RE: [ActiveDir] Change a password over PPTP Windows Domain
After changing your password over a VPN connection, typically Windows XP will warn you to lock and unlock your machine to update your local credentials.

From: [EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 10:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

Yes, sorry. Our remote users use Windows XP Pro and connect to the Corp network via PPTP once online. Yes, they can use Ctrl+Alt+Del to change password, but since they are logged in to their laptops locally using a cached account, once they change their passwords they cannot get back into the laptop. I'm trying to find a way that users can change their passwords over PPTP and not get locked out of their laptops.

Thanks!
Mike

From: [EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, October 26, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

I'm very confused (haven't had a lot of coffee today)... Is the laptop a member of the domain? How are you changing the password? What exactly isn't working? You should be able to simply press CTRL + ALT + DEL and change the password just as you would if you were connected to the network via any other connection. Can you provide more information about what you mean by cache problems and dialup option?

thanks,
Laura

From: [EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

Yes, only on Windows XP - It looks like I need to edit the GINA.dll and enable fast user switching, but that doesn't sound right to me...

From: [EMAIL PROTECTED] On Behalf Of Tim Onsomu
Sent: Thursday, October 26, 2006 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change a password over PPTP Windows Domain

Only on Windows XP.

From: [EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, October 26, 2006 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change a password over PPTP Windows Domain

All,

Does anyone know a way I can change my Active Directory password on a laptop remotely while connected to the domain via PPTP? I keep running into cache problems with the local computer, and I've tried using the dialup option but it still won't work after I change the password.

Any help is greatly appreciated.

Thanks,
Mike
[ActiveDir] ADMT v3 Profile cleanup options
Computer and user migration with ADMT v3 scenario:

Users have local profiles (non-roaming). It appears as though when you migrate user and computer into new forest, the new user in the target forest logs into the same computer (now part of target domain) and a new profile is created; they are not routed into their existing profile. Just curious how you have all managed to get around this without interrupting the users too much. Windows Server 2003 and Windows XP Pro SP2 environment.

Thanks,
...D
Re: [ActiveDir] How to grant administrator from trusted forest local PC Admin rights
Excellent - I will try it out.

Thanks
D

On 10/26/06, Chong Ai Chung [EMAIL PROTECTED] wrote:

You can use restricted group feature in GPO for this. Please refer to following link for more detail: http://www.msresource.net/content/view/45/46/

On 10/27/06, Danny [EMAIL PROTECTED] wrote:

Looking for ideas on how to provide a domain administrator in a separate forest local administrator rights on all domain computers to assist with ADMT v3 computer migration.

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
RE: [ActiveDir] list lastlogontime for every user script
By the short description in MSDN, it sounds as if there's a comparison done when the user logs on. If it's been at least a week since the value was updated, it's subject to being updated again? At that point, the random calculation?

:m:dsm:cci:mvp | marcusoh.blogspot.com

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 27, 2006 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

It isn't, it is randomly calculated every time logonTime is updated.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

How is this 9-14 day value tracked for each user object, by the way?

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 26, 2006 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

oldcmp

Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you.

Alternately, if you just want to query the value directly, you can use adfind to generate the output. However, oldcmp tends to be easier for most folks.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, October 26, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] list lastlogontime for every user script

Hi,

I am trying to do a script or something that will list lastlogontime for all users so I can receive an email when someone has not used the account for more than 30 days.

I have seen a couple of examples of half-built scripts that don't work; I get lost when they start dealing with converting the number to a date...

Does anyone have a script that will do something similar? Does Joeware have something similar?

Thanks
Ramon
Re: [ActiveDir] Security-enable all your distribution lists?
Thanks for the doc, Jorge; I'd missed that in my searches. And my initial reaction was not only "no", but "hell no!" to the request. But when I examine it logically it's harder to reject out of hand. A little while ago, we did change the default for new DL group requests to be security enabled. And it seems to me that one would implicitly assume that if one were setting access to a resource like sharepoint, they would use the same thought process as when they're sending mail: "Do I want everyone in this group to get this mail | have this access?"

- Harvey

On 10/21/06, Al Mulnick [EMAIL PROTECTED] wrote:

My first reaction is, NOOO don't do that. That's silly. I absolutely abhor the concept of convenience to this level when it comes to access to secured resources.

Saying that, DG's are often created by default as a security group. I'd actually be surprised, and I would applaud the person that made that choice in your organization. From my perspective, the worst thing ever done by Microsoft was to allow DG's to be security groups. Made it easier to transition PF's sure, but the layer8 contingent doesn't understand the subtle differences between a distribution list and a security-enabled-distribution-group. This loosely translates into people that want to include somebody on their regular mail lists, but don't want them to necessarily have access to the same data shares. They do NOT understand the difference in most cases.

I don't know sharepoint well enough to say, but I would be completely floored if they did not have a way to revert behavior. I also would be totally surprised if your information security people were OK with this concept for the reasons I mentioned above. TokenBloat is not the only concern you have here, Harvey.

On 10/20/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:

Hi all,

I'm interested in your opinion here, and perhaps a heads-up on requirements that may be coming your way.

We have a request from the sharepoint team to security-enable all of our 18,000 distribution lists. Our concern, naturally, is token size. What will this do to Joe User's access token?

The issue is tied in to Sharepoint. Setting permissions on Sharepoint sites has always been kind of a pain, partly because of Sharepoint itself but also because of the nature of what you're doing. (DISCLAIMER: I'm nothing more than a just-beyond-basic Sharepoint user.) When you set up a teamsite for a project, you want to enable access to the site to the project people. Typically you use an existing group of people in your org (e.g. your work group for a weekly meeting site), or you create a new group to manage access. Most work groups have mailing distribution lists, but I'll bet most are not security-enabled. So when you set up your teamsite, you have to wait and ask for IT to security-enable your DL so you can use it on your shiny new teamsite. (Unless you're one of us, in which case you can do it yourself :)

In the current version of sharepoint, you can work around this by going to the GAL and manually adding individual users to site access. Apparently the next version of Sharepoint does not allow you to do this, forcing everyone that needs group access to security-enable their group. That's why they want to enable ALL of them, not just piecemeal.

Our analysis shows that the MEDIAN number of distribution lists per user is relatively small (5-6) and the MEDIAN number of groups in Joe User's token is relatively small (40-50). But we have lots of users in the 100+ groups range, and the winner for greatest number of groups is 400! So...we have to do what we can to mitigate the impact for the large-token people.

Do you folks have any feel for a "you really don't want to go beyond there" limit on token size? Any direct experience? There's no way we can know all the apps out there that might be affected by this.

Thanks,
Harvey
RE: [ActiveDir] ADMT v3 Profile cleanup options
* within the same forest -- no need to translate profiles (although different SID, GUID takes care of this)
* between different forests -- profile translation is needed (different GUID and SID)

you can use ADMT or any third party tool

as soon as users start to use their new account you need to translate the profile

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Danny
Sent: Fri 2006-10-27 15:32
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADMT v3 Profile cleanup options

Computer and user migration with ADMT v3 scenario:

Users have local profiles (non-roaming). It appears as though when you migrate user and computer into new forest, the new user in the target forest logs into the same computer (now part of target domain) and a new profile is created; they are not routed into their existing profile. Just curious how you have all managed to get around this without interrupting the users too much. Windows Server 2003 and Windows XP Pro SP2 environment.

Thanks,
...D

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Switching distibution lists to security groups
Thanks for the reply. I appreciate it. Is it safe for me to assume that the only consideration in doing this is the token size?

From: [EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, October 24, 2006 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Switching distibution lists to security groups

Rob-

This came up just the other day. Check http://www.mail-archive.com/activedir@mail.activedir.org/msg47273.html and see if the responses there help.

Hunter

From: [EMAIL PROTECTED] On Behalf Of Huber, Rob (HNI Corp)
Sent: Tuesday, October 24, 2006 8:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Switching distibution lists to security groups

Hello,

This may be an easy answer, but I want to get feedback anyway. What are the potential problems/issues/concerns with switching distribution groups to security groups?

Our Sharepoint group has rolled out Sharepoint site permissions based on DLs. I believe that DLs should be used for DLs and security groups should be used for security (or permissions in this case) and have encouraged them to set the permissions accordingly. Their counter is that the site owners do not know the membership of the security groups, but know the membership of their respective groups' DLs, and therefore it is easier to administrate the permissions that way.

A simple fix would be to switch the DLs to security groups; however, that seems a bit too simple.
Re: [ActiveDir] ADMT v3 Profile cleanup options
On 10/27/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

> * within the same forest -- no need to translate profiles (although different SID, GUID takes care of this)
> * between different forests -- profile translation is needed (different GUID and SID)

Different forests.

> you can use ADMT or any third party tool

Sorry, I am not familiar with what profile translation entails behind the scenes. Is profile translation when the new user simply has NTFS permissions to their old profile, but when they log into Windows a new empty/blank profile is created, and so if they wanted to all of their previous settings they would have to manually copy favourites, documents, etc. from their old profile to their new profile?

> as soon as users start to use their new account you need to translate the profile

This will log the new user into the existing profile then?

Thanks, Jorge
D

> From: [EMAIL PROTECTED] on behalf of Danny
> Sent: Fri 2006-10-27 15:32
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] ADMT v3 Profile cleanup options
>
> Computer and user migration with ADMT v3 scenario:
>
> Users have local profiles (non-roaming). It appears as though when you migrate user and computer into new forest, the new user in the target forest logs into the same computer (now part of target domain) and a new profile is created; they are not routed into their existing profile. Just curious how you have all managed to get around this without interrupting the users too much. Windows Server 2003 and Windows XP Pro SP2 environment.
>
> Thanks,
> ...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
Re: [ActiveDir] Switching distibution lists to security groups
I don't think that's a safe consideration. The rest of the consideration is how the groups will be used over time. Immediate benefit is that your sharepoint system will be able to find them in the GAL and see the groups. Great. The long term impact is that you will no longer be able to tell what is being used for what as far as ACLs go. The implication is that you have extremely great controls on your DG's as well as your existing security groups.

Most shops allow DG's with no thought that they would be used for anything other than mail. Typical maintenance for a mail group is to delete it when it has one user or to delete it when it is no longer in keeping with standards etc. The impact is very low so no need to really worry about it beyond is it useful. If it's also a security group, you've added a new dimension to your use of mail groups.

I doubt seriously that Microsoft will continue to use that model in future versions. Of course, I can barely believe that they went with that model this time. To exclude the domain model in favor of using the GAL as an authentication source is so strange to me I almost can't fathom it.

Al

On 10/27/06, Huber, Rob (HNI Corp) [EMAIL PROTECTED] wrote:

Thanks for the reply. I appreciate it. Is it safe for me to assume that the only consideration in doing this is the token size?

From: [EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, October 24, 2006 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Switching distibution lists to security groups

Rob-

This came up just the other day. Check http://www.mail-archive.com/activedir@mail.activedir.org/msg47273.html and see if the responses there help.

Hunter

From: [EMAIL PROTECTED] On Behalf Of Huber, Rob (HNI Corp)
Sent: Tuesday, October 24, 2006 8:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Switching distibution lists to security groups

Hello,

This may be an easy answer, but I want to get feedback anyway. What are the potential problems/issues/concerns with switching distribution groups to security groups?

Our Sharepoint group has rolled out Sharepoint site permissions based on DLs. I believe that DLs should be used for DLs and security groups should be used for security (or permissions in this case) and have encouraged them to set the permissions accordingly. Their counter is that the site owners do not know the membership of the security groups, but know the membership of their respective groups' DLs, and therefore it is easier to administrate the permissions that way.

A simple fix would be to switch the DLs to security groups; however, that seems a bit too simple.
Re: [ActiveDir] Security-enable all your distribution lists?
Assume. Hmm.. That's been overdone so I'll pass this time :)

Harvey, I just replied to a similar thread on this with my thoughts. I won't bore you with repetition. But I'm curious what makes you want to assume anything when it comes to security issues like this? I think it's way too unpredictable to assume that users will understand that concept. That's me though. I'm not your user.

On 10/27/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:

Thanks for the doc, Jorge; I'd missed that in my searches. And my initial reaction was not only "no", but "hell no!" to the request. But when I examine it logically it's harder to reject out of hand. A little while ago, we did change the default for new DL group requests to be security enabled. And it seems to me that one would implicitly assume that if one were setting access to a resource like sharepoint, they would use the same thought process as when they're sending mail: "Do I want everyone in this group to get this mail | have this access?"

- Harvey

On 10/21/06, Al Mulnick [EMAIL PROTECTED] wrote:

My first reaction is, NOOO don't do that. That's silly. I absolutely abhor the concept of convenience to this level when it comes to access to secured resources.

Saying that, DG's are often created by default as a security group. I'd actually be surprised, and I would applaud the person that made that choice in your organization. From my perspective, the worst thing ever done by Microsoft was to allow DG's to be security groups. Made it easier to transition PF's sure, but the layer8 contingent doesn't understand the subtle differences between a distribution list and a security-enabled-distribution-group. This loosely translates into people that want to include somebody on their regular mail lists, but don't want them to necessarily have access to the same data shares. They do NOT understand the difference in most cases.

I don't know sharepoint well enough to say, but I would be completely floored if they did not have a way to revert behavior. I also would be totally surprised if your information security people were OK with this concept for the reasons I mentioned above. TokenBloat is not the only concern you have here, Harvey.

On 10/20/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:

Hi all,

I'm interested in your opinion here, and perhaps a heads-up on requirements that may be coming your way.

We have a request from the sharepoint team to security-enable all of our 18,000 distribution lists. Our concern, naturally, is token size. What will this do to Joe User's access token?

The issue is tied in to Sharepoint. Setting permissions on Sharepoint sites has always been kind of a pain, partly because of Sharepoint itself but also because of the nature of what you're doing. (DISCLAIMER: I'm nothing more than a just-beyond-basic Sharepoint user.) When you set up a teamsite for a project, you want to enable access to the site to the project people. Typically you use an existing group of people in your org (e.g. your work group for a weekly meeting site), or you create a new group to manage access. Most work groups have mailing distribution lists, but I'll bet most are not security-enabled. So when you set up your teamsite, you have to wait and ask for IT to security-enable your DL so you can use it on your shiny new teamsite. (Unless you're one of us, in which case you can do it yourself :)

In the current version of sharepoint, you can work around this by going to the GAL and manually adding individual users to site access. Apparently the next version of Sharepoint does not allow you to do this, forcing everyone that needs group access to security-enable their group. That's why they want to enable ALL of them, not just piecemeal.

Our analysis shows that the MEDIAN number of distribution lists per user is relatively small (5-6) and the MEDIAN number of groups in Joe User's token is relatively small (40-50). But we have lots of users in the 100+ groups range, and the winner for greatest number of groups is 400! So...we have to do what we can to mitigate the impact for the large-token people.

Do you folks have any feel for a "you really don't want to go beyond there" limit on token size? Any direct experience? There's no way we can know all the apps out there that might be affected by this.

Thanks,
Harvey
RE: [ActiveDir] list lastlogontime for every user script
Thanks Matt for the script that you sent and thanks Joe for your tool.

I used Joe's tool (no sexual connotation here) because it was easy and fast.

I have just one question: I am getting some users with lastlogontimestamp /00/00-00:00:00; most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never log in to the system.

This is the command that I used:

oldcmp -report -age 90 -users -llts

Is there a way of excluding disabled users from the results?

Thanks

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 27, 2006 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

It isn't, it is randomly calculated every time logonTime is updated.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

How is this 9-14 day value tracked for each user object, by the way?

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 26, 2006 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

oldcmp

Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you.

Alternately, if you just want to query the value directly, you can use adfind to generate the output. However, oldcmp tends to be easier for most folks.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, October 26, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] list lastlogontime for every user script

Hi,

I am trying to do a script or something that will list lastlogontime for all users so I can receive an email when someone has not used the account for more than 30 days.

I have seen a couple of examples of half-built scripts that don't work; I get lost when they start dealing with converting the number to a date...

Does anyone have a script that will do something similar? Does Joeware have something similar?

Thanks
Ramon
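The "number to a date" conversion and the two follow-up questions in this thread (never-logged-on accounts and disabled accounts), sketched as an added example that is not from any list member and is not how oldcmp or adfind work internally. It assumes a CSV export with the columns sAMAccountName, userAccountControl and lastLogonTimestamp; the account names and rows are constructed, and the "possibly-stale" band is this example's reading of the 9-14 day update interval quoted above.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# lastLogonTimestamp is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002            # userAccountControl bit set on disabled accounts
SYNC_LAG = timedelta(days=14)      # the stored stamp can trail the real logon by up to ~14 days
SAMPLE_NOW = datetime(2006, 10, 27, tzinfo=timezone.utc)   # constructed "today" for the sample


def filetime_to_datetime(value: int) -> Optional[datetime]:
    """Convert a FILETIME integer to UTC; 0 or less means the attribute was never set."""
    if value <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse conversion, used here only to build the sample data."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def classify(row: Dict[str, str], now: datetime, threshold_days: int = 30) -> str:
    """Label one exported account row."""
    if int(row["userAccountControl"]) & ACCOUNTDISABLE:
        return "disabled"                       # excluded from stale reporting
    last = filetime_to_datetime(int(row.get("lastLogonTimestamp") or 0))
    if last is None:
        return "never-logged-on"                # e.g. system mailbox style accounts
    age = now - last
    threshold = timedelta(days=threshold_days)
    if age > threshold + SYNC_LAG:
        return "stale"                          # inactive even allowing for the update lag
    if age > threshold:
        return "possibly-stale"                 # a more recent logon may not be recorded yet
    return "active"


def report(csv_text: str, now: datetime, threshold_days: int = 30) -> Dict[str, str]:
    """Classify every row of the CSV export, keyed by account name."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["sAMAccountName"]: classify(row, now, threshold_days) for row in reader}


def build_sample(now: datetime) -> str:
    """Constructed export: (name, userAccountControl, days since the stored stamp)."""
    rows = [("alice", 512, 3), ("bob", 512, 35), ("carol", 512, 60),
            ("dave", 514, 200), ("svc-mailbox", 512, None)]
    lines = ["sAMAccountName,userAccountControl,lastLogonTimestamp"]
    for name, uac, days in rows:
        stamp = "" if days is None else str(datetime_to_filetime(now - timedelta(days=days)))
        lines.append(f"{name},{uac},{stamp}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for account, status in report(build_sample(SAMPLE_NOW), SAMPLE_NOW).items():
        print(f"{account:12} {status}")
```
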
[ActiveDir] OT: mswish has been retired
MSWISH has been retired and there are a couple places you can now send feedback. Check out: https://connect.microsoft.com/intro.aspx?wa=wsignin1.0 and if the product is not listed there, you can scroll down to the bottom of the web page for the product and click the link for Contact Us.

Hope this helps! Have a great weekend!!

Best Regards,
Partner Community Lead

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] list lastlogontime for every user script
> I used Joe's tool (no sexual connotation here) because it was easy and fast

never mind half of the world does it! ;-)

ROTFMAO

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Ramon Linan
Sent: Fri 2006-10-27 20:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

Thanks Matt for the script that you sent and thanks Joe for your tool.

I used Joe's tool (no sexual connotation here) because it was easy and fast.

I have just one question: I am getting some users with lastlogontimestamp /00/00-00:00:00; most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never log in to the system.

This is the command that I used:

oldcmp -report -age 90 -users -llts

Is there a way of excluding disabled users from the results?

Thanks

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 27, 2006 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

It isn't, it is randomly calculated every time logonTime is updated.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

How is this 9-14 day value tracked for each user object, by the way?

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 26, 2006 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

oldcmp

Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you.

Alternately, if you just want to query the value directly, you can use adfind to generate the output. However, oldcmp tends to be easier for most folks.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, October 26, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] list lastlogontime for every user script

Hi,

I am trying to do a script or something that will list lastlogontime for all users so I can receive an email when someone has not used the account for more than 30 days.

I have seen a couple of examples of half-built scripts that don't work; I get lost when they start dealing with converting the number to a date...

Does anyone have a script that will do something similar? Does Joeware have something similar?

Thanks
Ramon
[ActiveDir] A few things [List Admin]
Hi all

Just a couple of things.

I will be out of the country for three weeks from tomorrow, with only intermittent access to email. While I am away Matty Holland will be looking after the list. If you see any problems or need help with unsubscribing, etc. then Matty is your man ([EMAIL PROTECTED]). Please play nicely while I'm away or I won't bring you a present. ;-)

I am aware of the ongoing list latency problems and am awaiting a response from my ISP. Hopefully it will be resolved shortly. I suspect it might be related to volume as the number of subscribed users has grown quite sharply over the past few months.

You may have noticed the recent time-out issues with the archive hosted at ActiveDir.org. The experiment we had with using Mhonarc for archiving largely failed due to the poor performance. We are working on a new archive using a different method and this should be available shortly. In the meantime, please use the off-site archive at http://www.mail-archive.com/activedir@mail.activedir.org/

Finally, a reminder that you can subscribe to the list with the "No mail" (aka post-only) option, which is useful if you have a public folder subscribed to the list but also want to be able to post (but not receive mail) using your own address. If you want me to set you up for this, just let me know (but bear in mind that I may not get around to it immediately, because I'll be on the beach - ha ha ha).

Tony
ActiveDir.org general dogsbody.
RE: [ActiveDir] A few things [List Admin]
Tony,

I've moved in and out of the group since 2000, and just wanted to thank you for all your effort keeping this beast going over the years. The list made a real difference to my career over the years, and I still can't pull myself away from keeping up-to-date (to a degree) with AD.

This community is now second to none - I don't get the time I'd like to contribute, but thanks are due to all the guys that do.

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 27 October 2006 22:51
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] A few things [List Admin]

Hi all

Just a couple of things.

I will be out of the country for three weeks from tomorrow, with only intermittent access to email. While I am away Matty Holland will be looking after the list. If you see any problems or need help with unsubscribing, etc. then Matty is your man ([EMAIL PROTECTED]). Please play nicely while I'm away or I won't bring you a present. ;-)

I am aware of the ongoing list latency problems and am awaiting a response from my ISP. Hopefully it will be resolved shortly. I suspect it might be related to volume as the number of subscribed users has grown quite sharply over the past few months.

You may have noticed the recent time-out issues with the archive hosted at ActiveDir.org. The experiment we had with using Mhonarc for archiving largely failed due to the poor performance. We are working on a new archive using a different method and this should be available shortly. In the meantime, please use the off-site archive at http://www.mail-archive.com/activedir@mail.activedir.org/

Finally, a reminder that you can subscribe to the list with the "No mail" (aka post-only) option, which is useful if you have a public folder subscribed to the list but also want to be able to post (but not receive mail) using your own address. If you want me to set you up for this, just let me know (but bear in mind that I may not get around to it immediately, because I'll be on the beach - ha ha ha).

Tony
ActiveDir.org general dogsbody.
Re: [ActiveDir] list lastlogontime for every user script
I believe at last count it was way more than half the world was using joe's tool. Likely because it's fast, free, easy to use and the best around. (-;

Well, half the world I tend to live in anyway.

On 10/27/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

I used Joe's tool (no sexual connotation here) because it was easy and fast

never mind half of the world does it! ;-) ROTFMAO

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Ramon Linan
Sent: Fri 2006-10-27 20:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

Thanks Matt for the script that you sent and thanks Joe for your tool.
I used Joe's tool (no sexual connotation here) because it was easy and fast.
I have just one question, I am getting some users with lastlogontimestamp /00/00-00:00:00 most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never login into the system.
This is the command that I used
oldcmp -report -age 90 -users -llts
is there a way of excluding disabled users from the results?
Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, October 27, 2006 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

It isn't, it is randomly calculated every time logonTime is updated.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

How is this 9-14 day value tracked for each user object, by the way?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, October 26, 2006 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

oldcmp

Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days).
You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfind to generate the output.
However, oldcmp tends to be easier for most folks.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramon Linan
Sent: Thursday, October 26, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] list lastlogontime for every user script

Hi,
I am trying to do a script or something that will list lastlogontime for all users so I can receive an email when someone has not used the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with converting the number to a date...
Does anyone have a script that will do something similar? Does Joe ware have something similar?
Thanks
Ramon

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
Re: [ActiveDir] Exchange Log files --Disk Full--
I've found, with NTbackup, that if you cram two or more tasks into a backup job, it's very likely to fail. For example, if you do a System State and a file backup and an Exchange backup in the same job. It's best to separate each task into its own job, and sort it out in the scheduling. A mixed job will also work for a while and then fail, which sounds like what happened to OP.

----- Original Message -----
From: Wells, James Arthur
To: ActiveDir@mail.activedir.org
Cc: Technical Support
Sent: Thursday, October 26, 2006 2:21 PM
Subject: RE: [ActiveDir] Exchange Log files --Disk Full--

Do you have multiple information stores on this storage group? (If using Exchange Enterprise edition)...the logs can't flush until all stores have a full backup, because the logs are shared...

--James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Thursday, October 26, 2006 3:16 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Log files --Disk Full--

Hi,
I am running Normal Backup. Using NTBackup Utility. Backing up Information store.

From: [EMAIL PROTECTED] on behalf of Missy Koslosky
Sent: Thu 10/26/2006 12:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Log files --Disk Full--

Are you running full (AKA normal) backups every night? It seems not. Use NTBackup to backup to disk (obviously, you'll need a disk with over 120GB of available space) and then use whatever normal program you use to back that backup onto tape. This will keep you running until you sort out why your normal backup software isn't flushing the logs when the backup completes.

How are you currently running backups? What software is in use? Are you sure it's Exchange aware? Are you doing brick level backups or copy backups instead of a full backup? Neither will flush the logs.

I'd resolve this as quickly as possible, because if you are in a situation where you have to replay the logs, you're NOT going to be a happy camper.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Thursday, October 26, 2006 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange Log files --Disk Full--

Hi All,
Kindly suggest what I can do about my Exchange Log files. I have about 120 GB Log files for past 4 months. I have a few doubts:
- Do I really need all those log files? If yes, then how is it possible to manage with this as I have a very limited space left.
- Can I delete these log files?
- Backup doesn't remove these log files?
I am really running out of space on my Exchange log storage drive.

Thanks!!!
Ravi
Re: [ActiveDir] Exchange Log files --Disk Full--
Granted we have smaller things to backup...but uh... we're backing up system state, file backups, exchange 'and' the kitchen sink service backup all at once and everything works.

If you want to do ntbackup tweakage check out backupassist http://www.backupassist.com/index.html

Albert Duro wrote:

I've found, with NTbackup, that if you cram two or more tasks into a backup job, it's very likely to fail. For example, if you do a System State and a file backup and an Exchange backup in the same job. It's best to separate each task into its own job, and sort it out in the scheduling. A mixed job will also work for a while and then fail, which sounds like what happened to OP.

----- Original Message -----
*From:* Wells, James Arthur mailto:[EMAIL PROTECTED]
*To:* ActiveDir@mail.activedir.org mailto:ActiveDir@mail.activedir.org
*Cc:* Technical Support mailto:[EMAIL PROTECTED]
*Sent:* Thursday, October 26, 2006 2:21 PM
*Subject:* RE: [ActiveDir] Exchange Log files --Disk Full--

Do you have multiple information stores on this storage group? (If using Exchange Enterprise edition)...the logs can't flush until all stores have a full backup, because the logs are shared...

--James

*From:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Technical Support
*Sent:* Thursday, October 26, 2006 3:16 PM
*To:* ActiveDir@mail.activedir.org mailto:ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org mailto:ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Exchange Log files --Disk Full--

Hi,
I am running Normal Backup. Using NTBackup Utility. Backing up Information store.

*From:* [EMAIL PROTECTED] on behalf of Missy Koslosky
*Sent:* Thu 10/26/2006 12:49 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Exchange Log files --Disk Full--

Are you running full (AKA normal) backups every night? It seems not. Use NTBackup to backup to disk (obviously, you'll need a disk with over 120GB of available space) and then use whatever normal program you use to back that backup onto tape. This will keep you running until you sort out why your normal backup software isn't flushing the logs when the backup completes.

How are you currently running backups? What software is in use? Are you sure it's Exchange aware? Are you doing brick level backups or copy backups instead of a full backup? Neither will flush the logs.

I'd resolve this as quickly as possible, because if you are in a situation where you have to replay the logs, you're NOT going to be a happy camper.

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Technical Support
*Sent:* Thursday, October 26, 2006 11:09 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Exchange Log files --Disk Full--

Hi All,
Kindly suggest what I can do about my Exchange Log files. I have about 120 GB Log files for past 4 months. I have a few doubts:
- Do I really need all those log files? If yes, then how is it possible to manage with this as I have a very limited space left.
- Can I delete these log files?
- Backup doesn't remove these log files?
I am really running out of space on my Exchange log storage drive.

*Thanks!!!*
Ravi

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] list lastlogontime for every user script
Every time an auth occurs that updates the lastLogon (not logonTime like I miswrote last time) attribute a calculation is done based on the update frequency value. This frequency can be modified by updating the msDS-LogonTimeSyncInterval attribute on the domain NC head (for AD). If the update frequency is greater than the swing value (5 days) then the update frequency value is modified by subtracting a random number in the range of 0-5. That resulting value (by default 9-14 days) is then compared to the length of time it has been since the last update. If the time has exceeded that value, the stamp is updated.

The minimum frequency value for AD is 1 day, the max is in the hundreds of years so not something you will likely notice a problem with. ADAM allows you to specify 0 through the ADAMLastLogonTimestampWindow entry of the msDS-Other-Settings attribute of the nTDSService object for the instance which means update the attribute for every logon. This isn't an issue with ADAM as it is with AD since with AD your machine can be doing auths on your behalf all through the day and causing a lot of replication. ADAM auth is all very directed and specific.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 27, 2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

by the short description in msdn, it sounds as if there's a comparison done when the user logs on. If it's been at least a week since the value was updated, it's subject to being updated again? At that point, the random calculation?

:m:dsm:cci:mvp| marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 27, 2006 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

It isn't, it is randomly calculated every time logonTime is updated.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

How is this 9-14 day value tracked for each user object, by the way?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 26, 2006 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

oldcmp

Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days).

You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfind to generate the output.

However, oldcmp tends to be easier for most folks.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, October 26, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] list lastlogontime for every user script

Hi,
I am trying to do a script or something that will list lastlogontime for all users so I can receive an email when someone has not used the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with converting the number to a date...
Does anyone have a script that will do something similar? Does Joe ware have something similar?
Thanks
Ramon
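The update decision joe describes in the message above, replayed for a user who logs on once a day, to show how far the stored stamp can trail the real last logon. This is an added example, not code from the thread or from Microsoft; the whole-day swing, the write on first logon and all function names are assumptions.

```python
import random
from datetime import datetime, timedelta, timezone

SWING_DAYS = 5  # "random swing of minus 0-5 days" from the thread


def should_update(last_stamp, now, interval_days=14, rng=random):
    """Return True if this authentication rewrites lastLogonTimestamp.

    interval_days stands in for msDS-LogonTimeSyncInterval (default 14).
    """
    if last_stamp is None:
        # Assumption: an unset stamp is written at the first logon.
        return True
    threshold = interval_days
    if interval_days > SWING_DAYS:
        # Assumption: the swing is drawn as a whole number of days.
        threshold = interval_days - rng.randint(0, SWING_DAYS)
    # Update only when the time since the last update exceeds the threshold.
    return now - last_stamp > timedelta(days=threshold)


def replay(logons, interval_days=14, seed=0):
    """Feed logon times through the decision.

    Returns a list of (logon_time, stamp_after_that_logon) pairs.
    """
    rng = random.Random(seed)
    stamp = None
    history = []
    for when in logons:
        if should_update(stamp, when, interval_days, rng):
            stamp = when
        history.append((when, stamp))
    return history


def max_lag_days(history):
    """Largest gap, in days, between a real logon and the stored stamp."""
    return max((when - stamp) / timedelta(days=1) for when, stamp in history)


def update_gaps_days(history):
    """Whole days between consecutive rewrites of the stamp."""
    stamps = sorted({stamp for _, stamp in history})
    return [(later - earlier).days for earlier, later in zip(stamps, stamps[1:])]


# Constructed input: one logon per day for 120 days.
START = datetime(2006, 7, 1, 8, 0, tzinfo=timezone.utc)
DAILY = [START + timedelta(days=n) for n in range(120)]

if __name__ == "__main__":
    hist = replay(DAILY)
    print("days between stamp rewrites:", update_gaps_days(hist))
    print("worst lag behind the real last logon: %.0f days" % max_lag_days(hist))
```

Even for an account used every day, the stamp can be up to 14 days older than the true last logon, so an inactivity threshold built on this attribute needs that margin added.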
RE: [ActiveDir] list lastlogontime for every user script
First off... let's go with using the word utility versus tool ;o)

Second off yeah they are pretty popular. I got a lot of pings from various MSFT and other consultant type friends who seem to run into my utilities in the wild pretty regularly. This penetration is greater in the primarily English speaking world (North America, UK, Western Europe, Australia, and militaries of those areas globally) as the utilities are really better targeted at English environments. UNICODE and other special characters (anything with umlauts, etc) are kind of a pain to deal with from the command line. Anyone who has used adfind to output something that has characters like éèà has noticed that to the command line, that ends up looking something like

dn:CN=TestGroupΘΦα,OU=TestOU,DC=joe,DC=com

but if that same output is redirected to a text file via standard redirection it looks like

dn:CN=TestGroupéèà,OU=TestOU,DC=joe,DC=com

and I can assure you adfind is doing nothing different which is the problem. I have worked through some of that with some new routines and that is the V2 versions of AdFind/AdMod I occasionally mention as it will take very radical changes to use the new strings. I have done it with some other code I have written but nothing I have released yet as I am still tinkering with it. Basically I have to try and work out where you are sending the output in order to determine how to output it.

I have no clue what would happen if you tried to use adfind in an environment with true multibyte characters like say a Chinese edition. I expect it would blow up magnificently. I am curious if even dsquery would work in that environment.

Doing this in the GUI is immensely easier which sounds odd, most people would tend to think that console apps are easier to write than GUI. I find it just the opposite, GUI is easier for most everything especially character encoding and threaded output but I find the GUI less useful than the console.

And with Server Core coming... The joeware stuff will become even more popular as my utilities are very nice console utilities AND they are all FAT-free, err I mean NET-free. ;o) Twice the power, triple the taste, tenth of the calories and actually work on Server Core...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, October 27, 2006 10:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] list lastlogontime for every user script

I believe at last count it was way more than half the world was using joe's tool. Likely because it's fast, free, easy to use and the best around. (-;

Well, half the world I tend to live in anyway.

On 10/27/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

I used Joe's tool (no sexual connotation here) because it was easy and fast

never mind half of the world does it! ;-) ROTFMAO

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Ramon Linan
Sent: Fri 2006-10-27 20:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

Thanks Matt for the script that you sent and thanks Joe for your tool.
I used Joe's tool (no sexual connotation here) because it was easy and fast.
I have just one question, I am getting some users with lastlogontimestamp /00/00-00:00:00 most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never login into the system.
This is the command that I used
oldcmp -report -age 90 -users -llts
is there a way of excluding disabled users from the results?
Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, October 27, 2006 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

It isn't, it is randomly calculated every time logonTime is updated.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

How is this 9-14 day value tracked for each user object, by the way?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, October 26, 2006 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

oldcmp

Keep in mind that by default,
RE: [ActiveDir] list lastlogontime for every user script
Those zeros mean the value isn't set.

There are several requests for change for oldcmp asking for an -onlyenabled switch. It is on the list and will go in when I work on it next. In the meanwhile you can use

-bit -af "(!(useraccountcontrol:AND:=2))"

Also if you want to filter out users/computers that don't have a value set for the pwdLastSet or lastLogonTimeStamp, whichever is currently being used, you can use the -realage switch.

I really need to open up that project and poke around, it is getting long in the tooth, last update was December 2004, hard to believe it has been out there for so long running so well for so many people.

As a side question, would anyone be terribly disappointed if the DHTML option went away? Just trying to get a feel for it, I don't get much email on it so am wondering if it is being used all that much. It seems in larger output files, IE just gets torn up trying to display those files. Personally I think it is fun, but if people aren't using it, it is a lot of code complexity for naught.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Friday, October 27, 2006 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

Thanks Matt for the script that you sent and thanks Joe for your tool.

I used Joe's tool (no sexual connotation here) because it was easy and fast.

I have just one question, I am getting some users with lastlogontimestamp /00/00-00:00:00 most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never login into the system.

This is the command that I used

oldcmp -report -age 90 -users -llts

is there a way of excluding disabled users from the results?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 27, 2006 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

It isn't, it is randomly calculated every time logonTime is updated.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

How is this 9-14 day value tracked for each user object, by the way?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 26, 2006 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

oldcmp

Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days).

You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfind to generate the output.

However, oldcmp tends to be easier for most folks.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, October 26, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] list lastlogontime for every user script

Hi,
I am trying to do a script or something that will list lastlogontime for all users so I can receive an email when someone has not used the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with converting the number to a date...
Does anyone have a script that will do something similar? Does Joe ware have something similar?
Thanks
Ramon
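Ramon's original request combined with joe's answers in the message above, as an added example (not from the thread, and not how oldcmp is implemented): convert the raw lastLogonTimestamp number to a date, treat zero as unset, skip accounts with the disabled bit (2) set in userAccountControl, and allow for the default 14-day update latency. The record layout, account names and sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x2        # the bit tested by (useraccountcontrol:AND:=2)
DEFAULT_SYNC_INTERVAL = 14  # days; default update frequency per the thread


def filetime_to_datetime(value):
    """Convert 100-nanosecond ticks since 1601-01-01 UTC to a datetime.

    Returns None for 0 or an empty value, which means the attribute was
    never set.
    """
    ticks = int(value or 0)
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when):
    """Inverse conversion, used here only to build the sample records."""
    return (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def classify(records, now, inactive_days=30,
             sync_interval=DEFAULT_SYNC_INTERVAL):
    """Sort enabled accounts by what the stamp can actually prove.

    stale     - stamp is older than inactive_days + sync_interval, so the
                account has been idle for at least inactive_days
    review    - stamp is older than inactive_days, but a logon inside the
                update window may not have been recorded
    never_set - no stamp at all (the zero dates in the report)
    """
    report = {"stale": [], "review": [], "never_set": []}
    for rec in records:
        if int(rec["userAccountControl"]) & ACCOUNTDISABLE:
            continue  # disabled accounts are left out of the report
        name = rec["sAMAccountName"]
        stamp = filetime_to_datetime(rec.get("lastLogonTimestamp"))
        if stamp is None:
            report["never_set"].append(name)
            continue
        age = now - stamp
        if age >= timedelta(days=inactive_days + sync_interval):
            report["stale"].append(name)
        elif age >= timedelta(days=inactive_days):
            report["review"].append(name)
    return report


# Constructed sample export; values are strings, as in a CSV dump.
NOW = datetime(2006, 10, 27, 12, 0, tzinfo=timezone.utc)


def _sample(name, days_ago, uac):
    stamp = "0" if days_ago is None else str(
        datetime_to_filetime(NOW - timedelta(days=days_ago)))
    return {"sAMAccountName": name, "lastLogonTimestamp": stamp,
            "userAccountControl": str(uac)}


SAMPLE = [
    _sample("alice", 10, 512),          # recently active
    _sample("bob", 35, 512),            # inside the uncertainty window
    _sample("carol", 60, 512),          # idle for certain
    _sample("dave", 90, 514),           # 512 | 2: disabled, skipped
    _sample("svc-report", None, 512),   # never logged on
]

if __name__ == "__main__":
    for bucket, names in classify(SAMPLE, NOW).items():
        print(bucket, names)
```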
RE: [ActiveDir] list lastlogontime for every user script
Tool... penetration... Tony took a vacation and this is what this list is turning into... Time to go wash my brains.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Fri 10/27/2006 9:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

First off... let's go with using the word utility versus tool ;o)

Second off yeah they are pretty popular. I got a lot of pings from various MSFT and other consultant type friends who seem to run into my utilities in the wild pretty regularly. This penetration is greater in the primarily English speaking world (North America, UK, Western Europe, Australia, and militaries of those areas globally) as the utilities are really better targeted at English environments. UNICODE and other special characters (anything with umlauts, etc) are kind of a pain to deal with from the command line. Anyone who has used adfind to output something that has characters like éèà has noticed that to the command line, that ends up looking something like

dn:CN=TestGroupΘΦα,OU=TestOU,DC=joe,DC=com

but if that same output is redirected to a text file via standard redirection it looks like

dn:CN=TestGroupéèà,OU=TestOU,DC=joe,DC=com

and I can assure you adfind is doing nothing different which is the problem. I have worked through some of that with some new routines and that is the V2 versions of AdFind/AdMod I occasionally mention as it will take very radical changes to use the new strings. I have done it with some other code I have written but nothing I have released yet as I am still tinkering with it. Basically I have to try and work out where you are sending the output in order to determine how to output it.

I have no clue what would happen if you tried to use adfind in an environment with true multibyte characters like say a Chinese edition. I expect it would blow up magnificently. I am curious if even dsquery would work in that environment.

Doing this in the GUI is immensely easier which sounds odd, most people would tend to think that console apps are easier to write than GUI. I find it just the opposite, GUI is easier for most everything especially character encoding and threaded output but I find the GUI less useful than the console.

And with Server Core coming... The joeware stuff will become even more popular as my utilities are very nice console utilities AND they are all FAT-free, err I mean NET-free. ;o) Twice the power, triple the taste, tenth of the calories and actually work on Server Core...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, October 27, 2006 10:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] list lastlogontime for every user script

I believe at last count it was way more than half the world was using joe's tool. Likely because it's fast, free, easy to use and the best around. (-;

Well, half the world I tend to live in anyway.

On 10/27/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

I used Joe's tool (no sexual connotation here) because it was easy and fast

never mind half of the world does it! ;-) ROTFMAO

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Ramon Linan
Sent: Fri 2006-10-27 20:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

Thanks Matt for the script that you sent and thanks Joe for your tool.
I used Joe's tool (no sexual connotation here) because it was easy and fast.
I have just one question, I am getting some users with lastlogontimestamp /00/00-00:00:00 most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never login into the system.
This is the command that I used
oldcmp -report -age 90 -users -llts
is there a way of excluding disabled users from the results?
Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, October 27, 2006 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

It isn't, it is randomly calculated every time logonTime is updated.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: mailto:[EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 9:49 PM
To: