#85582 - 2002-05-02 06:41 PM Report Inactive Domain Computer Accounts
SoupBoy Offline
Fresh Scripter

Registered: 2002-05-02
Posts: 7
Loc: Wisconsin
I'm looking to create a script that works similar to MSKB Q197478 that will work on an Active Directory domain. What I'd ultimately like to do is generate a report for computer accounts that haven't renegotiated a secure channel password in the last two months.

Help?

#85583 - 2002-05-02 08:31 PM Re: Report Inactive Domain Computer Accounts
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
You can find a Perl utility (MachAcctPWage.exe) on my web site that does this. I have not yet ported it to KiXtart.
_________________________
Home page: http://www.kixhelp.com/hb/

#85584 - 2002-05-02 08:58 PM Re: Report Inactive Domain Computer Accounts
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
the link on your page isn't working... but I could wait for the kix script... If I had to [Smile]
_________________________
How to ask questions the smart way <-----------> Before you ask

#85585 - 2002-05-02 09:03 PM Re: Report Inactive Domain Computer Accounts
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
My guess is that you are behind a corporate firewall that is prohibiting the DL of an EXE. I have renamed the file and I can now DL it where before I had an error too.

I will rework the site so that IE and other protective measures will no longer interfere.

[ 03 May 2002, 00:34: Message edited by: Howard Bullock ]
_________________________
Home page: http://www.kixhelp.com/hb/

#85586 - 2002-05-02 09:06 PM Re: Report Inactive Domain Computer Accounts
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
yep... that was it. Thanks
_________________________
How to ask questions the smart way <-----------> Before you ask

#85587 - 2002-05-02 09:13 PM Re: Report Inactive Domain Computer Accounts
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Let me know what you think. I will always entertain adding suggested functionality.
_________________________
Home page: http://www.kixhelp.com/hb/

#85588 - 2002-05-03 04:05 PM Re: Report Inactive Domain Computer Accounts
SoupBoy Offline
Fresh Scripter

Registered: 2002-05-02
Posts: 7
Loc: Wisconsin
It seemed to work great and the data seems accurate?!?! I was having a hell-o-a time creating the Kix or VBS equivalent. Is the pl source open/available?
#85589 - 2002-05-03 05:42 PM Re: Report Inactive Domain Computer Accounts
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
The source is now posted.
_________________________
Home page: http://www.kixhelp.com/hb/

#85590 - 2002-05-03 08:40 PM Re: Report Inactive Domain Computer Accounts
SoupBoy Offline
Fresh Scripter

Registered: 2002-05-02
Posts: 7
Loc: Wisconsin
The problem that I think I'm having is that, from my understanding, in an AD domain password counters are stored locally on each domain controller. In an NT domain, that role was always done just by the PDC. The Perl script goes to the PDC emulator to obtain the information in my domain but for valid computers in other sites, the information seems old. (?)
#85591 - 2002-05-03 09:07 PM Re: Report Inactive Domain Computer Accounts
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
When an account PW is updated on an AD DC (not the PDC emulator), it should be immediately replicated to the PDC emulator. The rest of the DCs are brought up to date during normal replication cycles.

I can build a version of the program that would let you specify a particular computer for which to check the PW age of computer accounts.

How are you determining that the data from the PDC emulator is not correct or not in synch with that of the other DCs? Have you verified that there are not replication issues?
_________________________
Home page: http://www.kixhelp.com/hb/

#85592 - 2002-05-03 09:40 PM Re: Report Inactive Domain Computer Accounts
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
I have just compared the output of a domain PDC emulator and another DC of a domain with 2,806 computer accounts.

This is the result:

Of 2,806 accounts only 15 accounts showed a difference in PW age. 14 of those accounts showed they were one day older on the PDC. 1 account showed that it was just reset (PDC emulator=0) and the DC showed 30 days.

code:
Comparing: C:\Data\Scripts\MACHACCTPWAGE.PL.log (PDC)
To: C:\Data\Scripts\MACHACCTPWAGE2.PL.log
====
====
253 <! TRIPLE-JUMP 14 PDC
!> TRIPLE-JUMP 13 DC
569 <! URANILM 22
!> URANILM 21
1465 <! LABELVF4A 17
!> LABELVF4A 16
1536 <! WOODYARDJM 77
!> WOODYARDJM 76
1607 <! MAHERAR 27
!> MAHERAR 26
1636 <! RUSHT2 205
!> RUSHT2 204
1667 <! FRONTFISCHER6 197
!> FRONTFISCHER6 196
1726 <! AGEERL 26
!> AGEERL 25
1964 <! VSOXP1 115
!> VSOXP1 114
2045 <! OLIVERTW 7
!> OLIVERTW 6
2368 <! MILLERKL1 23
!> MILLERKL1 22
2498 <! CENTROC1 36
!> CENTROC1 35
2526 <! HABICHMJ1 23
!> HABICHMJ1 22
2561 <! STUMH 7
!> STUMH 6
2716 <! TALLONTJ-W2K 0
!> TALLONTJ-W2K 30

_________________________
Home page: http://www.kixhelp.com/hb/

#85593 - 2002-05-03 10:21 PM Re: Report Inactive Domain Computer Accounts
SoupBoy Offline
Fresh Scripter

Registered: 2002-05-02
Posts: 7
Loc: Wisconsin
The PW should be replicated but the pwdLastSet attribute, I think, is not. This acts similar to obtaining a user's LastLogin and LastLogoff via WinNT: provider in ADSI.

I have five sites. Most machines (about 775 total) that are in the site where the PDC emulator is located look (?) accurate. There are five servers at two of the other sites that I installed that return the number of days since I added those servers to the domain originally, four months ago.

I've just run dcdiag, ntfrsutl, and repadmin tests on each of the eleven DCs. All tests were good.

#85594 - 2002-05-03 10:27 PM Re: Report Inactive Domain Computer Accounts
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Let's take this off the board. email me hbullock@tycoelectronics.com

[ 03 May 2002, 22:32: Message edited by: Howard Bullock ]
_________________________
Home page: http://www.kixhelp.com/hb/

#85595 - 2002-05-03 10:45 PM Re: Report Inactive Domain Computer Accounts
SoupBoy Offline
Fresh Scripter

Registered: 2002-05-02
Posts: 7
Loc: Wisconsin
On its way.

[ 03 May 2002, 22:46: Message edited by: SoupBoy ]

#85596 - 2002-05-06 03:23 PM Re: Report Inactive Domain Computer Accounts
SoupBoy Offline
Fresh Scripter

Registered: 2002-05-02
Posts: 7
Loc: Wisconsin
My organization has five sites with eleven DCs. I ran some independent tests with Howard and his code is solid. Machine account password age information didn't seem valid for some machines because they aren't changing passwords for many reasons:
RAS Workstations
VPN Workstations
Wireless Workstations
VLAN Changes
Site Changes

Thank you Howard!
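
Added example, not part of the thread and not Howard's Perl utility: a Python sketch of the cross-DC comparison discussed above, which converts raw pwdLastSet values to ages in days, flags accounts older than the two-month threshold from the first post, and separates one-day differences between DCs from real disagreements. The function names, the "DC2" name and the FILETIME values are constructed; only the three computer names and their ages mirror rows of the comparison log, and collecting the per-DC values from the directory is assumed to happen elsewhere.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def password_age_report(per_dc, now, stale_days=60, drift_days=1):
    """per_dc maps DC name -> {computer name: pwdLastSet FILETIME}.
    Returns (stale, disagree): accounts whose freshest age on any DC exceeds
    stale_days, and accounts whose age differs between DCs by more than
    drift_days (a one-day gap can come from truncating to whole days)."""
    ages = {}
    for dc, accounts in per_dc.items():
        for name, ft in accounts.items():
            if ft == 0:  # 0 means no password-set time is recorded; skip it
                continue
            ages.setdefault(name, {})[dc] = (now - filetime_to_datetime(ft)).days
    stale, disagree = {}, {}
    for name, by_dc in sorted(ages.items()):
        freshest = min(by_dc.values())  # design choice: trust the newest value
        if freshest > stale_days:
            stale[name] = freshest
        if max(by_dc.values()) - freshest > drift_days:
            disagree[name] = by_dc
    return stale, disagree

# Constructed sample: FILETIMEs built backwards from the ages in the log above.
NOW = datetime(2002, 5, 3, 12, 0, tzinfo=timezone.utc)

def _ft(days):
    return to_filetime(NOW - timedelta(days=days, hours=1))

SAMPLE = {
    "PDC": {"TRIPLE-JUMP": _ft(14), "RUSHT2": _ft(205), "TALLONTJ-W2K": _ft(0)},
    "DC2": {"TRIPLE-JUMP": _ft(13), "RUSHT2": _ft(204), "TALLONTJ-W2K": _ft(30)},
}

if __name__ == "__main__":
    stale, disagree = password_age_report(SAMPLE, NOW)
    print("stale (> 60 days):", stale)
    print("DCs disagree by more than a day:", disagree)
```

Accounts listed as stale are candidates for review, not proof of inactivity: as the last post notes, some machines simply are not changing their passwords.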
