SoupBoy
(Fresh Scripter)
2002-05-02 06:41 PM
Report Inactive Domain Computer Accounts

I'm looking to create a script that works similar to MSKB Q197478 that will work on an Active Directory domain. What I'd ultimately like to do is generate a report for computer accounts that haven't renegotiated a secure channel password in the last two months.

Help?


Howard Bullock
(KiX Supporter)
2002-05-02 08:31 PM
Re: Report Inactive Domain Computer Accounts

You can find a Perl utility ( MachAcctPWage.exe) on my web site that does this. I have not yet ported it to KiXtart.

Radimus
(KiX Supporter)
2002-05-02 08:58 PM
Re: Report Inactive Domain Computer Accounts

the link on your page isn't working... but I could wait for the kix script... If I had to [Smile]

Howard Bullock
(KiX Supporter)
2002-05-02 09:03 PM
Re: Report Inactive Domain Computer Accounts

My guess is that you are behind a corporate firewall that is prohibiting the DL of an EXE. I have renamed the file and I can now DL it where before I had an error too.

I will rework the site so that IE and other protective measures will no longer interfere.

[ 03 May 2002, 00:34: Message edited by: Howard Bullock ]


Radimus
(KiX Supporter)
2002-05-02 09:06 PM
Re: Report Inactive Domain Computer Accounts

yep... that was it. Thanks

Howard Bullock
(KiX Supporter)
2002-05-02 09:13 PM
Re: Report Inactive Domain Computer Accounts

Let me know what you think. I will always entertain adding suggested functionality.

SoupBoy
(Fresh Scripter)
2002-05-03 04:05 PM
Re: Report Inactive Domain Computer Accounts

It seemed to work great and the data seems accurate?!?! I was having a hell of a time creating the KiX or VBS equivalent. Is the pl source open/available?

Howard Bullock
(KiX Supporter)
2002-05-03 05:42 PM
Re: Report Inactive Domain Computer Accounts

The source is now posted.

SoupBoy
(Fresh Scripter)
2002-05-03 08:40 PM
Re: Report Inactive Domain Computer Accounts

The problem that I think I'm having is that, from my understanding, in an AD domain password counters are stored locally on each domain controller. In a NT domain, that role was always done just by the PDC. The perl script goes to the PDC emulator to obtain the information in my domain but for valid computers in other sites, the information seems old. (?)

Howard Bullock
(KiX Supporter)
2002-05-03 09:07 PM
Re: Report Inactive Domain Computer Accounts

When an account PW is updated on an AD DC (not the PDC emulator), it should be immediately replicated to the PDC emulator. The rest of the DCs are brought up to date during normal replication cycles.

I can build a version of the program that would let you specify a particular computer for which to check the PW age of computer accounts.

How are you determining that the data from the PDC emulator is not correct or not in synch with that of the other DCs? Have you verified that there are not replication issues?


Howard Bullock
(KiX Supporter)
2002-05-03 09:40 PM
Re: Report Inactive Domain Computer Accounts

I have just compared the output of a domain PDC emulator and another DC of a domain with 2,806 computer accounts.

This is the result:

Of 2,806 accounts only 15 accounts showed a difference in PW age. 14 of those accounts showed they were one day older on the PDC. 1 account showed that it was just reset (PDC emulator=0) and the DC showed 30 days.

code:
Comparing: C:\Data\Scripts\MACHACCTPWAGE.PL.log (PDC)
To: C:\Data\Scripts\MACHACCTPWAGE2.PL.log
====
====
253 <! TRIPLE-JUMP 14 PDC
!> TRIPLE-JUMP 13 DC
569 <! URANILM 22
!> URANILM 21
1465 <! LABELVF4A 17
!> LABELVF4A 16
1536 <! WOODYARDJM 77
!> WOODYARDJM 76
1607 <! MAHERAR 27
!> MAHERAR 26
1636 <! RUSHT2 205
!> RUSHT2 204
1667 <! FRONTFISCHER6 197
!> FRONTFISCHER6 196
1726 <! AGEERL 26
!> AGEERL 25
1964 <! VSOXP1 115
!> VSOXP1 114
2045 <! OLIVERTW 7
!> OLIVERTW 6
2368 <! MILLERKL1 23
!> MILLERKL1 22
2498 <! CENTROC1 36
!> CENTROC1 35
2526 <! HABICHMJ1 23
!> HABICHMJ1 22
2561 <! STUMH 7
!> STUMH 6
2716 <! TALLONTJ-W2K 0
!> TALLONTJ-W2K 30



SoupBoy
(Fresh Scripter)
2002-05-03 10:21 PM
Re: Report Inactive Domain Computer Accounts

The PW should be replicated but the pwdLastSet attribute, I think, is not. This acts similar to obtaining a user's LastLogin and LastLogoff via WinNT: provider in ADSI.

I have five sites. Most machines (about 775 total) that are in the site where the PDC emulator is located look (?) accurate. There are five servers at two of the other sites that I installed that return the number of days since I added those servers to the domain originally, four months ago.

I've just run dcdiag, ntfrsutl, and repadmin tests on each of the eleven DCs. All tests were good.


Howard Bullock
(KiX Supporter)
2002-05-03 10:27 PM
Re: Report Inactive Domain Computer Accounts

Let's take this off the board. email me hbullock@tycoelectronics.com

[ 03 May 2002, 22:32: Message edited by: Howard Bullock ]


SoupBoy
(Fresh Scripter)
2002-05-03 10:45 PM
Re: Report Inactive Domain Computer Accounts

On its way.

[ 03 May 2002, 22:46: Message edited by: SoupBoy ]


SoupBoy
(Fresh Scripter)
2002-05-06 03:23 PM
Re: Report Inactive Domain Computer Accounts

My organization has five sites with eleven DCs. I ran some independent tests with Howard and his code is solid. Machine account password age information didn't seem valid for some machines because they aren't changing passwords for many reasons:
RAS Workstations
VPN Workstations
Wireless Workstations
VLAN Changes
Site Changes

Thank you Howard!
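An added example, not code from this thread or from Howard's MachAcctPWage tool: the pwdLastSet arithmetic behind the report SoupBoy asked for (machine accounts whose secure-channel password is more than 60 days old), plus the PDC-versus-DC comparison Howard ran, written in Python over constructed data. In practice the (name, pwdLastSet) pairs would come from an LDAP query against each DC; here they are built inline, and the hostnames only echo the ones quoted above.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-ns ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """UTC datetime for a pwdLastSet value, or None when it is 0 (never set / just reset)."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Inverse conversion; used here only to build the constructed sample below."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def password_age_days(ticks, now):
    """Whole days since the machine last negotiated a new secure-channel password."""
    last_set = filetime_to_datetime(ticks)
    return None if last_set is None else (now - last_set).days

def stale_report(records, now, max_age_days=60):
    """records: iterable of (name, pwdLastSet). Accounts older than max_age_days are 'stale';
    hosts that are simply off the network (RAS/VPN/wireless) land here too, so treat the
    result as a review list, not a delete list."""
    stale, never_set = [], []
    for name, ticks in records:
        age = password_age_days(ticks, now)
        if age is None:
            never_set.append(name)
        elif age > max_age_days:
            stale.append((name, age))
    return {"stale": sorted(stale), "never_set": sorted(never_set)}

def compare_dc_reports(pdc_ages, dc_ages, tolerance_days=1):
    """Flag accounts whose age differs between two DCs by more than normal replication lag
    (a one-day offset is routine). Ages are {name: days-or-None}; None also means missing."""
    diffs = []
    for name in sorted(set(pdc_ages) | set(dc_ages)):
        a, b = pdc_ages.get(name), dc_ages.get(name)
        if (a is None or b is None) and a != b:
            diffs.append((name, a, b))
        elif a is not None and b is not None and abs(a - b) > tolerance_days:
            diffs.append((name, a, b))
    return diffs

# Constructed sample (hostnames echo the thread; the dates are made up).
NOW = datetime(2002, 5, 3, tzinfo=timezone.utc)
SAMPLE = [("RUSHT2", datetime_to_filetime(NOW - timedelta(days=205))),
          ("VSOXP1", datetime_to_filetime(NOW - timedelta(days=115))),
          ("STUMH", datetime_to_filetime(NOW - timedelta(days=7))), ("TALLONTJ-W2K", 0)]
```

Running stale_report(SAMPLE, NOW) lists RUSHT2 and VSOXP1 as stale and TALLONTJ-W2K as never set; the comparison helper reproduces the one-day offsets and the 0-versus-30 outlier from Howard's log when fed the two DCs' ages.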