These AD object values can easily be tracked with SCCM and reported on. AD discovery gathers them when enabled.
On Tue, May 10, 2016, 6:07 AM David McSpadden <[email protected]> wrote:
> Perfect example from yesterday.
>
> Here is one that has been sitting quietly just waiting to piss me off.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Michael B. Smith
> *Sent:* Monday, May 9, 2016 11:34 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
>
> Two ways to do this, one is with pwdLastSet and the other is with lastLogonTimeStamp.
>
> lastLogonTimeStamp is the “right” answer, in that this is what the attribute is designed for. However, SAN/NAS devices and other non-traditional devices present in AD can screw it up. It is worth noting that lastLogonTimeStamp is only accurate within 9-14 days.
>
> I’ll give it a thought or two.
>
> N.B. lastLogon is the wrong answer. It isn’t synced between DCs.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Charles F Sullivan
> *Sent:* Monday, May 9, 2016 9:47 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
>
> Do you want results like this?
>
> Name : BENO
> CanonicalName : somedomain.com/comps/winxp/BENO
> LastLogonTimeStamp : 2/4/2015 12:06:46 PM
>
> If so, I use this in different variations, sometimes adding in logic for a particular OS version. I give the machines 90 days to be off the network, but change the $date variable as you see fit. If you want to include computer accounts that are disabled as well, remove “-and (Enabled -eq "true")”.
>
> import-module ActiveDirectory
>
> # Accounts whose last logon is on or before this date are reported as stale
> $date = [DateTime]::Today.AddDays(-90)
>
> # -le (not -ge) selects machines that have NOT logged on in the last 90 days
> get-adcomputer -filter { (LastLogonTimeStamp -le $date) -and (Enabled -eq "true") } -property CanonicalName,LastLogonTimeStamp |
>     Select-Object Name,CanonicalName,@{n='LastLogonTimeStamp';e={ [DateTime]::FromFileTime($_.LastLogonTimeStamp) } } |
>     sort-object -descending -property LastLogonTimeStamp |
>     format-list |
>     out-file ".\oldcomps.txt" -append
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* David McSpadden
> *Sent:* Monday, May 9, 2016 8:09 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
>
> Are computers something that will be considered later or in another script?
>
> We constantly have stale computer records because my admins are afraid to delete anything from AD.
>
> We find computer accounts in buried OU’s that have been stale for 120 days sometimes.
>
> A report of those month would clean out AD and all the applications that rely on AD information for their own reporting and management.
>
> Right now I use TrendMicro Management interface (Because it has realtime results) and reconcile with AD when I can.
>
> A report would make it so I could give the work away.
>
> So what I am asking is a list of computers by OU and last seen or login date?
>
> Not sure if it is AD Health or what but it is needed I think.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Webster
> *Sent:* Monday, May 9, 2016 6:14 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] New script: Microsoft Active Directory Health Check PowerShell Script V2.0
>
> After a lot of work by Michael B. Smith, a group of dedicated testers and myself, we have taken Jeff Wouters’ original script to V2.0.
>
> http://carlwebster.com/microsoft-active-directory-health-check-powershell-script-v2-0/
>
> Thanks
>
> Carl Webster
> Citrix Technology Professional
> http://www.CarlWebster.com
> The Accidental Citrix Admin
>
> This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited.
>
> Please consider the environment before printing this email.
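
The stale-computer report discussed in the thread, as an added example that is not code from any of the posters or from the health check script: it combines the two attributes named above (lastLogonTimeStamp and pwdLastSet), pads the cutoff by the 14-day lastLogonTimeStamp lag, and groups results by OU. The function name `Get-StaleComputer`, the "both attributes must be old" rule, and the sample objects other than BENO's name and path are assumptions made for illustration.

```powershell
# Added example, not from the thread. Flags a computer as stale only when BOTH
# lastLogonTimestamp and pwdLastSet are older than the cutoff (an assumed rule).
function Get-StaleComputer {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int] $StaleDays = 90,            # the 90-day allowance used in the thread
        [int] $SlackDays = 14,            # lastLogonTimestamp can lag by up to 14 days
        [DateTime] $Now = (Get-Date)
    )
    begin {
        $cutoff = $Now.AddDays(-($StaleDays + $SlackDays))
        # Both attributes are FILETIME integers; 0 or empty means "never set".
        $toDate = { param($ft) if ($ft) { [DateTime]::FromFileTime($ft) } else { [DateTime]::MinValue } }
    }
    process {
        $logon  = & $toDate $Computer.lastLogonTimestamp
        $pwdSet = & $toDate $Computer.pwdLastSet
        if ($logon -lt $cutoff -and $pwdSet -lt $cutoff) {
            $cn = $Computer.CanonicalName
            [pscustomobject]@{
                OU         = $cn.Substring(0, $cn.LastIndexOf('/'))   # path without the leaf name
                Name       = $Computer.Name
                LastLogon  = $logon
                PwdLastSet = $pwdSet
            }
        }
    }
}

# Constructed sample objects shaped like Get-ADComputer output.
$now = [DateTime]'2016-05-10'
$mk  = { param($n, $ou, $logonDaysAgo, $pwdDaysAgo)
    [pscustomobject]@{
        Name               = $n
        CanonicalName      = "somedomain.com/$ou/$n"
        lastLogonTimestamp = $now.AddDays(-$logonDaysAgo).ToFileTime()
        pwdLastSet         = $now.AddDays(-$pwdDaysAgo).ToFileTime()
    }
}
$sample = @(
    (& $mk 'BENO'    'comps/winxp' 461 470)   # old on both attributes: reported
    (& $mk 'WS-0142' 'comps/win7'  95  96)    # inside the 14-day slack: not reported
    (& $mk 'FILER01' 'servers/nas' 300 12)    # logon stale, password recent: not reported
)
$sample | Get-StaleComputer -Now $now | Sort-Object OU, LastLogon | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADComputer -Filter 'Enabled -eq $true' -Properties CanonicalName,lastLogonTimestamp,pwdLastSet |
#     Get-StaleComputer | Sort-Object OU, LastLogon | Export-Csv .\stale-computers.csv -NoTypeInformation
```

With the constructed sample only BENO is listed; the output is a review list for an administrator, and nothing in the script disables or deletes accounts.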

