Several things

1. Yes, computer accounts can be expired (do not confuse this with password
expiration); in fact, oldcmp will expire accounts for you as well with the
-stamp option. You use it with disable, though the help is screwed up on it,
so if you weren't aware, don't worry, my fault. The intent is to mark it so
you know when the account was disabled.

ADUC doesn't expose the ability to expire. However it can be done. The
computer account will be unavailable when the computer tries to auth as
well. You could also just disable the account and get the same effect.


2. Computer account passwords do not expire. The computers reset them on
their own time frame. By default, NT will do it every 7 days. 2K+ will do it
every 30 days. However, it isn't required.


3. lastLogonTimeStamp does indeed work on computers, use -llts in oldcmp to
use it. 


4. lastLogonTimeStamp is updated based on a value setting on the NC head
object, specifically the msDS-LogonTimeSyncInterval attribute. The default
is not set and I believe that translates, as Al indicated to 7 days, but for
some reason I sometimes think 10 days. This can be modified, for instance I
have my test lab set to 4 days right now. Replication of that attribute is
normal replication, it is the updating of it that is staggered. You don't
just want to arbitrarily crank this value down because it could cause
considerable replication if you have lots of machines.


5. Definitely disable and possibly move to a different location. If you are
just starting I would recommend creating a report of all machines over, say,
180 days old for passwords or lastLogonTimeStamp. Look at the range and if
you have stuff way out there like 200+ days, slowly start working with those
and work your way back to, say, 90 or so days. Keep the help desk in the loop
to let them know this is happening, maybe even supplying them the reports
that oldcmp generates. Tell users they need to hook up to the corporate
network every 90 or so days at least or risk having to contact the help desk
to get their machine re-added to the domain. You don't want to be held
hostage and be unable to clean up, because it could get to be quite a mess.


  joe
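As an added example, not part of this thread and not oldcmp's own code, here is the procedure from points 4 and 5 above as a PowerShell script: it reads msDS-LogonTimeSyncInterval from the domain NC head, reports enabled computers whose pwdLastSet AND lastLogonTimeStamp are both older than the cutoff (Al's point that neither indicator is enough on its own), writes the report for the help desk, and only with -Disable stamps the description, disables the account and moves it. Assumptions not on the page: the RSAT ActiveDirectory module is installed, the DisabledOU DN is a placeholder you replace, and 14 days is assumed for the sync interval when the attribute is not set (the thread itself is unsure of the default; override with -DefaultSyncDays).

```powershell
<#
Added example: report, stamp, disable and move stale computer accounts.
Not from the ActiveDir thread or the oldcmp tool. Assumes the RSAT
ActiveDirectory module, rights to modify computer objects, and that the
OU given in -DisabledOU exists (the DN below is a placeholder).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$StaleDays = 180,             # start wide, then work back toward 90 days
    [int]$DefaultSyncDays = 14,        # ASSUMED default when msDS-LogonTimeSyncInterval is unset
    [string]$DisabledOU = 'OU=Disabled Computers,DC=example,DC=com',   # placeholder DN
    [string]$ReportPath = ".\stale-computers-$(Get-Date -Format yyyyMMdd).csv",
    [switch]$Disable                   # without this switch the script only reports
)

Import-Module ActiveDirectory

# lastLogonTimeStamp is only refreshed when the stored value is older than
# msDS-LogonTimeSyncInterval (set on the NC head object), so widen the logon
# cutoff by that many days: an active machine may legitimately carry a stamp
# that old without having been absent.
$ncHead   = Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties 'msDS-LogonTimeSyncInterval'
$syncDays = if ($ncHead.'msDS-LogonTimeSyncInterval') { [int]$ncHead.'msDS-LogonTimeSyncInterval' } else { $DefaultSyncDays }

$pwdCutoff   = (Get-Date).AddDays(-$StaleDays)
$logonCutoff = $pwdCutoff.AddDays(-$syncDays)

function ConvertFrom-FileTime([Int64]$Value) {
    # Both attributes are 64-bit FILETIME values; 0 or missing means never set.
    if ($Value -gt 0) { [DateTime]::FromFileTimeUtc($Value) } else { [DateTime]::MinValue }
}

$stale = Get-ADComputer -Filter 'Enabled -eq $true' `
            -Properties pwdLastSet, lastLogonTimeStamp, operatingSystem, description |
    ForEach-Object {
        $pwd   = ConvertFrom-FileTime $_.pwdLastSet
        $logon = ConvertFrom-FileTime $_.lastLogonTimeStamp
        # Require BOTH indicators to be old; either one alone misfires.
        if ($pwd -lt $pwdCutoff -and $logon -lt $logonCutoff) {
            [pscustomobject]@{
                Name               = $_.Name
                DistinguishedName  = $_.DistinguishedName
                OperatingSystem    = $_.operatingSystem
                PwdLastSet         = $pwd
                LastLogonTimeStamp = $logon
                Description        = $_.description
            }
        }
    }

# The report is what you hand the help desk before anything is disabled.
$stale | Sort-Object PwdLastSet | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} enabled computer(s) older than {1} days (logon window widened by {2} days); report: {3}" -f `
    @($stale).Count, $StaleDays, $syncDays, $ReportPath)

if ($Disable) {
    foreach ($c in $stale) {
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "stamp, disable and move to $DisabledOU")) {
            # Stamp the description so it is obvious later when and why the account
            # was disabled (the same intent as oldcmp's -stamp), disable it, and move
            # it last because the DN changes once the object is moved.
            $stamp = 'Disabled as stale on {0:yyyy-MM-dd} (pwdLastSet {1:yyyy-MM-dd}); was: {2}' -f `
                     (Get-Date), $c.PwdLastSet, $c.Description
            Set-ADComputer    -Identity $c.DistinguishedName -Description $stamp
            Disable-ADAccount -Identity $c.DistinguishedName
            Move-ADObject     -Identity $c.DistinguishedName -TargetPath $DisabledOU
        }
    }
}
```

Run it without -Disable first and look at the CSV's date range; when you do add -Disable, -WhatIf shows each object that would be stamped, disabled and moved, which is how you work the cutoff back from 180 days toward 90 without surprising the help desk.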

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, March 17, 2005 9:22 AM
To: [email protected]
Subject: RE: [ActiveDir] Can you expire a computer account in AD

I suppose the limitations should be pointed out, so here goes.

The reason you wouldn't want just lastlogontimestamp is something that was
discussed here a little while back.  Basically, it's that as a datapoint,
it's not enough information to accurately figure out which objects are not
being used. To make it worse, LLTStamp is a replicated and latent attribute.
Put another way, its accuracy is only within 7 days, which is the
replication schedule for that attribute.  Comp accounts are 30 day
intervals, but you run the risk of disabling/removing something that is a
valid account if you rely on this solely.  Using this in conjunction with
password last set should reduce the error rate exponentially, as it's yet
another indicator of activity.  Keep in mind that a valid computer account
neither has to log on nor change its password on that schedule to be
valid.  Consider laptops as an example, especially laptops that stay off the
network for long periods of time (a year at a time?).

I can honestly say that I think it's ridiculous to have a corporate resource
that stays off the network for extended periods, but they do exist and have
to be accounted for in some fashion.  I believe that's why the requirement
to disable vs. remove entirely came into the picture. 

Just something to be aware of when using this information.  

Al

  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Thursday, March 17, 2005 9:01 AM
To: [email protected]
Subject: Re: [ActiveDir] Can you expire a computer account in AD

it is in oldcmp:

oldcmp -llts

[EMAIL PROTECTED] wrote:
> I read this somewhere and had to confirm.  Looks like if you're 2003 
> domain functional - lastLogonTimestamp works for computers as well.
> Unfortunately, it's not exposed in tools like DSGET.  Maybe joe will 
> add this as a switch to oldcmp - as well as user accounts.
> 
> -m
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of P West
> Sent: Tuesday, March 15, 2005 3:24 PM
> To: [email protected]
> Subject: Re: [ActiveDir] Can you expire a computer account in AD
> 
> That's exactly what I intend to do. Disable those suckers.
> 
> 
> thanks all
> ----- Original Message -----
> From: "Mulnick, Al" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Tuesday, March 15, 2005 2:44 PM
> Subject: RE: [ActiveDir] Can you expire a computer account in AD
> 
> 
> 
>>Because it derives from the User class, I can't think of a reason why you
>>couldn't set that value.  I'm not sure (and have no way to test at the
>>moment) if that value would be valid for what you're doing however.
>>
>>You could just disable the computer accounts vs. expire them.  That's 
>>available from the GUI if you want to access it that way else it's 
>>scriptable.
>>
>>al
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of P West
>>Sent: Tuesday, March 15, 2005 2:28 PM
>>To: [email protected]
>>Subject: Re: [ActiveDir] Can you expire a computer account in AD
>>
>>thanks AL
>>thanks Tom
>>
>>
>>
>>OK, I used oldcmp, among others, and the pwdlastset (oldcmp works great) came
>>back Feb 2000 even though the password expiration says March 20 2005.
>>
>>I don't think there's an issue with locating old accounts with pwdlastset; the
>>thing is, what's up with a password expiration date of March 20 2005 if the
>>pwdlastset is Feb 2000? This password for a PC account should get reset every
>>30 days.
>>
>>The ping was a great idea, we were planning on doing it.  But our DNS
>>records are not so clean, so you can ping a PC and get a response but it's a
>>different PC name when you ping -a the IP address.  DNS scavenging is getting
>>turned on, but I think the issue may still exist.
>>
>>One last point.  Can you or can't you expire a computer account in AD? I don't
>>think you can. I tried to google it; next I'm calling MS to ask, but I wanted
>>to know what you folks' opinion on it was.
>>----- Original Message -----
>>From: "Mulnick, Al" <[EMAIL PROTECTED]>
>>To: <[email protected]>
>>Sent: Tuesday, March 15, 2005 2:10 PM
>>Subject: RE: [ActiveDir] Can you expire a computer account in AD
>>
>>
>>
>>>He beat me to it ;0)
>>>
>>>You may also want to couple that with a simple ping method to validate if
>>>the machine actually exists or not.  Might cross reference it with DHCP/DNS
>>>if ping is too much overhead.
>>>
>>>Just some thoughts.
>>>
>>>Al
>>>
>>>-----Original Message-----
>>>From: [EMAIL PROTECTED]
>>>[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
>>>Sent: Tuesday, March 15, 2005 1:55 PM
>>>To: [email protected]
>>>Subject: Re: [ActiveDir] Can you expire a computer account in AD
>>>
>>>P West wrote:
>>>
>>>>We are trying to clean up old AD pc accounts.  Have used every tool
>>>>under the sun to come up with the pwdlastset to show old accounts.
>>>>
>>>>example
>>>>One pc says the pwdlast set is feb 2000 when our ad guy looks at 
>>>>password expiration the dates are say march 20 2005.  but the 
>>>>pwdlastset date is feb 2000.
>>>>
>>>>For some reason the pwdlastset is not updating, or at least that's what
>>>>I'm thinking.
>>>
>>>try to use Joe's oldcmp tool:
>>>http://www.joeware.net/win/free/tools/oldcmp.htm
>>>
>>>
>>>--
>>>Tomasz Onyszko [MVP]
>>>[EMAIL PROTECTED]
>>>http://www.w2k.pl
>>>List info   : http://www.activedir.org/List.aspx
>>>List FAQ    : http://www.activedir.org/ListFAQ.aspx
>>>List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/