Clyde,
Can you parse security logs on the DC's for Event ID: 629 Type:
Success Audit
Description: User Account Disabled?
-----Original Message-----
From: Burns, Clyde [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 10:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Determining when a user account was disabled.
Im trying to generate a report of disabled accounts that were disabled X
number of days ago.
Getting a report of which accounts are disabled was fairly straightforward*
but I cannot find anything that will tell me when the account WAS disabled.
I was wondering if anyone could tell me if such information is stored in AD
or how to approximate the date. Right now Im thinking of pulling the last
logon times from the domain controllers to ballpark the amount of time the
accounts could have been disabled but thats a stopgap at best.
Any tips or pointers would be greatly appreciated.
Clyde Burns
* VB6 code to generate report
Set rootDSE = GetObject("LDAP://RootDSE";)
Set Ou = GetObject("LDAP://"; & "CN=Users," & _
rootDSE.Get("defaultNamingContext"))
Ou.Filter = Array("user")
For Each Child In Ou
Debug.Print _
Chr(34) & Child.sAMAccountName & Chr(34) & Chr(44) & _
Chr(34) & Child.DisplayName & Chr(34) & Chr(44) & _
Chr(34) & Child.accountdisabled & Chr(34)
Next
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
