I'm starting to think that I mucked something up when I was working with Group Policy to get the perms right for the service account.
What we're doing now, is using Netwrix's tool for the reporting. We had purchased Netwrix shortly after putting your script in place, but they didn't want to switch to the Netwrix tool, because your script was doing exactly what they had asked for. But I was able to tweak it yesterday, and put it in place on our IT OU for testing, before expanding to the entire org. From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: Thursday, May 14, 2015 9:46 AM To: [email protected] Subject: [NTSysADM] RE: MBS' password expiration script AuthUsers should also be fine. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife Sent: Thursday, May 14, 2015 12:42 PM To: '[email protected]' Subject: [NTSysADM] RE: MBS' password expiration script Authenticated users is in that group, not Domain Users. I'll have to check Netwrix to see if anyone has recently mucked with that group. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: Thursday, May 14, 2015 8:24 AM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: MBS' password expiration script What do you have in the "Pre-Windows 2000 Compatible Access" group? Has someone been recently messing with it? So I analyzed the required permissions (which is more challenging than you may think, although I may not have done it the most efficient way). If Domain Users is in the above group, then there should be no need for any special permissions. The property sets used are: Personal-Information, General-Information, Account-Restrictions. In an unmodified AD, read access to the first two are available to "Authenticated Users". Account-Restrictions is not. Read access to that property set depends on the membership in the afore-mentioned group, whether Lync is installed, or whether specific permissions have been granted to the property set, or whether using a high-privilege account/group. Granting read privileges to that property set to a specific account is a very low risk operation. I hesitate to say "no risk", just because. And, the only Exchange permission is anonymous email submit, which is present, by default, on the default (frontend) receive connector in Exchange 2007 and above. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife Sent: Wednesday, May 13, 2015 10:34 AM To: '[email protected]' Subject: [NTSysADM] RE: MBS' password expiration script That's what I figured later yesterday. Now, I'm having a new problem. Here's what I did: 1) Changed the account on the scheduled task to the normal user 2) Figured out that logon as batch is what was required 3) Successfully ran the scheduled task Now, you'd think I'm golden. But, I'm not. The results from running the task this way is that only my admin accounts, and a few folks from the server team, are getting looked at. However, these accounts are in different OUs. And, our user accounts are in the same OU as about 200ish other people, but I'm not getting those in the report that I get back. >From this point, I changed back to my admin account to run the task. Same >results as above, which really doesn't make any sense. I haven't changed >anything in the script from when it was working, so I'm really confused at >this point as to why it isn't working as it should. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Crawford, Scott Sent: Tuesday, May 12, 2015 2:42 PM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: MBS' password expiration script I have it running as a scheduled task and the user that the task runs as has the user right - "Logon as a batch job". From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife Sent: Tuesday, May 12, 2015 8:56 AM To: '[email protected]' Subject: [NTSysADM] RE: MBS' password expiration script What rights does the normal account need on the server? Logon locally? Logon as a batch? Logon as a service? I'm having issues getting this to run, with the error saying: Logon failure: the user has not been granted the requested logon type at this computer. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: Friday, May 01, 2015 8:14 AM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: MBS' password expiration script Read AD and send email. :) I don't believe that it accesses any "sensitive" attributes. So in a normal AD, a normal account should be able to do it. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife Sent: Friday, May 1, 2015 11:05 AM To: NT System Admin Issues Discussion list Subject: [NTSysADM] MBS' password expiration script When I set this up as a scheduled task, what privileges does the account that runs it need? Joe Heaton Enterprise Server Support Information Technology Operations Branch Data and Technology Division CA Department of Fish and Wildlife 1700 9th Street, 3rd Floor Sacramento, CA 95811 Desk: (916) 323-1284
