[ActiveDir] AD LDAP Data Conversion Question

2004-10-27 Thread Menten, Jeff





All,


I would like to extract the lastLogon value from AD to check for orphan workstations, etc. This attribute has an INTEGER8 format - which, as far as I can tell, is an eight-byte data structure. Does anyone know of an easy way to convert this value via VBScript to a readable format that will actually print?

Thanks,
 - Jeff M.





___
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is 
for the sole use of the intended recipient(s) and may contain confidential 
and privileged information. Any unauthorized review, use, disclosure or 
distribution is prohibited. If you are not the intended recipient, please 
contact the sender by reply e-mail and destroy all copies of the original 
message.
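
The conversion asked about in the message above, as an added example that is not part of the original post or thread. It relies on the Integer8 timestamp being a count of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC, which ADSI exposes as an IADsLargeInteger with HighPart and LowPart; the function names and sample values are constructed for illustration.

```vbscript
Option Explicit

' Convert the two 32-bit halves of an Integer8 (IADsLargeInteger) timestamp
' into a VBScript Date in UTC. The value counts 100-nanosecond intervals
' since 1601-01-01 00:00:00 UTC. Returns Null when the value is 0
' (no logon recorded on the DC that was queried).
Function Integer8ToDate(highPart, lowPart)
    Dim low, ticks, days
    low = CDbl(lowPart)
    ' ADSI hands LowPart back as a signed Long; a negative value means the
    ' top bit of the unsigned low half is set, so add 2^32 to recover it.
    If low < 0 Then low = low + 4294967296
    ticks = CDbl(highPart) * 4294967296 + low
    If ticks = 0 Then
        Integer8ToDate = Null
        Exit Function
    End If
    ' 10,000,000 ticks per second, 86,400 seconds per day.
    days = ticks / 10000000 / 86400
    Integer8ToDate = CDate(#1/1/1601# + days)
End Function

' Printable form of the timestamp for a report line.
Function Describe(highPart, lowPart)
    Dim d
    d = Integer8ToDate(highPart, lowPart)
    If IsNull(d) Then
        Describe = "never"
    Else
        Describe = CStr(d) & " UTC"
    End If
End Function

' Against a live directory the halves come from ADSI, for example:
'   Set li = GetObject("LDAP://<DN of the computer object>").Get("lastLogon")
'   WScript.Echo Describe(li.HighPart, li.LowPart)

' Constructed sample values (not from the original post):
WScript.Echo Describe(29670327, -421593088)   ' negative LowPart case
WScript.Echo Describe(0, 0)                   ' no logon recorded
```

lastLogon is not replicated between domain controllers, so a stale-workstation check has to read it from every DC and keep the latest value.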





RE: [ActiveDir] Sarbannes Oxley compliance

2004-06-25 Thread Menten, Jeff



We customarily use terminal server to connect to the server we want to modify,
then log on with administrator credentials. If you connect to a DC, then you have
AD tools available as well. Since email, IIS, etc. are not installed on servers,
the opportunity for compromising the system is minimized.

 - Jeff M.


From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, June 25, 2004 07:00
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Sarbannes Oxley compliance

Why can't you start explorer using runas? Shortcut to 
the desktop for explorer.exe. Shift+Right-click, runas, 
etc...
What about term services? You can always go that 
route as well if it's sensitive data. 

We have the separate accounts as a best practice vs. a 
compliance issue. The best practice came first. With minor 
exceptions, it works fine to date. YMMV due to particular cultural and 
infrastructure changes, but that's going to be for any change as far as I'm 
concerned.

Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, June 24, 2004 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sarbannes Oxley compliance

We try to maintain a least privilege model, and are in the process of tightening down
further. 'Best practices' that you often read about suggest each admin
have a 'break glass' kind of administrative account separate from
their 'day-to-day user' account. We're moving in that direction. One
of the issues there seems to be that admins are used to managing files and
setting NTFS permissions via Explorer...as far as I know, you can't just start
up a new explorer with Runas. I suppose they could use CACLS from a
command prompt, but most want a GUI.

So I'll add that to Mark's original question...how do y'all approach that if you
use separate 'admin' accounts for your admins?
Dave

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
  Sent: Wednesday, June 23, 2004 12:21 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Sarbannes Oxley compliance
  
  I'm curious what, if any, changes to everyday administration the folks on this
  list are making in preparation for Sarbanes-Oxley compliance. Specifically,
  is anyone making a conscious effort to remove daily admin rights from people
  whose job it is to do domain administration, in favor of a "break the glass
  when needed" type of philosophy? I'm just starting to look into this, but I'm
  getting the feeling some companies are going overboard. Any observation from
  the group is always welcome...
  
  Mark Creamer

 

 

 
