretty much an easy thing to do. Without the
> policy first, it can be a difficult train to ride.
>
>
>
> -ajm
>
>
> On 4/19/06, [EMAIL PROTECTED] <[EMAIL PROTECTED] > wrote:
>
> Would you not disable the account instead of locking it?
>
> A locked account may be unlocked in time (depends upon policy),
> whereas a disabled account needs admin intervention.
>
> my 2 penneth,
> neil
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]> ] On Behalf Of Al Mulnick
> Sent: 19 April 2006 15:52
>
> To: ActiveDir@mail.activedir.org
>
> Subject: Re: [ActiveDir] automatic account disable
>
>
>
> It's possible. What's your criteria?
>
> DSQUERY, DSMOD are two tools that are touted as being able to do this
> pretty easily. Joeware tools are better ( http://www.joeware.net
> <http://www.joeware.net/> ) for this task IMHO. Scripts, etc can also be
> used successfully.
>
> Al
>
>
> On 4/19/06, Myke < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> >
> wrote:
>
>
> hi guys,
>
> it's possible to make a automatic lockout in user accounts by
> inactivity, or I need a third party tool?
>
> thanks
>
> Myke
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
>
> PLEASE READ: The information contained in this email is confidential
> and
> intended for the named recipient(s) only. If you are not an intended
> recipient of this email please notify the sender immediately and
> delete your
> copy from your system. You must not copy, distribute or take any
> further
> action in reliance on it. Email is not a secure method of
> communication and
> Nomura International plc ('NIplc') will not, to the extent permitted
> by law,
> accept responsibility or liability for (a) the accuracy or
> completeness of,
> or (b) the presence of any virus, worm or similar malicious or
> disabling
> code in, this message or any attachment(s) to it. If verification of
> this
> email is sought then please request a hard copy. Unless otherwise
> stated
> this email: (1) is not, and should not be treated or relied upon as,
> investment research; (2) contains views or opinions that are solely
> those of
> the author and do not necessarily represent those of NIplc; (3) is
> intended
> for informational purposes only and is not a recommendation,
> solicitation or
> offer to buy or sell securities or related financial instruments.
> NIplc
> does not provide investment services to private customers. Authorised
> and
> regulated by the Financial Services Authority. Registered in England
> no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St
> Martin's-le-Grand,
> London, EC1A 4NP. A member of the Nomura group of companies.
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
