
RE: How to generate a report of inactive domain user accounts

From: Chapman, Justin T <JtChapma(at)bhi-erc.com>
Date: Fri Apr 11 2003 - 18:36:14 EDT

If you're inclined to perl at all, you may want to check out some of the Win32 perl modules which are available also. Writing your own script to do this sort of thing can save a considerable amount of money over many commercial products. For more information, look at http://www.activestate.com for perl installs for Win32 and http://www.roth.net which has *the* definitive books on Win32 perl programming (it also happens to be on the *very* cool http://safari.oreilly.com site). The Roth site also has some powerful perl modules for administering Windows networks.

I wrote two scripts a while back to do this very thing. You do have to walk through each domain controller and compare the timestamps, but that is pretty trivial to script. The neat thing about the perl tools is that you get a hash of user information passed back when you make the queries, which contains almost every imaginable setting on the user's account. They are then very easy to reference and work with. Perl also includes an easy function to turn the epoch date format into local time format... :) If anyone is interested, feel free to contact me offline.

Also, check out Microsoft's script center page at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter

It contains hundreds of scripting examples.

--justin

God is REAL! Unless explicitly declared INTEGER.

-----Original Message-----

From: Benjamin D. Goldman [mailto:bgoldman@kipany.com]
Sent: Friday, April 11, 2003 2:14 PM
To: Amarante, Rodrigo P.; Brian E; focus-ms@securityfocus.com
Subject: RE: How to generate a report of inactive domain user accounts

as an aside - that int8 format that the time is stored in happens to be the same format in which SQL Server stores a standard datetime field (this is different from the smalldatetime, which is a 4-byte integer)

if you want to dump the logs into SQL Server, you might be able to forgo this 'problem' but alas, I have never tried this.

-----Original Message-----

From: Amarante, Rodrigo P. [mailto:RPAmarante@directvla.com]
Sent: Friday, April 11, 2003 5:00 PM
To: Brian E; focus-ms@securityfocus.com
Subject: RE: How to generate a report of inactive domain user accounts

Brian,

Each time a Domain Controller authenticates a user, it records that time (in a funky format) in the lastLogon attribute of that user's object in Active Directory. The problem is that each domain controller has its own values for that attribute. So, if joe user got authenticated by Domain Controller A on 04/09/2003 at 10:10AM and next day he gets authenticated by Domain Controller B at 09:00AM, the user's real last logon was 04/10/2003 at 09:00AM, but if you only query Domain Controller A it will show up as being 04/09/2003 at 10:10AM. So in order for you to get an accurate last logon, you must query all Domain Controllers for the domain and then compare the values of the lastLogon attribute. The value is stored as an INTEGER8, so in order for you to get the high part and the low part to get it to work...

I wrote a tool using the .NET framework that gives you the "real" lastlogon attribute of a given user or of all users in the domain. The only "complicated" thing is to convert the value to an actual human readable time format...

-----Original Message-----

From: Brian E [mailto:brian_anon@hotmail.com]
Sent: Friday, April 11, 2003 7:56 AM
To: focus-ms@securityfocus.com

Can anyone provide some suggestions or list of tools available to generate a report of inactive domain user accounts within an OU?

We're using Active Directory with Windows 2000 and have OU's defined for different groups of users. I'd like to generate the report by OU.

We also have multiple domain controllers (I've had issues with "last true logon" in the past). I would like a list of users who have not logged in within X days (preferably 90 days, but I'd like to modify this threshold).

Criteria for an inactive account:

-Not logged on for X days (X will be provided at time of generating the report)

-Not disabled

-Password is set to expire

Regards,

Brian

brian_anon@hotmail.com



Block Spam, Smut & Viruses
SurfControl E-mail Filter for SMTP & Exchange leverages multiple layers of
technology including filtering embedded and attached file content. Rid your
enterprise of unwanted content.
http://www.securityfocus.com/SurfControl-focus-ms2 Download your free fully functional trial, complete with 30-days of free technical support.

Received on Fri Apr 11 18:40:51 2003
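
The cross-DC comparison and INTEGER8 conversion discussed in this thread, as an added Python example that is not code from any of the posters. The user records, DC names and dates are constructed; in a real run the per-DC `lastLogon` values would come from an LDAP query against each domain controller, and treating a never-logged-on account as inactive is an assumption of this sketch.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
UF_ACCOUNTDISABLE = 0x0002       # userAccountControl: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl: password never expires

def join_large_integer(high, low):
    """Combine the HighPart/LowPart halves ADSI returns for an INTEGER8."""
    return (high << 32) | (low & 0xFFFFFFFF)  # LowPart may arrive as signed

def filetime_to_datetime(ft):
    """lastLogon counts 100 ns ticks since 1601-01-01 UTC; 0 means never."""
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None

def to_filetime(dt):
    """Inverse conversion, used here only to build the sample data."""
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000

def inactive_accounts(users, now, days):
    """Return (name, last_logon) for enabled accounts whose password is set
    to expire and whose newest logon on any DC is older than `days`."""
    cutoff = now - timedelta(days=days)
    report = []
    for u in users:
        if u["uac"] & (UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD):
            continue
        # lastLogon is not replicated: the true value is the max over all DCs
        newest = max(u["lastLogon"].values(), default=0)
        last = filetime_to_datetime(newest)
        if last is None or last < cutoff:  # assumption: never logged on = inactive
            report.append((u["name"], last))
    return report

def ft(y, m, d, h=0, mi=0):
    return to_filetime(datetime(y, m, d, h, mi, tzinfo=timezone.utc))

# Constructed sample data: one dict of lastLogon values per user, keyed by DC.
NOW = datetime(2003, 4, 11, 18, 0, tzinfo=timezone.utc)
USERS = [
    {"name": "joe", "uac": 0x200, "lastLogon": {"DC-A": ft(2002, 12, 15), "DC-B": ft(2003, 4, 10, 9)}},
    {"name": "ann", "uac": 0x200, "lastLogon": {"DC-A": ft(2002, 11, 1, 8, 30), "DC-B": 0}},
    {"name": "svc_backup", "uac": 0x10200, "lastLogon": {"DC-A": ft(2002, 6, 1), "DC-B": 0}},
    {"name": "bob", "uac": 0x202, "lastLogon": {"DC-A": 0, "DC-B": 0}},
    {"name": "new_hire", "uac": 0x200, "lastLogon": {"DC-A": 0, "DC-B": 0}},
]

if __name__ == "__main__":
    for name, last in inactive_accounts(USERS, NOW, 90):
        print(name, last.isoformat() if last else "never")
```

With the sample data, `joe` would be reported as stale if only DC-A were queried; taking the maximum across both controllers keeps him off the 90-day report.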

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:29 EDT

