When I was a kid we played with a stick with a propeller on the end. You spin
it between your hands and it flies like a helicopter. Now kids play with remote
control drones that fly like helicopters. Same result, except that now the toy
does all the work and the kid gets no exercise. :(
OK, yes, I am that old. :)
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
From: [email protected] On Behalf Of Kennedy, Jim
Sent: Thursday, May 12, 2016 8:15 AM
To: [email protected]
Subject: [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
You kids with your newfangled toys. :)
From: [email protected] On Behalf Of Michael B. Smith
Sent: Wednesday, May 11, 2016 5:10 PM
To: [email protected]
Subject: [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
Pre-PowerShell. :)
This comment is the most important: At the end of the day, you need to know
what is right for your environment, understand what the attributes mean, how
they behave etc. and develop the process to manage them accordingly.
Completely agree with you.
From: [email protected] On Behalf Of Free Jr., Bob
Sent: Wednesday, May 11, 2016 4:55 PM
To: [email protected]
Subject: [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
Oldcmp is awesome (I helped joe with the initial testing cycle and even got my
name in the credits <G>)
We use it as part of our process to delete thousands of computers a year. That
said...
Keep in mind that pwdset isn't a panacea. Computer password changes are
initiated by the client. [1]
There is a GPO that can disable that behavior so they are never reset.
A critical computer that has been off the network for quite some time can be
booted up and authenticate.
Yada Yada Yada
At the end of the day, you need to know what is right for your environment,
understand what the attributes mean, how they behave etc. and develop the
process to manage them accordingly.
Asset management should be based on more than just attributes in AD but you can
certainly infer a lot from them. Maybe everything in your environment, I can't
say for sure.
[1] Machine account passwords as such do not expire in Active Directory. They
are exempted from the domain's password policy. It is important to remember
that machine account password changes are driven by the CLIENT (computer), and
not the AD. As long as no one has disabled or deleted the computer account, nor
tried to add a computer with the same name to the domain, (or some other
destructive action), the computer will continue to work no matter how long it
has been since its machine account password was initiated and changed.
So if a computer is turned off for three months nothing expires. When the
computer starts up, it will notice that its password is older than 30 days and
will initiate action to change it. The Netlogon service on the client computer
is responsible for doing this. This is only applicable if the machine is turned
off for such a long time.
From: [email protected] On Behalf Of Kennedy, Jim
Sent: Tuesday, May 10, 2016 6:30 AM
To: [email protected]
Subject: [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
Sorry, just saw this.
Oldcmp from Joeware might help you. Just schedule task it up with the right
parameters. And as mentioned, password last set is what it uses as it is the
only reliable method. So you have to adjust your disable period to account for
that.
http://www.joeware.net/freetools/tools/oldcmp/
From: [email protected] On Behalf Of David McSpadden
Sent: Monday, May 9, 2016 8:15 AM
To: [email protected]
Subject: [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
Are computers something that will be considered later or in another script?
We constantly have stale computer records because my admins are afraid to
delete anything from AD.
We find computer accounts in buried OUs that have been stale for 120 days
sometimes.
A report of those month would clean out AD and all the applications that rely
on AD information for their own reporting and management.
Right now I use TrendMicro Management interface (Because it has realtime
results) and reconcile with AD when I can.
A report would make it so I could give the work away.
So what I am asking is a list of computers by OU and last seen or login date?
Not sure if it is AD Health or what but it is needed I think.
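Added example (not part of the original thread, and not code from oldcmp or the health check script): one way to build the per-OU report asked for above while honoring the caveat raised earlier in the thread that password last set alone can mislead when clients never rotate their password. The function name, the 120-day threshold, the status labels and the sample rows are assumptions made for illustration.

```powershell
# Added example: stale-computer report by OU from pwdLastSet and lastLogonTimestamp.
# Against a live domain the input would come from the ActiveDirectory module:
#   Get-ADComputer -Filter * -Properties pwdLastSet,lastLogonTimestamp
function Get-StaleComputerReport {
    param(
        [Parameter(Mandatory)] [object[]] $Computer,
        [int] $StaleDays = 120,                  # assumed threshold; tune per environment
        [datetime] $Now = [datetime]::UtcNow
    )
    foreach ($c in $Computer) {
        # Both attributes are FILETIME values (100 ns ticks since 1601 UTC); 0 or empty = never set
        $pwdAge = $logonAge = $null
        if ($c.pwdLastSet)         { $pwdAge   = ($Now - [datetime]::FromFileTimeUtc($c.pwdLastSet)).Days }
        if ($c.lastLogonTimestamp) { $logonAge = ($Now - [datetime]::FromFileTimeUtc($c.lastLogonTimestamp)).Days }
        $pwdOld   = ($null -eq $pwdAge)   -or ($pwdAge   -ge $StaleDays)
        $logonOld = ($null -eq $logonAge) -or ($logonAge -ge $StaleDays)

        # Old password but recent logon: the machine is alive and simply not rotating
        # its password (for example, rotation disabled by policy), so do not delete it.
        $status = 'Active'
        if ($pwdOld -and $logonOld) { $status = 'Stale' }
        elseif ($pwdOld)            { $status = 'Review' }

        [pscustomobject]@{
            # Parent container: drop the first RDN, allowing for escaped commas in the CN
            OU           = $c.DistinguishedName -replace '^(?:\\.|[^,\\])+,', ''
            Name         = $c.Name
            PwdAgeDays   = $pwdAge
            LogonAgeDays = $logonAge
            Status       = $status
        }
    }
}

# Constructed sample rows standing in for Get-ADComputer output (names and DNs are made up)
$now = [datetime]::new(2016, 5, 12, 0, 0, 0, [DateTimeKind]::Utc)
$ft  = { param($days) $now.AddDays(-$days).ToFileTimeUtc() }
$sample = @(
    [pscustomobject]@{ Name = 'PC-ACTIVE';    DistinguishedName = 'CN=PC-ACTIVE,OU=Desks,DC=example,DC=test'
                       pwdLastSet = (& $ft 10);  lastLogonTimestamp = (& $ft 5) }
    [pscustomobject]@{ Name = 'PC-GONE';      DistinguishedName = 'CN=PC-GONE,OU=Desks,DC=example,DC=test'
                       pwdLastSet = (& $ft 200); lastLogonTimestamp = (& $ft 190) }
    [pscustomobject]@{ Name = 'SRV-NOROTATE'; DistinguishedName = 'CN=SRV-NOROTATE,OU=Servers,DC=example,DC=test'
                       pwdLastSet = (& $ft 400); lastLogonTimestamp = (& $ft 3) }
)
Get-StaleComputerReport -Computer $sample -Now $now | Sort-Object OU, Name | Format-Table -AutoSize
```

With the constructed rows, PC-GONE comes out as Stale, SRV-NOROTATE as Review and PC-ACTIVE as Active.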
From: [email protected] On Behalf Of Webster
Sent: Monday, May 9, 2016 6:14 AM
To: [email protected]
Subject: [NTSysADM] New script: Microsoft Active Directory Health Check PowerShell Script V2.0
After a lot of work by Michael B. Smith, a group of dedicated testers and
myself, we have taken Jeff Wouters' original script to V2.0.
http://carlwebster.com/microsoft-active-directory-health-check-powershell-script-v2-0/
Thanks
Carl Webster
Citrix Technology Professional
http://www.CarlWebster.com
The Accidental Citrix Admin