Title: Message
Yep. This is exactly how it should be done. If you have any Samba or crappy CIFS/SMB emulators (won't mention specific storage companies but they know who they are and hopefully are fixing this issue at the speed of light) watch out though because they set the password to never expire on the machine account and then don't change it.
 
If you don't want to script, go grab secdata from www.joeware.net on the free win32 tools page. With the /computers option it will dump a csv type format of computers (you can specify a base dn and/or computer name filter) and some of the security info including last logon (for that dc), password change, useraccount flags, etc.
 
   joe
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, August 07, 2003 9:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP & LastLogin for Computers

You're doing this the hard way.
 
It's far easier to know that computers will change their password automatically after 30 days. Look for any computer account with a password age say greater than 90 days and then take action. Keep in mind also that password age (in the form of the date the password was last set) is a replicated attribute within a domain, so you only need to query a single DC.
 
Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 10:10 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP & LastLogin for Computers

I'm getting the computer "lastlogin" attribute, which as I understand it is the most recent time that the workstation authenticated to a domain controller. I believe the oldest this timestamp would be is the last time the machine started up. Also, lastlogin is not a replicated attribute, so you have to check either all of the domain controllers or at a minimum all of the domain controllers in the workstation's site in order to get an accurate value. I'll send you a copy of the script separately.
 
Hunter
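
The triage the messages above describe, as an added example that is not part of the thread and is not the script Hunter mentions: it flags computer accounts by password age over 90 days, merges the non-replicated last-logon value across domain controllers, and holds back accounts that never rotate their password. The row layout, the status labels and the sample accounts are constructed for illustration; it assumes attribute values were already exported from each DC as AD Integer8 timestamps, and that the non-rotating devices carry the "password never expires" userAccountControl bit.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
WORKSTATION_TRUST = 0x1000       # userAccountControl: computer account
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl: password never expires
MAX_AGE = timedelta(days=90)     # threshold suggested in the thread

def to_filetime(dt):
    """UTC datetime -> AD Integer8 value (100-ns ticks since 1601-01-01)."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def from_filetime(ft):
    """AD Integer8 value -> UTC datetime; 0 means 'never'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(seconds=ft // 10_000_000)

def triage(per_dc, now):
    """per_dc maps a DC name to rows of name, pwdLastSet, lastLogon, userAccountControl."""
    merged = {}
    for rows in per_dc.values():
        for r in rows:
            m = merged.setdefault(r["name"], {"pwd": 0, "logon": 0, "uac": 0})
            m["pwd"] = max(m["pwd"], r["pwdLastSet"])     # replicated: DCs agree
            m["logon"] = max(m["logon"], r["lastLogon"])  # per-DC: keep the newest
            m["uac"] |= r["userAccountControl"]
    report = {}
    for name, m in merged.items():
        pwd_set, logon = from_filetime(m["pwd"]), from_filetime(m["logon"])
        if pwd_set is not None and now - pwd_set <= MAX_AGE:
            status = "active"
        elif m["uac"] & DONT_EXPIRE_PASSWORD or (logon and now - logon <= MAX_AGE):
            status = "review"  # password age is not a reliable signal for this account
        else:
            status = "stale"
        report[name] = (status, logon)
    return report

# Constructed sample data: two DCs, three computer accounts (not real hosts).
NOW = datetime(2003, 8, 7, tzinfo=timezone.utc)

def row(name, pwd_days, logon_days, uac=WORKSTATION_TRUST):
    """Build one exported row; logon_days=None means this DC never saw a logon."""
    ago = lambda d: to_filetime(NOW - timedelta(days=d))
    return {"name": name, "pwdLastSet": ago(pwd_days), "userAccountControl": uac,
            "lastLogon": 0 if logon_days is None else ago(logon_days)}

NAS_UAC = WORKSTATION_TRUST | DONT_EXPIRE_PASSWORD
SAMPLE = {
    "DC1": [row("WS-OLD", 200, 200), row("WS-NEW", 10, None), row("NAS-01", 400, None, NAS_UAC)],
    "DC2": [row("WS-OLD", 200, None), row("WS-NEW", 10, 1), row("NAS-01", 400, 2, NAS_UAC)],
}
```

Running `triage(SAMPLE, NOW)` against both DCs and then against DC1 alone shows why password age works from a single DC while the last-logon value does not.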


From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 7:28 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] LDAP & LastLogin for Computers

Hunter,
 
Are you actually querying the workstation, or just the user accounts? If you're finding out when a computer was last logged onto, I would LOVE to have a copy of the script as well (so I can kick our desktop support guys in the bum to clean up *MY* AD) *grin*
 
Glenn
 
 
----- Original Message -----
Sent: Thursday, August 07, 2003 3:48 AM
Subject: RE: [ActiveDir] LDAP & LastLogin for Computers

I've sent you off-list a copy of a script we use to get this information. Hope it helps.
 
Hunter


From: England, Christopher M [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 8:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP & LastLogin for Computers

Greetings all,

I am trying to pull LDAP queries on computer accounts and I want to find out the last time someone logged into the machine. "WhenModified" is just the computer account object and "LastLogin" is just for user accounts. Am I out of luck?

What I have is this: 400 or so computer accounts in one OU (with many sub-OUs) probably need to be 1) moved to a new OU or 2) deleted. #1 happens if they have logged in in say the last few months. #2 if not.

Any suggestions would be great!

Thanks,
Chris

---------------------------------------------------------
Christopher England
Server Administrator
MCSA, Server+, Network+, A+
College Information Technology Office
Indiana University
