I'm looking to create a script that works similarly to MSKB Q197478 that will work on an Active Directory domain. What I'd ultimately like to do is generate a report for computer accounts that haven't renegotiated a secure channel password in the last two months. Help?
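As an added example (not part of this thread, and not the Perl utility discussed later in it), the following PowerShell script produces the report asked for here: every enabled computer account whose machine password is older than a given number of days. It assumes the ActiveDirectory module (RSAT) is installed on the machine running it and that the account running it can read the domain. The 60-day default matches "two months"; by default a domain member renegotiates its secure channel password every 30 days, so anything past 60 days has missed at least one cycle.

```powershell
# Added example, not code from this thread: report enabled computer accounts whose
# machine (secure channel) password has not been changed in the last $MaxAgeDays days.
# Assumes the ActiveDirectory module is available.
param(
    [int]$MaxAgeDays = 60,                                   # "last two months"
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # whole domain by default
    [string]$OutputCsv = ".\StaleMachinePasswords.csv"       # hypothetical output path
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# pwdLastSet is a FILETIME in the directory; Get-ADComputer also exposes it
# converted to a DateTime as PasswordLastSet. A null PasswordLastSet means
# pwdLastSet is 0 (never set / reset), which is worth reporting as well.
$stale = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
            -Properties PasswordLastSet, OperatingSystem, LastLogonDate |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, OperatingSystem, PasswordLastSet,
        @{ n = 'PasswordAgeDays'
           e = { if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null } } },
        LastLogonDate, DistinguishedName |
    Sort-Object PasswordAgeDays -Descending

$stale | Export-Csv -Path $OutputCsv -NoTypeInformation
$stale | Format-Table Name, PasswordAgeDays, PasswordLastSet, LastLogonDate -AutoSize
"Found $(@($stale).Count) enabled computer account(s) with a password older than $MaxAgeDays days; written to $OutputCsv"
```

LastLogonDate is included in the output so that accounts which are stale because the machine never connects (laptops on RAS or VPN, decommissioned hosts) can be told apart from machines that do log on but are failing to rotate their password, which is the case that actually needs investigating.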
You can find a Perl utility (MachAcctPWage.exe) on my web site that does this. I have not yet ported it to KiXtart.
The link on your page isn't working... but I could wait for the KiX script... if I had to.
My guess is that you are behind a corporate firewall that is prohibiting the DL of an EXE. I have renamed the file and I can now DL it, where before I had an error too. I will rework the site so that IE and other protective measures will no longer interfere. [ 03 May 2002, 00:34: Message edited by: Howard Bullock ]
Yep... that was it. Thanks.
Let me know what you think. I will always entertain adding suggested functionality.
It seemed to work great and the data seems accurate?!?! I was having a hell of a time creating the KiX or VBS equivalent. Is the Perl source open/available?
The source is now posted.
The problem that I think I'm having is that, from my understanding, in an AD domain password counters are stored locally on each domain controller. In an NT domain, that role was always done just by the PDC. The Perl script goes to the PDC emulator to obtain the information in my domain, but for valid computers in other sites the information seems old. (?)
When an account PW is updated on an AD DC (not the PDC emulator), it should be immediately replicated to the PDC emulator. The rest of the DCs are brought up to date during normal replication cycles. I can build a version of the program that would let you specify a particular computer for which to check the PW age of computer accounts. How are you determining that the data from the PDC emulator is not correct or not in sync with that of the other DCs? Have you verified that there are not replication issues?
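The per-DC check Howard offers to build can be done directly against LDAP. As an added example (not Howard's utility and not its Perl source), this PowerShell script reads the raw pwdLastSet attribute of every computer account from two domain controllers, by default the PDC emulator and a DC you name, and lists the accounts where the two values disagree. It assumes the ActiveDirectory module is available and that both DCs are reachable; the parameter names and the tolerance option are this example's own.

```powershell
# Added example, not code from this thread: compare pwdLastSet for every computer
# account as stored on two DCs (e.g. the PDC emulator vs a DC in another site) to
# check whether the password ages are actually out of sync between them.
# Assumes the ActiveDirectory module is available.
param(
    [string]$ReferenceDC = (Get-ADDomain).PDCEmulator,  # default: the PDC emulator
    [Parameter(Mandatory)][string]$OtherDC,             # hypothetical: a DC in another site
    [int]$ToleranceDays = 0                             # report any difference by default
)

Import-Module ActiveDirectory

function Get-PwdLastSetMap([string]$Server) {
    # Read the raw FILETIME (Int64) rather than the converted DateTime so that the
    # two DCs can be compared exactly. 0 means the password was never set or was reset.
    $map = @{}
    Get-ADComputer -Server $Server -Filter * -Properties pwdLastSet |
        ForEach-Object { $map[$_.DistinguishedName] = [int64]$_.pwdLastSet }
    return $map
}

function Convert-FileTimeToAgeDays([int64]$FileTime) {
    # Age in whole days as of now, or 'never' for a zero value.
    if ($FileTime -eq 0) { return 'never' }
    return [int](([DateTime]::UtcNow - [DateTime]::FromFileTimeUtc($FileTime)).TotalDays)
}

$ref   = Get-PwdLastSetMap $ReferenceDC
$other = Get-PwdLastSetMap $OtherDC
$ticksPerDay = [TimeSpan]::TicksPerDay

$diffs = foreach ($dn in $ref.Keys) {
    if (-not $other.ContainsKey($dn)) {
        # Account exists on the reference DC only: a replication lag or a stale copy.
        [pscustomobject]@{ Computer = $dn; RefDays = $null; OtherDays = $null; Note = "missing on $OtherDC" }
        continue
    }
    $deltaDays = [math]::Abs($ref[$dn] - $other[$dn]) / $ticksPerDay
    if ($deltaDays -gt $ToleranceDays) {
        [pscustomobject]@{
            Computer  = $dn
            RefDays   = Convert-FileTimeToAgeDays $ref[$dn]
            OtherDays = Convert-FileTimeToAgeDays $other[$dn]
            Note      = "pwdLastSet differs by {0:N1} day(s)" -f $deltaDays
        }
    }
}

"Compared $($ref.Count) computer account(s) on $ReferenceDC against $OtherDC; $(@($diffs).Count) difference(s)."
$diffs | Sort-Object Computer | Format-Table -AutoSize
```

A large set of differences that all point in the same direction (one DC consistently older) is what a replication problem looks like and is worth checking with repadmin before trusting either report; a handful of one-day differences for accounts whose password happened to rotate between the two queries is normal.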
I have just compared the output of a domain PDC emulator and another DC of a domain with 2,806 computer accounts. This is the result: of 2,806 accounts only 15 accounts showed a difference in PW age. 14 of those accounts showed they were one day older on the PDC. 1 account showed that it was just reset (PDC emulator=0) and the DC showed 30 days.

code: Comparing: C:\Data\Scripts\MACHACCTPWAGE.PL.log (PDC)
The PW should be replicated, but the pwdLastSet attribute, I think, is not. This acts similar to obtaining a user's LastLogin and LastLogoff via the WinNT: provider in ADSI. I have five sites. Most machines (about 775 total) that are in the site where the PDC emulator is located look (?) accurate. There are five servers at two of the other sites that I installed that return the number of days since I added those servers to the domain originally, four months ago. I've just run dcdiag, ntfrsutl, and repadmin tests on each of the eleven DCs. All tests were good.
Let's take this off the board. Email me: hbullock@tycoelectronics.com [ 03 May 2002, 22:32: Message edited by: Howard Bullock ]
On its way. [ 03 May 2002, 22:46: Message edited by: SoupBoy ]
My organization has five sites with eleven DCs. I ran some independent tests with Howard and his code is solid. Machine account password age information didn't seem valid for some machines because they aren't changing passwords for many reasons: RAS workstations, VPN workstations, wireless workstations, VLAN changes, site changes. Thank you Howard!