thepip3r (Hey THIS is FUN)
2005-05-25 08:48 PM
Active Directory Query Question

Is there an Active Directory query function that will return "lastlogon" of all objects where you can specify a time constraint? i.e. query for all computers in the domain that haven't logged on in over 45 days?

Re: Active Directory Query Question

Try looking at my MachAcctPWage.exe from http://home.comcast.net/~habullock/Perlutilities.htm
You can also code this yourself in KiXtart if you desire. Let us know what you want to do.

thepip3r (Hey THIS is FUN)
2005-05-25 11:26 PM
Re: Active Directory Query Question

In the Perl script, aren't you just converting the time to seconds? Doesn't the value have to be in nanoseconds?
Code:
my $password_age = ${$user}{'password_age'}/60/60/24;   # seconds -> days
$password_age =~ s/\..*$//;                             # drop the fractional part

thepip3r (Hey THIS is FUN)
2005-05-25 11:31 PM
Re: Active Directory Query Question

Also, can you tell me why this:
Code:
$nanoDays = 1000000000 * 60
outputs -129542144?

Chris S. (MM club member)
2005-05-25 11:45 PM
Re: Active Directory Query Question

I converted Howard's script a long time ago. It is in the UDF library as CompAcctPswdAge().

Chris S. (MM club member)
2005-05-25 11:50 PM
Re: Active Directory Query Question

In fact, I have a GUI version of it here.

thepip3r (Hey THIS is FUN)
2005-05-26 01:00 AM
Re: Active Directory Query Question

That function doesn't handle specifying different OUs in active directory though. I need a function that will allow me to do that...

Les (KiX Master)
2005-05-26 01:34 AM
Re: Active Directory Query Question

So, just use the LDAP provider instead of WinNT.

Chris S. (MM club member)
2005-05-26 05:19 PM
Re: Active Directory Query Question

Here is an example of a query using fnLDAPQuery(). This also requires Bryce's ADD() and FlipcTime() UDFs.
Code:
Break On
Call "fnADD.kix"
Call "fnFlipcTime.kix"
Call "fnLDAPQuery.kix"

$Date = "2005/1/22"
$Time = "00:00:00"
; Local date/time -> seconds since 1970 (UTC, -4 hour offset)
$sDate = "" + FlipcTime($Date,$Time,-4)
; Seconds since 1970 -> seconds since 1601, then 100-ns units by appending seven zeros.
; Done as string arithmetic (ADD UDF) because the result does not fit a 32-bit integer.
$sDate = Add('11644473600',$sDate) + "0000000"

$sWhat = "Name","ADsPath"
;$sFrom = "LDAP://" + GetObject("LDAP://rootDSE").Get("defaultNamingContext")
$sFrom = "LDAP://OU=Remote,OU=Accounts,DC=your,DC=domain,DC=com"

; Search for users who are not disabled and w/o the "NoExpiry" flag set and have not changed their pwd by a certain date.
$sFilter = "(&(objectCategory=person)(objectClass=user)(pwdLastSet<=" + $sDate + ")" +
           "(!userAccountControl:1.2.840.113556.1.4.803:=2)" +
           "(!userAccountControl:1.2.840.113556.1.4.803:=65536))"
$sScope = "subtree"

$aResults = fnLDAPQuery($sWhat,$sFrom,$sFilter,"Name",$sScope)
@ERROR " : " @SERROR ?

For Each $Result in $aResults
  If VarType($Result)>8192
    For Each $R in $Result
      $R ?
    Next
  Else
    $Result ?
  EndIf
Next
?
UBound($aResults) ?
Get $
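Two things in this thread come down to the same detail: the -129542144 result from 1000000000 * 60 earlier in the thread, and the Add('11644473600', ...) + "0000000" string trick in the script above. AD stores pwdLastSet, lastLogon and lastLogonTimestamp as a count of 100-nanosecond intervals since 1601-01-01, an 18-digit number that cannot be held in a signed 32-bit integer, so the script builds it as text instead of multiplying. The following Python is an added example, not KiXtart code from the thread or from the UDF library; it reproduces the 32-bit wrap-around, renders a cutoff date the way the script does, and assembles the same two LDAP filters. The function names, the utc() helper and the 45-day cutoff are the example's own choices.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01);
# the same constant the KiXtart script passes to Add().
EPOCH_DIFF_SECONDS = 11644473600

# userAccountControl bits excluded by the user filter in the thread.
UAC_ACCOUNTDISABLE = 2
UAC_DONT_EXPIRE_PASSWORD = 65536
# LDAP extensible-match rule meaning "bitwise AND", as used in the thread's filter.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def int32_wrap(n: int) -> int:
    """Reproduce signed 32-bit integer overflow (why 1000000000 * 60 printed -129542144)."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetime:
    """Helper (example's own) for building aware UTC datetimes."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def ad_filetime(when: datetime) -> str:
    """Render a UTC instant as the 18-digit large-integer string AD compares against.

    Built as a string, exactly like Add(...) + "0000000" in the script: seconds since
    1970 -> seconds since 1601 -> append seven zeros for 100-ns units.
    """
    if when.tzinfo is None:
        raise ValueError("use an aware UTC datetime; AD timestamps are UTC")
    unix_seconds = int(when.astimezone(timezone.utc).timestamp())
    return str(unix_seconds + EPOCH_DIFF_SECONDS) + "0000000"


def cutoff(days: int, now: Optional[datetime] = None) -> datetime:
    """UTC instant `days` days before `now` (defaults to the current time)."""
    now = now or datetime.now(timezone.utc)
    return now - timedelta(days=days)


def stale_computer_filter(cutoff_dt: datetime) -> str:
    """Computers whose machine-account password was last set on or before the cutoff."""
    return f"(&(objectClass=computer)(pwdLastSet<={ad_filetime(cutoff_dt)}))"


def stale_user_filter(cutoff_dt: datetime) -> str:
    """Enabled users without 'password never expires' whose password predates the cutoff."""
    uac = f"userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:="
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(pwdLastSet<={ad_filetime(cutoff_dt)})"
        f"(!{uac}{UAC_ACCOUNTDISABLE})"
        f"(!{uac}{UAC_DONT_EXPIRE_PASSWORD}))"
    )


if __name__ == "__main__":
    print("1000000000 * 60 in 32-bit arithmetic:", int32_wrap(1000000000 * 60))
    # 45 days before the day this was posted lands on the script's own date, 2005/4/11.
    when = cutoff(45, now=utc(2005, 5, 26))
    print(when.date(), "->", ad_filetime(when))
    print(stale_computer_filter(when))
    print(stale_user_filter(utc(2005, 1, 22)))
```

The computer filter is the one Chris S. ends up recommending below (pwdLastSet rather than a logon attribute); the resulting string can be passed to any LDAP client as the search filter.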

thepip3r (Hey THIS is FUN)
2005-05-26 05:21 PM
Re: Active Directory Query Question

OK, I'm using fnADQuery() and have gotten the function to work using this:
Code:
$aWhat = "Name", "ADSPath"
$sFrom = "LDAP://OU=IT,DC=microsoft,DC=com"
$sWhere = "objectClass = 'Computer' AND Name = 'C*'"
$sOrderBy = "Order By Name"

$aResults = fnADQuery($aWhat,$sFrom,$sWhere,$sOrderBy)
@ERROR " | " @SERROR ?

$numResults = ubound($aResults)
? $numResults

For Each $Result in $aResults
  If VarType($Result)>8192
    For Each $R in $Result
      $R ?
    Next
  Else
    $Result ?
  Endif
Next
Sleep 5
Now the UDF states that to query for an extra attribute, all you have to do is add it to the $WHAT variable. I tried adding "lastlogontimestamp" but it returned an error. The example value "Name" pulls up the computer name and the other example value "ADSPath" brings up the distinguished name. Is there a listing somewhere I can look at to know what word will give me lastlogontimestamp?

Kdyer (KiX Supporter)
2005-05-26 05:45 PM
Re: Active Directory Query Question

How about http://msdn.microsoft.com ?
Kent

thepip3r (Hey THIS is FUN)
2005-05-26 06:04 PM
Re: Active Directory Query Question

But what am I looking for on MSDN? ADODB Names for AD Objects or what?

Chris S. (MM club member)
2005-05-26 06:38 PM
Re: Active Directory Query Question

Here is a link for the LDAP names for All Attributes.
http://msdn.microsoft.com/library/en-us/adschema/adschema/attributes_all.asp

thepip3r (Hey THIS is FUN)
2005-05-26 06:45 PM
Re: Active Directory Query Question

Thanx Chris. I appreciate the link.

Chris S. (MM club member)
2005-05-26 06:52 PM
Re: Active Directory Query Question

Go back to my example and change pwdLastSet to lastLogon and adjust the date variable to 45 days ago.

Chris S. (MM club member)
2005-05-26 06:53 PM
Re: Active Directory Query Question

Oh, yeah. And use fnLDAPQuery(); it is more powerful.

Chris S. (MM club member)
2005-05-26 07:01 PM
Re: Active Directory Query Question

But...here is the kicker. Computers don't logon to the network, users do. You have to use the pwdLastSet property. Here is a better example for computer accounts...
Code:
Break On
Call "fnADD.kix"
Call "fnFlipcTime.kix"
Call "fnLDAPQuery.kix"

$Date = "2005/4/11"
$Time = "00:00:00"
; Local date/time -> seconds since 1970 (UTC, -4 hour offset)
$sDate = "" + FlipcTime($Date,$Time,-4)
; Seconds since 1970 -> seconds since 1601, then 100-ns units by appending seven zeros (as a string).
$sDate = Add('11644473600',$sDate) + "0000000"

$sWhat = "Name","ADsPath"
; Search the whole domain
$sFrom = "LDAP://" + GetObject("LDAP://rootDSE").Get("defaultNamingContext")
; Computer accounts whose machine password has not been set since the cutoff date
$sFilter = "(&(objectClass=computer)(pwdLastSet<=" + $sDate + "))"
$sScope = "subtree"

$aResults = fnLDAPQuery($sWhat,$sFrom,$sFilter,"Name",$sScope)
@ERROR " : " @SERROR ?

For Each $Result in $aResults
  If VarType($Result)>8192
    For Each $R in $Result
      $R ?
    Next
  Else
    $Result ?
  EndIf
Next
?
UBound($aResults) ?
Get $

Re: Active Directory Query Question

Be very cautious in using lastlogon. This value is unique on each domain controller. It is not replicated. You will have to check every DC, then find the highest value, to get the true lastlogon value.
See this link near the bottom for confirmation of my statement.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_lastlogon.asp
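To make "check every DC and take the highest value" concrete, here is an added Python example (not code from the thread or from the UDF library). It decodes the 18-digit large-integer timestamps back to UTC, merges per-DC lastLogon values by taking the maximum, and flags accounts whose merged value is older than 45 days. The account names, DC names and the three-DC sample are constructed; the one real-looking value, WS01$ on DC1, is the timestamp thepip3r posts later in this thread, which decodes to 2005-05-17 16:58:58 UTC.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
EPOCH_DIFF_SECONDS = 11644473600
# AD stores 0 in lastLogon on a DC that has never authenticated the account.
NEVER = 0


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetime:
    """Helper (example's own) for building aware UTC datetimes."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def filetime_to_datetime(value: int) -> Optional[datetime]:
    """Decode an AD large-integer timestamp (100-ns ticks since 1601) to an aware UTC datetime."""
    if value == NEVER:
        return None
    seconds, ticks = divmod(value, 10_000_000)
    base = datetime.fromtimestamp(seconds - EPOCH_DIFF_SECONDS, tz=timezone.utc)
    return base + timedelta(microseconds=ticks // 10)


def true_last_logon(per_dc: Dict[str, int]) -> int:
    """lastLogon is per-DC and never replicated: the real value is the newest any DC holds."""
    return max(per_dc.values(), default=NEVER)


def is_stale(last_logon: int, now: datetime, max_age_days: int = 45) -> bool:
    """True if the account never logged on or its last logon is older than max_age_days."""
    last = filetime_to_datetime(last_logon)
    return last is None or (now - last) > timedelta(days=max_age_days)


def stale_report(accounts: Dict[str, Dict[str, int]], now: datetime, max_age_days: int = 45) -> Dict[str, bool]:
    """Map each account name to its staleness after merging every DC's lastLogon."""
    return {
        name: is_stale(true_last_logon(per_dc), now, max_age_days)
        for name, per_dc in accounts.items()
    }


# Constructed sample: lastLogon as each of three DCs would report it.
# WS01$ on DC1 is the value posted later in the thread (2005-05-17 16:58:58 UTC);
# the DC3 values correspond to 2005-04-11 00:00:00 UTC.
SAMPLE_ACCOUNTS = {
    "WS01$": {"DC1": 127608227380157206, "DC2": NEVER, "DC3": 127576512000000000},
    "WS02$": {"DC1": NEVER, "DC2": NEVER, "DC3": 127576512000000000},
    "WS03$": {"DC1": NEVER, "DC2": NEVER, "DC3": NEVER},
}


def dc3_only_view(accounts: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, int]]:
    """What a script that queries a single DC (here DC3) would see."""
    return {name: {"DC3": per_dc["DC3"]} for name, per_dc in accounts.items()}


if __name__ == "__main__":
    now = utc(2005, 6, 1)
    print("merged across DCs:", stale_report(SAMPLE_ACCOUNTS, now))
    # Asking only DC3 wrongly flags WS01$, which logged on via DC1 two weeks earlier.
    print("DC3 only         :", stale_report(dc3_only_view(SAMPLE_ACCOUNTS), now))
```

Run against a single DC, the report flags WS01$ as stale; merged across all three it does not, which is exactly the false positive the warning above is about. lastLogonTimestamp, raised as the alternative further down, is replicated, but it is only refreshed when the stored value is roughly 9 to 14 days old, so it is a coarse indicator rather than an exact one.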

thepip3r (Hey THIS is FUN)
2005-05-26 08:29 PM
Re: Active Directory Query Question

Yes but that's why I wanted to use lastlogontimestamp because it is replicated across the DCs so it doesn't matter which one you query...

Chris S. (MM club member)
2005-05-26 08:31 PM
Re: Active Directory Query Question

Yes, I know this and agree, using pwdLastSet is a much more reliable indication of an orphaned account.

Chris S. (MM club member)
2005-05-26 08:33 PM
Re: Active Directory Query Question

Again, Computer accounts do not logon so this property is unavailable for computers.

thepip3r (Hey THIS is FUN)
2005-05-26 08:44 PM
Re: Active Directory Query Question

Are you sure, Chris? Because I wrote an AD query tool using PHP and I can query for cn=%computername% and it returns a lastlogontimestamp....
Query for a computer account:
Code:
[lastlogontimestamp] => Array ( [count] => 1 [0] => 127608227380157206 )
[35] => lastlogontimestamp

Chris S. (MM club member)
2005-05-26 09:47 PM
Re: Active Directory Query Question

I was able to return information using lastLogonTimestamp, however it returned 50% of the results that using pwdLastSet did.

thepip3r (Hey THIS is FUN)
2005-05-26 10:16 PM
Re: Active Directory Query Question

Ok... thanx again Chris.