Unfortunately the event logs dont go back that far. And something else is touching the accounts and updating the whenchanged value.
-----Original Message----- From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 20, 2003 12:57 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Determining when a user account was disabled. Clyde, Can you parse security logs on the DC's for Event ID: 629 Type: Success Audit Description: User Account Disabled? -----Original Message----- From: David Rudolph [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 20, 2003 1:11 PM To: Burns, Clyde Subject: RE: [ActiveDir] Determining when a user account was disabled. Have you tried the "whenChanged" attribute? -----Original Message----- From: Burns, Clyde [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 20, 2003 11:47 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Determining when a user account was disabled. Im trying to generate a report of disabled accounts that were disabled X number of days ago. Getting a report of which accounts are disabled was fairly straightforward* but I cannot find anything that will tell me when the account WAS disabled. I was wondering if anyone could tell me if such information is stored in AD or how to approximate the date. Right now Im thinking of pulling the last logon times from the domain controllers to ballpark the amount of time the accounts could have been disabled but thats a stopgap at best. Any tips or pointers would be greatly appreciated. Clyde Burns * VB6 code to generate report Set rootDSE = GetObject("LDAP://RootDSE";) Set Ou = GetObject("LDAP://"; & "CN=Users," & _ rootDSE.Get("defaultNamingContext")) Ou.Filter = Array("user") For Each Child In Ou Debug.Print _ Chr(34) & Child.sAMAccountName & Chr(34) & Chr(44) & _ Chr(34) & Child.DisplayName & Chr(34) & Chr(44) & _ Chr(34) & Child.accountdisabled & Chr(34) Next List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ Anadarko Confidentiality Notice: This electronic transmission and any attached documents or other writings are intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. If you have received this communication in error, please immediately notify sender by return e-mail and destroy the communication. Any disclosure, copying, distribution or the taking of any action concerning the contents of this communication or any attachments by anyone other than the named recipient is strictly prohibited. List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
