Yeah, I have been thinking about that one for a while. I don't just want to do it; I would want to do it efficiently and with some measure of a guarantee, which is tough, especially in large environments or environments with WAN sites (for instance, if there are one or more DCs that you can't contact, how do you make ANY decisions? You don't have all of the info). You could disable an ID that is absolutely in use; you just didn't talk to the one DC that it authenticates against. Using lastLogon can be dangerous, in my opinion. lastLogonTimeStamp is also a bit touchy, but at least if the DC connects occasionally the stamps should get updated. I visualize I would have to add switches like "allow X DCs to not respond and still do something", or allow a list of DCs to be specified so that if they don't respond it doesn't matter what they have to say. Of course speed and possibly memory could be impacted.

To be honest, my favorite method is to use pwdLastSet. I think folks who like to have non-expiring IDs are a bit kookoo.
:o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Adner
Sent: Saturday, November 26, 2005 11:46 AM
To: [email protected]
Subject: RE: [ActiveDir] OldCmp

I scanned through the list of current switches and you appear to already have everything I was going to ask for. :)

The only item I wasn't 100% certain on was whether it can query lastLogon. I saw references to pwdLastSet and lastLogonTimeStamp. The ability to query lastLogon would be nice for environments that aren't 2003 DFL and may not have a good password policy, or where for whatever reason pwdLastSet isn't a great solution by itself. I know it's less efficient since it has to query every DC in a domain, but it's still useful in certain scenarios.
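The two messages above describe the same problem from both sides: lastLogon is not replicated, so a stale-account check has to ask every DC and take the newest value, and an unreachable DC means the answer may be wrong. The following is an added example, not OldCmp's code or anything from the list; it models the two switches the reply proposes ("allow X DCs to not respond" and "ignore this list of DCs") as parameters, and decides staleness from per-DC lastLogon values stored as Windows FILETIME integers. The LDAP queries themselves are left out; the DC names and timestamps are constructed, and a DC that did not answer is represented as None.

```python
"""Decide whether an account is stale from per-DC lastLogon answers.

Added example (not OldCmp's code). lastLogon is not replicated, so each
DC holds its own value and the newest one wins; a DC that did not answer
is modelled as None. DC names and FILETIME values used below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

# lastLogon / lastLogonTimeStamp are stored as Windows FILETIME:
# 100-nanosecond ticks since 1601-01-01 UTC; 0 means "never".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10


def utc_day(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given date (helper for constructed samples)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a FILETIME large integer to a UTC datetime (None for 0)."""
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer division keeps full precision."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * TICKS_PER_MICROSECOND


class DecisionRefused(Exception):
    """Raised when too many DCs were unreachable to trust the answer."""


def effective_last_logon(
    responses: Dict[str, Optional[int]],
    max_unreachable: int = 0,
    ignorable_dcs: Iterable[str] = (),
) -> int:
    """Return the newest lastLogon across DCs, or refuse to decide.

    responses maps DC name -> FILETIME (0 = never on that DC) or None when
    the DC could not be contacted. Unreachable DCs listed in ignorable_dcs
    do not count against max_unreachable (the "ignore these DCs" switch);
    more than max_unreachable other silent DCs (the "allow X DCs" switch)
    means there is not enough information, so no decision is made.
    """
    ignorable = set(ignorable_dcs)
    unreachable = [dc for dc, ft in responses.items() if ft is None]
    counted = [dc for dc in unreachable if dc not in ignorable]
    if len(counted) > max_unreachable:
        raise DecisionRefused(
            f"{len(counted)} DC(s) unreachable ({', '.join(counted)}), "
            f"limit is {max_unreachable}; not enough info to decide"
        )
    return max((ft for ft in responses.values() if ft), default=0)


def is_stale(
    responses: Dict[str, Optional[int]],
    now: datetime,
    max_age_days: int,
    max_unreachable: int = 0,
    ignorable_dcs: Iterable[str] = (),
) -> bool:
    """True if no reachable DC saw a logon within max_age_days.

    A result of 0 (never logged on anywhere we could ask) is reported as
    stale; callers who want to spare brand-new accounts can also consult
    whenCreated before acting.
    """
    last = effective_last_logon(responses, max_unreachable, ignorable_dcs)
    last_dt = filetime_to_datetime(last)
    if last_dt is None:
        return True
    return now - last_dt > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample: three DCs, the WAN-site one not answering.
    now = utc_day(2005, 11, 26)
    sample = {
        "DC-HQ1": datetime_to_filetime(utc_day(2005, 6, 1)),
        "DC-HQ2": datetime_to_filetime(utc_day(2005, 11, 20)),
        "DC-WAN1": None,
    }
    try:
        is_stale(sample, now, 90)
    except DecisionRefused as e:
        print("refused:", e)
    print("stale with DC-WAN1 ignored:",
          is_stale(sample, now, 90, ignorable_dcs=["DC-WAN1"]))
```

With the defaults the silent DC-WAN1 makes the tool refuse rather than disable an account that may authenticate only there, which is the failure the reply warns about; passing either switch lets the decision proceed on the DCs that did answer. The same aggregation applies to lastLogonTimeStamp values, which are replicated and so need only one DC, but which the reply notes are only refreshed occasionally.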