#85582 - 2002-05-02 06:41 PM
Report Inactive Domain Computer Accounts
SoupBoy
Fresh Scripter
Registered: 2002-05-02
Posts: 7
Loc: Wisconsin
I'm looking to create a script that works similar to MSKB Q197478 that will work on an Active Directory domain. What I'd ultimately like to do is generate a report for computer accounts that haven't renegotiated a secure channel password in the last two months.
Help?
#85583 - 2002-05-02 08:31 PM
Re: Report Inactive Domain Computer Accounts
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
You can find a Perl utility (MachAcctPWage.exe) on my web site that does this. I have not yet ported it to KiXtart.
#85584 - 2002-05-02 08:58 PM
Re: Report Inactive Domain Computer Accounts
Radimus
Moderator
Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
The link on your page isn't working... but I could wait for the KiX script... if I had to.
#85585 - 2002-05-02 09:03 PM
Re: Report Inactive Domain Computer Accounts
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
My guess is that you are behind a corporate firewall that is prohibiting the DL of an EXE. I have renamed the file and I can now DL it where before I had an error too.
I will rework the site so that IE and other protective measures will no longer interfere.
#85586 - 2002-05-02 09:06 PM
Re: Report Inactive Domain Computer Accounts
Radimus
Moderator
Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
Yep... that was it. Thanks.
#85587 - 2002-05-02 09:13 PM
Re: Report Inactive Domain Computer Accounts
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Let me know what you think. I will always entertain adding suggested functionality.
#85588 - 2002-05-03 04:05 PM
Re: Report Inactive Domain Computer Accounts
SoupBoy
Fresh Scripter
Registered: 2002-05-02
Posts: 7
Loc: Wisconsin
It seemed to work great and the data seems accurate?!?! I was having a hell of a time creating the KiX or VBS equivalent. Is the .pl source open/available?
#85589 - 2002-05-03 05:42 PM
Re: Report Inactive Domain Computer Accounts
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
The source is now posted.
#85590 - 2002-05-03 08:40 PM
Re: Report Inactive Domain Computer Accounts
SoupBoy
Fresh Scripter
Registered: 2002-05-02
Posts: 7
Loc: Wisconsin
The problem that I think I'm having is that, from my understanding, in an AD domain password counters are stored locally on each domain controller. In an NT domain, that role was always done just by the PDC. The Perl script goes to the PDC emulator to obtain the information in my domain, but for valid computers in other sites the information seems old. (?)
#85591 - 2002-05-03 09:07 PM
Re: Report Inactive Domain Computer Accounts
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
When an account PW is updated on an AD DC (not the PDC emulator), it should be immediately replicated to the PDC emulator. The rest of the DCs are brought up to date during normal replication cycles.
I can build a version of the program that would let you specify a particular computer for which to check the PW age of computer accounts.
How are you determining that the data from the PDC emulator is not correct or not in sync with that of the other DCs? Have you verified that there are no replication issues?
#85592 - 2002-05-03 09:40 PM
Re: Report Inactive Domain Computer Accounts
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
I have just compared the output of a domain PDC emulator and another DC of a domain with 2,806 computer accounts.
This is the result:
Of 2,806 accounts only 15 accounts showed a difference in PW age. 14 of those accounts showed they were one day older on the PDC. 1 account showed that it was just reset (PDC emulator=0) and the DC showed 30 days.
code:
Comparing: C:\Data\Scripts\MACHACCTPWAGE.PL.log (PDC) To: C:\Data\Scripts\MACHACCTPWAGE2.PL.log
==== ====
253 <! TRIPLE-JUMP 14 PDC !> TRIPLE-JUMP 13 DC
569 <! URANILM 22 !> URANILM 21
1465 <! LABELVF4A 17 !> LABELVF4A 16
1536 <! WOODYARDJM 77 !> WOODYARDJM 76
1607 <! MAHERAR 27 !> MAHERAR 26
1636 <! RUSHT2 205 !> RUSHT2 204
1667 <! FRONTFISCHER6 197 !> FRONTFISCHER6 196
1726 <! AGEERL 26 !> AGEERL 25
1964 <! VSOXP1 115 !> VSOXP1 114
2045 <! OLIVERTW 7 !> OLIVERTW 6
2368 <! MILLERKL1 23 !> MILLERKL1 22
2498 <! CENTROC1 36 !> CENTROC1 35
2526 <! HABICHMJ1 23 !> HABICHMJ1 22
2561 <! STUMH 7 !> STUMH 6
2716 <! TALLONTJ-W2K 0 !> TALLONTJ-W2K 30
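The two checks discussed in this thread, the original request (computer accounts whose password is older than 60 days) and the PDC-versus-DC age comparison in the post above, as an added example that is not Howard's utility or any code from this thread. It assumes pwdLastSet values have already been read from each DC as raw FILETIME integers (100-nanosecond intervals since 1601-01-01 UTC; 0 means never set or reset pending); the account names, dates and snapshots are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer arithmetic only: float division would lose microseconds at this magnitude.
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 10**6 + d.microseconds) * 10


def pw_age_days(pwd_last_set: int, now: datetime):
    """Whole days since the password was last set; None when pwdLastSet is 0."""
    if pwd_last_set == 0:
        return None
    return (now - filetime_to_datetime(pwd_last_set)).days


def stale_accounts(snapshot: dict, now: datetime, max_age_days: int = 60) -> list:
    """Account names whose password age exceeds max_age_days, oldest first.
    Accounts with pwdLastSet == 0 are skipped: age is unknown, not old."""
    aged = [(name, pw_age_days(ft, now)) for name, ft in snapshot.items()]
    stale = [(n, a) for n, a in aged if a is not None and a > max_age_days]
    return [n for n, _ in sorted(stale, key=lambda x: -x[1])]


def compare_snapshots(pdc: dict, dc: dict, now: datetime) -> dict:
    """Accounts present on both DCs whose reported age differs: name -> (pdc_age, dc_age)."""
    diffs = {}
    for name in sorted(pdc.keys() & dc.keys()):
        a, b = pw_age_days(pdc[name], now), pw_age_days(dc[name], now)
        if a != b:
            diffs[name] = (a, b)
    return diffs


# Constructed sample data (hypothetical names; mirrors the one-day skew and the reset case above).
NOW = datetime(2002, 5, 3, tzinfo=timezone.utc)


def days_ago(n: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=n))


PDC_SNAPSHOT = {"WS-A": days_ago(14), "WS-B": days_ago(77), "WS-C": days_ago(205), "WS-D": 0}
DC_SNAPSHOT = {"WS-A": days_ago(13), "WS-B": days_ago(76), "WS-C": days_ago(204), "WS-D": days_ago(30)}

if __name__ == "__main__":
    print("stale on PDC:", stale_accounts(PDC_SNAPSHOT, NOW))
    print("PDC vs DC differences:", compare_snapshots(PDC_SNAPSHOT, DC_SNAPSHOT, NOW))
```

A one-day difference between DCs is expected from replication latency; an account reporting 0 on one DC and a large age on another is the case worth examining before treating it as inactive.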
#85593 - 2002-05-03 10:21 PM
Re: Report Inactive Domain Computer Accounts
SoupBoy
Fresh Scripter
Registered: 2002-05-02
Posts: 7
Loc: Wisconsin
The PW should be replicated but the pwdLastSet attribute, I think, is not. This acts similar to obtaining a user's LastLogin and LastLogoff via WinNT: provider in ADSI.
I have five sites. Most machines (about 775 total) that are in the site where the PDC emulator is located look (?) accurate. There are five servers at two of the other sites that I installed that return the number of days since I originally added those servers to the domain, four months ago.
I've just run dcdiag, ntfrsutl, and repadmin tests on each of the eleven DCs. All tests were good.
#85594 - 2002-05-03 10:27 PM
Re: Report Inactive Domain Computer Accounts
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Let's take this off the board. Email me: hbullock@tycoelectronics.com
#85595 - 2002-05-03 10:45 PM
Re: Report Inactive Domain Computer Accounts
SoupBoy
Fresh Scripter
Registered: 2002-05-02
Posts: 7
Loc: Wisconsin
On its way.
#85596 - 2002-05-06 03:23 PM
Re: Report Inactive Domain Computer Accounts
SoupBoy
Fresh Scripter
Registered: 2002-05-02
Posts: 7
Loc: Wisconsin
My organization has five sites with eleven DCs. I ran some independent tests with Howard and his code is solid. Machine account password age information didn't seem valid for some machines because they aren't changing passwords for many reasons:
- RAS workstations
- VPN workstations
- Wireless workstations
- VLAN changes
- Site changes
Thank you Howard!