|
Hmmm, no not on purpose (these would have to be set on purpose…) and GPOs are still pretty clean. When I get a chance I’ll see what I can find on these, it shouldn’t be two difficult to script something to check whatever, since it’s easy to get a nice list of computers.
I know one computer in particular is in the DMZ, with a firewall in between, so perhaps the FW is blocking the password change. Others have been removed for a long time, but they do not appear in inactive list.
Thanks for everyone’s help though… Rich
From: Jorge de Almeida
Pinto [mailto:[EMAIL PROTECTED]
Hi Rich,
From my knowledge the password change request is initiated by the COMPUTER itself to a domain controller. Your output lets us believe that the computers do not change their password or something goes wrong when they want to change their password. To disable the computer account password change to solutions exist: * Configure the domain controller to negled the change request by the computer (the computer still requests to change the password!) HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters RefusePasswordChange [1|0]
* Disable the computer from requesting a passoword change. HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters DisablePasswordChange [1|0]
Is one of the above configured somehow?
Regards,
Jorge
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Jorge –
The thing I’m not understanding is why there are so many more computers with stale passwords, half of them over 6 months old, yet I only get a handful when running inactive for the same time period (12 weeks or 90 days for –stalepwd). Unless computers can log onto the domain for months without changing their password?
Thanks – Rich
From: Jorge de Almeida
Pinto [mailto:[EMAIL PROTECTED]
-inactive NumberOfWeeks (number of weeks that a PC has not logged on to the domain) Searches for all computers that have been inactive (stale) for the specified number of weeks. -stalepwd NumberOfDays (number of days that a PC uses the same password) Searches for all computers that have not changed their password for the specified number of days.
is this any help? Regards, Jorge
From: Rich
Milburn [mailto:[EMAIL PROTECTED] Does anyone know what the difference is between inactive and stale password? I see there are a lot more computers listed with the command: dsquery computer –inactive 12 than I do if I run the following: dsquery computer –stalepwd 90 I get about 10 with inactive, but 176 with stalepwd. I noticed this first because I used –inactive to clean up the directory initially, and then with Joe’s new tool I was surprised at how many must have “slipped through the cracks” – until I ran the one with –stalepwd which gives the same output as oldcmp.
Any ideas?
Rich
-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. |
- [ActiveDir] dsquery computer -inactive vs -stalepwd Rich Milburn
- Re: [ActiveDir] dsquery computer -inactive vs ... Tony Murray
- RE: [ActiveDir] dsquery computer -inactive vs ... Rich Milburn
- RE: [ActiveDir] dsquery computer -inactive vs ... Jorge de Almeida Pinto
- RE: [ActiveDir] dsquery computer -inactive vs ... rmcdonald
- RE: [ActiveDir] dsquery computer -inactive vs ... Rich Milburn
- RE: [ActiveDir] dsquery computer -inactive vs ... Jorge de Almeida Pinto
- Rich Milburn
