Ahhh...I thought you were alluding to some magical attribute in the 3rd dimension I did not know about in the Directory. :)
Yes, I agree, process and policy need to govern activity, not just what the directory reports. :)
Thanks,
Jef
> Subject: RE: [ActiveDir] automatic account disable
> Date: Wed, 19 Apr 2006 14:56:20 -0700
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
>
> None. This is where the policy/process element comes in. You know which of
> your accounts are "service accounts" and which of your users are on vacation.
> You do a periodic query of your lastlogon/timestamp, you filter out your
> "service accounts" and your vacationing users from the list, send emails to
> the rest and wait for a response. If no response, you move them to a common
> staging area, and process them per your policy (change their passwords,
> disable them, lock them out, etc.).
>
> It's a process thing. I want to assume that there is a product out there with
> this logic built-in. That product is simply not the OS - yet.
>
>
> Sincerely,
> Microsoft MVP - Directory Services
> www.readymaids.com <http://www.readymaids.com> - we know IT
> www.akomolafe.com <http://www.akomolafe.com>
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday? -anon
>
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Jef Kazimer
> Sent: Wed 4/19/2006 2:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] automatic account disable
>
>
>
> I'm curious, how would you show activity other than the last time the user
> authenticated? Since disabling the account would only affect the ability to
> authenticate (not including any external logic or process built on account
> status), I'm curious what other ways you would show account inactivity if not
> by lastlogon or lastlogontimestamp?
>
>
>
> Thanks,
>
>
>
> Jef
>
>
>
> ________________________________
>
> > Subject: RE: [ActiveDir] automatic account disable
> > Date: Wed, 19 Apr 2006 14:25:24 -0700
> > From: [EMAIL PROTECTED]
> > To: ActiveDir@mail.activedir.org
> >
> > Still, there is nothing "automatic" natively in the OS to let him do this.
> > Policy or no policy, he is looking at external intervention - third-party or
> > a roll-your-own. Rolling his own may be burdensome because now he has to
> > account for the number of ways an account can be active without necessarily
> > logging in. Looking at Lastlogon or lastlogontimestamp is insufficient.
> >
> >
> > Sincerely,
> > Microsoft MVP - Directory Services
> > www.readymaids.com <http://www.readymaids.com> - we know IT
> > www.akomolafe.com <http://www.akomolafe.com>
> > Do you now realize that Today is the Tomorrow you were worried about
> > Yesterday? -anon
> >
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] on behalf of Al Mulnick
> > Sent: Wed 4/19/2006 1:13 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] automatic account disable
> >
> >
> > LOL. You're right, it is often advisable to disable first. I got caught up
> > in the moment ;)
> >
> > Myke, there was a long conversation about such things a few months ago. You
> > might want to search the archives to see what was said and see if you agree
> > about what it says and suggests.
> >
> > An additional point to consider: start with policy as Neil suggests. If you
> > have a policy that says to disable accounts and then delete later, or delete
> > based on disuse, enforcement is pretty much an easy thing to do. Without the
> > policy first, it can be a difficult train to ride.
> >
> >
> >
> > -ajm
> >
> >
> > On 4/19/06, [EMAIL PROTECTED] <[EMAIL PROTECTED] > wrote:
> >
> > Would you not disable the account instead of locking it?
> >
> > A locked account may be unlocked in time (depends upon policy),
> > whereas a disabled account needs admin intervention.
> >
> > my 2 penneth,
> > neil
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
> > Sent: 19 April 2006 15:52
> >
> > To: ActiveDir@mail.activedir.org
> >
> > Subject: Re: [ActiveDir] automatic account disable
> >
> >
> >
> > It's possible. What's your criteria?
> >
> > DSQUERY, DSMOD are two tools that are touted as being able to do this
> > pretty easily. Joeware tools are better ( http://www.joeware.net ) for this
> > task IMHO. Scripts, etc. can also be used successfully.
> >
> > Al
> >
> >
> > On 4/19/06, Myke <[EMAIL PROTECTED]> wrote:
> >
> >
> > hi guys,
> >
> > is it possible to make an automatic lockout in user accounts by
> > inactivity, or do I need a third party tool?
> >
> > thanks
> >
> > Myke
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
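
The periodic query and filtering step described in this thread, sketched as an added example that is not code from any of the posters. It works on an exported list of user records; the account names, the exemption lists, the 90-day limit and the sample data are assumptions, and it covers only the timestamp check, producing a list of owners to e-mail rather than disabling anything itself.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled account
# lastLogonTimestamp is replicated lazily (by default it can lag by up to
# 14 days), so the idle threshold is padded by that much.
REPLICATION_SLACK = timedelta(days=14)

def filetime_to_dt(ft):
    """AD stores times as 100 ns ticks since 1601-01-01 UTC; 0 or missing = never."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10) if ft else None

def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def triage(accounts, now, max_idle_days, service_accounts, on_leave):
    """Split enabled accounts into notify / excluded / never_logged_on."""
    cutoff = now - timedelta(days=max_idle_days) - REPLICATION_SLACK
    out = {"notify": [], "excluded": [], "never_logged_on": []}
    for acct in accounts:
        name = acct["sAMAccountName"]
        if acct["userAccountControl"] & ACCOUNTDISABLE:
            continue  # already disabled, nothing left to do
        if name.lower() in service_accounts or name.lower() in on_leave:
            out["excluded"].append(name)  # policy exemption, review by hand
            continue
        last = filetime_to_dt(acct.get("lastLogonTimestamp"))
        if last is None:
            out["never_logged_on"].append(name)  # needs its own policy rule
        elif last < cutoff:
            out["notify"].append(name)  # e-mail owner, then stage per policy
    return out

# Constructed sample export (names, dates and the 90-day limit are assumptions).
NOW = datetime(2006, 4, 19, tzinfo=timezone.utc)
def _ago(days):
    return dt_to_filetime(NOW - timedelta(days=days))
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "lastLogonTimestamp": _ago(10)},
    {"sAMAccountName": "bob", "userAccountControl": 512, "lastLogonTimestamp": _ago(120)},
    {"sAMAccountName": "svc_backup", "userAccountControl": 512, "lastLogonTimestamp": _ago(200)},
    {"sAMAccountName": "carol", "userAccountControl": 512, "lastLogonTimestamp": _ago(150)},
    {"sAMAccountName": "dave", "userAccountControl": 512, "lastLogonTimestamp": _ago(95)},
    {"sAMAccountName": "erin", "userAccountControl": 512, "lastLogonTimestamp": 0},
    {"sAMAccountName": "frank", "userAccountControl": 514, "lastLogonTimestamp": _ago(300)},
]
SERVICE_ACCOUNTS = {"svc_backup"}
ON_LEAVE = {"carol"}

if __name__ == "__main__":
    print(triage(SAMPLE, NOW, 90, SERVICE_ACCOUNTS, ON_LEAVE))
```

With the sample data, `dave` (idle 95 days) is not flagged because the replication padding pushes the effective cutoff to 104 days, and `erin`, who has never logged on, is reported separately instead of being treated as stale.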