You can actually use two attributes for cleaning up computer accounts. The most accurate one is pwdLastSet. Passwords on W2K+ machines, unless defaults have been tweaked, are changed every 30 days. If I recall, they can change the password for up to 30 days after the last one has gone bad, so basically any machine accounts up to 60 days should be considered valid. Outside of 60 days I *think* you will need to reset the account in order to use it anyway.

Note that this doesn't apply to people playing with SAMBA or TAS or other SMB emulators. Definitely take note of things like EMC's Celerra, which currently NEVER changes its password if joined in the AD way instead of the NT4 way, though that is a request the company I consult for has in. I would expect other systems trying to fake being Windows Servers, like NetApp and others, could have the same issue.

The other attribute you can look at is the whenChanged attribute; however, any change to the machine accounts will update that value, so some accounts could be kept alive by people making random changes.

Overall, if just dealing with Windows machines, you should be able to remove them if the pwdLastSet attribute is 60 days or older; you may want to standardize on 90 or even 120 days though.
Note that there is a free tool called secdata on the free win32 tools page of www.joeware.net that will dump computer (or alternatively user) objects for you, if you want, in CSV format and will decode the pwdLastSet date so you can sort it in Excel or whatever. It gives several pieces of security info for a given DC for the given objects. The values dumped are:

  sAMAccountName
  cn
  distinguishedName
  badPasswordTime (not replicated)
  badPwdCount (not replicated)
  lastLogon (not replicated)
  logonCount (not replicated)
  pwdLastSet
  PwdAge
  lockoutTime
  accountExpires
  createTimeStamp
  ObjAg
  modifyTimeStamp
  ModAge
  userAccountControl (this is decoded, not a bit flag)
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rich Milburn
Sent: Monday, December 22, 2003 11:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] inactive computers question

I know that dsquery and dsrm are good for AD2003 environments to find and remove inactive computer accounts in AD, as is Robbie's script. Someone on the SMS list has AD 2000 though; dsquery doesn't work, and Robbie's script is returning nothing. Even if the info is not easily convertible to a date, it seems like you should be able to sort by a column in a csvde export and see the same information, i.e. sort by pwdLastSet? Any ideas? It looked like lastLogonTimestamp might be a good one... but alas that's new with 2003, so that's no good for him. The main source of my confusion is that dsquery and a sort by pwdLastSet do not show the same computers as being inactive the longest.
Thanks
Rich
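The two answers above rest on one mechanical step: pwdLastSet in a csvde export is a raw Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), so it has to be decoded before it can be compared against a 60/90/120-day threshold. The script below is an added example written for this page; it is not joe's secdata tool and not part of the original thread. It reads a small, constructed csvde-style CSV (the attribute names sAMAccountName, operatingSystem, pwdLastSet and userAccountControl are real AD attributes; the hostnames and values are made up), decodes pwdLastSet, computes the password age relative to a fixed "now", decodes the ACCOUNTDISABLE bit of userAccountControl, and ranks the accounts oldest first so the same list can be reviewed offline instead of eyeballed in Excel. The operatingSystem column is carried through because, as joe notes, SMB emulators and NAS filers may never rotate their password and need a manual look before removal.

```python
"""Decode pwdLastSet from a csvde-style export and rank computer accounts by password age.

Added example for this thread, not code from the original posters or from joeware.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: ticks of 100 ns since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit meaning "account is disabled"

# Constructed csvde-style export. DNs contain commas, so csvde quotes them.
# "now" for the sample is the thread date, 2003-12-22 00:00 UTC.
SAMPLE_EXPORT = """DN,sAMAccountName,operatingSystem,pwdLastSet,userAccountControl
"CN=WS001,OU=Workstations,DC=example,DC=local",WS001$,Windows XP Professional,127156608000000000,4096
"CN=WS002,OU=Workstations,DC=example,DC=local",WS002$,Windows 2000 Professional,127126368000000000,4096
"CN=OLDSRV,OU=Servers,DC=example,DC=local",OLDSRV$,Windows 2000 Server,127083168000000000,4098
"CN=NASBOX,OU=Servers,DC=example,DC=local",NASBOX$,EMC Celerra,126992448000000000,4096
"CN=NEVERSET,OU=Workstations,DC=example,DC=local",NEVERSET$,,0,4096
"""


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime; 0 means 'never set'."""
    if ticks <= 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_age_days(ticks, now):
    """Whole days since the machine password was last set, or None if never set."""
    when = filetime_to_datetime(ticks)
    if when is None:
        return None
    return (now - when).days


def rank_computers(csv_text, now, max_age_days=60):
    """Return one dict per computer, oldest password first; 'never set' sorts to the top."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        ticks = int(rec["pwdLastSet"] or 0)
        uac = int(rec.get("userAccountControl") or 0)
        age = password_age_days(ticks, now)
        rows.append({
            "sAMAccountName": rec["sAMAccountName"],
            "operatingSystem": rec.get("operatingSystem", ""),
            "pwdLastSet": filetime_to_datetime(ticks),
            "age_days": age,
            "disabled": bool(uac & UF_ACCOUNTDISABLE),
            # Past the threshold, or never set at all, counts as stale.
            "stale": age is None or age > max_age_days,
        })
    rows.sort(key=lambda r: float("inf") if r["age_days"] is None else r["age_days"],
              reverse=True)
    return rows


def stale_accounts(csv_text, now, max_age_days=60):
    """Names of accounts whose password age exceeds the threshold (or was never set)."""
    return [r["sAMAccountName"] for r in rank_computers(csv_text, now, max_age_days)
            if r["stale"]]


if __name__ == "__main__":
    now = datetime(2003, 12, 22, tzinfo=timezone.utc)
    for r in rank_computers(SAMPLE_EXPORT, now, max_age_days=60):
        age = "never" if r["age_days"] is None else f"{r['age_days']:>4} days"
        flag = "STALE" if r["stale"] else "ok"
        dis = " (disabled)" if r["disabled"] else ""
        print(f"{r['sAMAccountName']:<10} {age:<10} {flag:<5} {r['operatingSystem']}{dis}")
```

Run it as-is to see the ranked list; to use it on a real export, run csvde with -l to restrict the attributes to the five in the header (csvde exports pwdLastSet and userAccountControl as decimal strings) and pass the file contents to rank_computers with a real datetime.now(timezone.utc). Changing max_age_days to 90 or 120 applies the more conservative thresholds joe mentions.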
