thepip3r
(Hey THIS is FUN)
2005-05-25 08:48 PM
Active Directory Query Question

Is there an Active Directory query function that will return "lastlogon" of all objects where you can specify a time constraint? i.e. Query for all computers in the domain that haven't logged on in over 45 days??

Howard Bullock
(KiX Supporter)
2005-05-25 09:34 PM
Re: Active Directory Query Question

Try looking at my MachAcctPWage.exe from http://home.comcast.net/~habullock/Perlutilities.htm

You can also code this yourself in KiXtart if you desire. Let us know what you want to do.


thepip3r
(Hey THIS is FUN)
2005-05-25 11:26 PM
Re: Active Directory Query Question

In the Perl script, aren't you just converting the time to seconds? Doesn't the value have to be in nanoseconds?

Code:
my $password_age = ${$user}{'password_age'}/60/60/24;
$password_age =~ s/\..*$//;



thepip3r
(Hey THIS is FUN)
2005-05-25 11:31 PM
Re: Active Directory Query Question

also, can you tell me why this:

Code:
$nanoDays = 1000000000 * 60



outputs: -129542144 ????


Chris S.
(MM club member)
2005-05-25 11:45 PM
Re: Active Directory Query Question

I converted Howard's script a long time ago. It is in the UDF library as CompAcctPswdAge().

Chris S.
(MM club member)
2005-05-25 11:50 PM
Re: Active Directory Query Question

In fact, I have a GUI version of it here.

thepip3r
(Hey THIS is FUN)
2005-05-26 01:00 AM
Re: Active Directory Query Question

That function doesn't handle specifying different OUs in active directory though. I need a function that will allow me to do that...

Les
(KiX Master)
2005-05-26 01:34 AM
Re: Active Directory Query Question

So, just use the LDAP provider instead of WinNT.

Chris S.
(MM club member)
2005-05-26 05:19 PM
Re: Active Directory Query Question

Here is an example of a query using fnLDAPQuery(). This also requires Bryce's ADD() and FlipcTime() UDF's.

Code:

Break On

Call "fnADD.kix"
Call "fnFlipcTime.kix"
Call "fnLDAPQuery.kix"

$Date = "2005/1/22"
$Time = "00:00:00"

$sDate=""+FlipcTime($Date,$Time,-4)
$sDate=Add('11644473600',$sDate)+"0000000"

$sWhat = "Name","ADsPath"

;$sFrom = "LDAP://"+GetObject("LDAP://rootDSE").Get("defaultNamingContext")
$sFrom = "LDAP://OU=Remote,OU=Accounts,DC=your,DC=domain,DC=com"

; Search for users who are not disabled and w/o the "NoExpiry" flag set and have not changed their pwd by a certain date.
$sFilter = "(&(objectCategory=person)(objectClass=user)(pwdLastSet<="+$sDate+")"+
"(!userAccountControl:1.2.840.113556.1.4.803:=2)"+
"(!userAccountControl:1.2.840.113556.1.4.803:=65536))"

$sScope = "subtree"

$aResults = fnLDAPQuery($sWhat,$sFrom,$sFilter,"Name",$sScope)
@ERROR " : " @SERROR ?

For Each $Result in $aResults
If VarType($Result)>8192
For Each $R in $Result
$R ?
Next
Else
$Result ?
EndIf
Next

? UBound($aResults) ?

Get $



thepip3r
(Hey THIS is FUN)
2005-05-26 05:21 PM
Re: Active Directory Query Question

Ok, I'm using fnADQuery() and have gotten the function to work using this:

Code:
$aWhat = "Name", "ADSPath"
$sFrom = "LDAP://OU=IT,DC=microsoft,DC=com"
$sWhere = "objectClass = 'Computer' AND Name = 'C*'"
$sOrderBy = "Order By Name"

$aResults = fnADQuery($aWhat,$sFrom,$sWhere,$sOrderBy)
@ERROR " | " @SERROR ?

$numResults = ubound($aResults)
? $numResults

For Each $Result in $aResults
If VarType($Result)>8192
For Each $R in $Result
$R ?
Next
Else
$Result ?
Endif
Next

Sleep 5



Now the UDF states that to query for an extra attribute, all you have to do is add it to the $WHAT variable. I tried adding "lastlogontimestamp" but it returned an error. The example value "Name" pulls up the computer name and the other example value "ADSPath" brings up the distinguished name. Is there a listing somewhere I can look at to know what word will give me lastlogontimestamp???


Kdyer
(KiX Supporter)
2005-05-26 05:45 PM
Re: Active Directory Query Question

How about http://msdn.microsoft.com ?

Kent


thepip3r
(Hey THIS is FUN)
2005-05-26 06:04 PM
Re: Active Directory Query Question

But what am I looking for on MSDN? ADODB Names for AD Objects or what?

Chris S.
(MM club member)
2005-05-26 06:38 PM
Re: Active Directory Query Question

Here is a link for the LDAP names for All Attributes.

http://msdn.microsoft.com/library/en-us/adschema/adschema/attributes_all.asp


thepip3r
(Hey THIS is FUN)
2005-05-26 06:45 PM
Re: Active Directory Query Question

Thanx Chris. I appreciate the link.

Chris S.
(MM club member)
2005-05-26 06:52 PM
Re: Active Directory Query Question

Go back to my example and change pwdLastSet to lastLogon and adjust the date variable to 45 days ago.

Chris S.
(MM club member)
2005-05-26 06:53 PM
Re: Active Directory Query Question

Oh, yeah. And use fnLDAPQuery(), it is more powerful.

Chris S.
(MM club member)
2005-05-26 07:01 PM
Re: Active Directory Query Question

But...here is the kicker. Computers don't logon to the network, users do. You have to use the pwdLastSet property. Here is a better example for computer accounts...

Code:

Break On

Call "fnADD.kix"
Call "fnFlipcTime.kix"
Call "fnLDAPQuery.kix"

$Date = "2005/4/11"
$Time = "00:00:00"

$sDate=""+FlipcTime($Date,$Time,-4)
$sDate=Add('11644473600',$sDate)+"0000000"

$sWhat = "Name","ADsPath"

$sFrom = "LDAP://"+GetObject("LDAP://rootDSE").Get("defaultNamingContext")

$sFilter = "(&(objectClass=computer)(pwdLastSet<="+$sDate+"))"

$sScope = "subtree"

$aResults = fnLDAPQuery($sWhat,$sFrom,$sFilter,"Name",$sScope)
@ERROR " : " @SERROR ?

For Each $Result in $aResults
If VarType($Result)>8192
For Each $R in $Result
$R ?
Next
Else
$Result ?
EndIf
Next

? UBound($aResults) ?

Get $



Howard Bullock
(KiX Supporter)
2005-05-26 07:50 PM
Re: Active Directory Query Question

Be very cautious in using lastlogon. This value is unique on each domain controller. It is not replicated. You will have to check every DC then find the highest value to get the true lastlogon value.

See this link near the bottom for confirmation of my statement.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_lastlogon.asp


thepip3r
(Hey THIS is FUN)
2005-05-26 08:29 PM
Re: Active Directory Query Question

Yes but that's why I wanted to use lastlogontimestamp because it is replicated across the DCs so it doesn't matter which one you query...

Chris S.
(MM club member)
2005-05-26 08:31 PM
Re: Active Directory Query Question

Yes, I know this and agree, using pwdLastSet is a much more reliable indication of an orphaned account.

Chris S.
(MM club member)
2005-05-26 08:33 PM
Re: Active Directory Query Question

Again, Computer accounts do not logon so this property is unavailable for computers.

thepip3r
(Hey THIS is FUN)
2005-05-26 08:44 PM
Re: Active Directory Query Question

Are you sure Chris because I wrote an AD query tool using PHP and I can query for cn=%computername% and it returns a lastlogontimestamp....

Query for a computer account:
Code:

[lastlogontimestamp] => Array
(
[count] => 1
[0] => 127608227380157206
)

[35] => lastlogontimestamp


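An added Python example (not from the thread or from any of the posters' UDFs) that ties together the Integer8 arithmetic discussed above: the FlipcTime/Add/"0000000" construction in Chris's two scripts, the 32-bit wraparound behind thepip3r's -129542144, and decoding the lastlogontimestamp value the PHP tool returned. It assumes FlipcTime returns Unix seconds for the given date/time read in the zone of the given UTC offset; nothing on the page states that.

```python
from datetime import datetime, timedelta, timezone

# Seconds from the FILETIME epoch (1601-01-01 UTC) to the Unix epoch (1970-01-01 UTC);
# the KiX scripts add this same constant with Add('11644473600', ...).
EPOCH_DIFF_SECONDS = 11644473600
# Integer8 attributes count 100-nanosecond intervals, hence the appended "0000000".
INTERVALS_PER_SECOND = 10_000_000


def datetime_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as the Integer8 value AD stores in pwdLastSet etc."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    return (int(dt.timestamp()) + EPOCH_DIFF_SECONDS) * INTERVALS_PER_SECOND


def filetime_to_datetime(ft: int) -> datetime:
    """Decode an Integer8 value such as the lastlogontimestamp shown in the PHP output."""
    seconds, rem = divmod(ft, INTERVALS_PER_SECOND)
    dt = datetime.fromtimestamp(seconds - EPOCH_DIFF_SECONDS, tz=timezone.utc)
    return dt + timedelta(microseconds=rem // 10)


def kix_cutoff(date_str: str, time_str: str, utc_offset_hours: int) -> int:
    """Mirror the KiX lines: FlipcTime($Date,$Time,offset), then Add() and "0000000".
    Assumption (not stated on the page): FlipcTime reads the date/time in the zone
    given by the offset and returns Unix seconds."""
    local = datetime.strptime(f"{date_str} {time_str}", "%Y/%m/%d %H:%M:%S")
    aware = local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return datetime_to_filetime(aware)


def stale_computer_filter(now: datetime, max_age_days: int = 45,
                          attribute: str = "pwdLastSet") -> str:
    """Build the thread's computer filter for accounts whose attribute is older than
    max_age_days; pwdLastSet by default, or "lastLogonTimestamp" (replicated) if wanted."""
    cutoff = datetime_to_filetime(now - timedelta(days=max_age_days))
    return f"(&(objectClass=computer)({attribute}<={cutoff}))"


def wrap_int32(value: int) -> int:
    """Reproduce KiXtart's 32-bit overflow: 1000000000 * 60 wraps to -129542144, which is
    why the scripts build the Integer8 value as a string rather than multiplying."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value
```

Decoding 127608227380157206 gives 2005-05-17 16:58:58 UTC, a little over a week before the post, which is consistent with a replicated lastLogonTimestamp that is only refreshed periodically.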

Chris S.
(MM club member)
2005-05-26 09:47 PM
Re: Active Directory Query Question

I was able to return information using lastLogonTimestamp, however it returned 50% of the results that using pwdLastSet did.

thepip3r
(Hey THIS is FUN)
2005-05-26 10:16 PM
Re: Active Directory Query Question

Ok... thanx again Chris.