Pre-PowerShell. :) This comment is the most important: At the end of the day, you need to know what is right for your environment, understand what the attributes mean, how they behave etc. and develop the process to manage them accordingly.
Completely agree with you.

From: [email protected] [mailto:[email protected]] On Behalf Of Free Jr., Bob
Sent: Wednesday, May 11, 2016 4:55 PM
To: [email protected]
Subject: [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0

Oldcmp is awesome (I helped joe with the initial testing cycle and even got my name in the credits <G>). We use it as part of our process to delete thousands of computers a year.

That said... Keep in mind that pwdset isn't a panacea. Computer password changes are initiated by the client. [1] There is a GPO that can disable that behavior so they are never reset. A critical computer that has been off the network for quite some time can be booted up and authenticate. Yada Yada Yada

At the end of the day, you need to know what is right for your environment, understand what the attributes mean, how they behave etc. and develop the process to manage them accordingly.

Asset management should be based on more than just attributes in AD but you can certainly infer a lot from them. Maybe everything in your environment, I can't say for sure.

[1] Machine account passwords as such do not expire in Active Directory. They are exempted from the domain's password policy. It is important to remember that machine account password changes are driven by the CLIENT (computer), and not the AD. As long as no one has disabled or deleted the computer account, nor tried to add a computer with the same name to the domain, (or some other destructive action), the computer will continue to work no matter how long it has been since its machine account password was initiated and changed. So if a computer is turned off for three months nothing expires. When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it. The Netlogon service on the client computer is responsible for doing this. This is only applicable if the machine is turned off for such a long time.

From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: Tuesday, May 10, 2016 6:30 AM
To: [email protected]
Subject: [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0

Sorry, just saw this. Oldcmp from Joeware might help you. Just schedule task it up with the right parameters. And as mentioned, password last set is what it uses as it is the only reliable method. So you have to adjust your disable period to account for that.

http://www.joeware.net/freetools/tools/oldcmp/

From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
Sent: Monday, May 9, 2016 8:15 AM
To: [email protected]
Subject: [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0

Are computers something that will be considered later or in another script? We constantly have stale computer records because my admins are afraid to delete anything from AD. We find computer accounts in buried OUs that have been stale for 120 days sometimes. A report of those month would clean out AD and all the applications that rely on AD information for their own reporting and management. Right now I use TrendMicro Management interface (Because it has realtime results) and reconcile with AD when I can. A report would make it so I could give the work away. So what I am asking is a list of computers by OU and last seen or login date? Not sure if it is AD Health or what but it is needed I think.

From: [email protected] [mailto:[email protected]] On Behalf Of Webster
Sent: Monday, May 9, 2016 6:14 AM
To: [email protected]
Subject: [NTSysADM] New script: Microsoft Active Directory Health Check PowerShell Script V2.0

After a lot of work by Michael B. Smith, a group of dedicated testers and myself, we have taken Jeff Wouters' original script to V2.0.

http://carlwebster.com/microsoft-active-directory-health-check-powershell-script-v2-0/

Thanks

Carl Webster
Citrix Technology Professional
http://www.CarlWebster.com
The Accidental Citrix Admin
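
The report asked for in the thread (computers by OU with a last-seen value), written to account for the caveat that pwdLastSet alone can mislead when password changes are disabled by GPO. This is an added example, not part of any message above or of the Health Check script. It assumes `lastLogonTimestamp` as the "last seen" value, a 120-day threshold, and the hypothetical function name `Get-StaleComputerReport`; the sample objects are constructed.

```powershell
# Added example. Pipe in objects carrying Name, DistinguishedName, Enabled,
# pwdLastSet and lastLogonTimestamp, for instance from:
#   Get-ADComputer -Filter * -Properties pwdLastSet, lastLogonTimestamp
function Get-StaleComputerReport {   # hypothetical name, not from the thread
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int] $StaleDays = 120,      # assumed threshold (the 120 days mentioned in the thread)
        [datetime] $Now = ([datetime]::UtcNow)
    )
    begin {
        # Both attributes are FILETIME integers; 0 or missing means "never set".
        function Get-AgeDays([long] $FileTime) {
            if ($FileTime -le 0) { return $null }
            [int][math]::Floor(($Now - [datetime]::FromFileTimeUtc($FileTime)).TotalDays)
        }
    }
    process {
        $pwdAge   = Get-AgeDays $Computer.pwdLastSet
        $logonAge = Get-AgeDays $Computer.lastLogonTimestamp
        $pwdOld   = ($null -eq $pwdAge)   -or ($pwdAge   -gt $StaleDays)
        $logonOld = ($null -eq $logonAge) -or ($logonAge -gt $StaleDays)

        # An old password with a recent logon is the "GPO disabled password
        # changes" case: the machine is alive, so it is flagged for review
        # instead of being treated as stale.
        if ($pwdOld -and $logonOld) { $status = 'Stale' }
        elseif ($pwdOld)            { $status = 'Review: password not rotating' }
        else                        { $status = 'Active' }

        [pscustomobject]@{
            # Parent container: the DN minus its first RDN (escaped commas respected).
            OU           = $Computer.DistinguishedName -replace '^CN=.+?(?<!\\),', ''
            Name         = $Computer.Name
            Enabled      = $Computer.Enabled
            PwdAgeDays   = $pwdAge
            LogonAgeDays = $logonAge
            Status       = $status
        }
    }
}

# Constructed sample data (not real hosts), so the function runs without a domain.
$now = [datetime]::UtcNow
$ft  = { param($days) $now.AddDays(-$days).ToFileTimeUtc() }
$sample = @(
    [pscustomobject]@{ Name='PC-OLD'; DistinguishedName='CN=PC-OLD,OU=Buried,OU=Branch,DC=example,DC=test'; Enabled=$true; pwdLastSet=(& $ft 200); lastLogonTimestamp=(& $ft 190) }
    [pscustomobject]@{ Name='SRV-NOROTATE'; DistinguishedName='CN=SRV-NOROTATE,OU=Servers,DC=example,DC=test'; Enabled=$true; pwdLastSet=(& $ft 400); lastLogonTimestamp=(& $ft 3) }
    [pscustomobject]@{ Name='PC-OK'; DistinguishedName='CN=PC-OK,OU=Branch,DC=example,DC=test'; Enabled=$true; pwdLastSet=(& $ft 12); lastLogonTimestamp=(& $ft 2) }
)
$sample | Get-StaleComputerReport -Now $now | Sort-Object OU, Name | Format-Table -AutoSize
```

`lastLogonTimestamp` is replicated but only updated at intervals of roughly two weeks by default, so thresholds should stay well above that.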

