That's what I am using right now... :-)
but that doesn't take care of the scenario I described.

Let me give an example,

UserA created on Day1 with "Change Password on next logon"
UserA logs in on Day3 and changes password.
UserA forgets the password on Day7 and asks help desk to reset password
Help desk resets the password and sets "Change Password on next logon"

Now, around this time, before the user logs in again, if the scheduled script runs,
it will pick up this user as never logged on and disable it, as it fulfils
both criteria of the filter.

Now this could be a very small number of users, but when you have 500 accounts
created daily, even if 25 are affected and the help desk can't help them, as
the help desk doesn't have rights to enable/disable, users have to go through quite
a few hoops to get it enabled again. So the idea was just to save those guys
unnecessary hassle, if it can be handled at script level.

--
Kamlesh

On 12/18/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

If whenCreated > 7 days and pwdLastSet = 0 then they haven't logged in
yet…

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Monday, December 18, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automatic user disable based on criteria

Hi All,

DFL & FFL : Win2k-Native

DCs : Win2k3-SP1

User accounts are automatically provisioned as enabled with "Change
Password at Next logon". And management wants to disable new accounts which
have not logged into the domain within 7 days of creation. And they want it
to happen automatically.

I have a problem at hand as I can't use LastLogonTimeStamp as the DFL is not
supportive. I can't connect to each DC and search for lastLogon as the number of
DCs is too large, and can't go by "whenChanged", as that is a generic attribute
which could get changed for any other attribute also.

Is there any other attribute that would help me?

Currently the LDAP filter checks for accounts created on a specific day (say
current day - 7) and whose "Change Password at next logon" is still ticked,
i.e. pwdlastset=0

But this doesn't take care of the scenario where users are created on that
same day (current - 7) and logged into the network, changed their password,
but around the time of running the script had forgotten the password and the helpdesk
had reset their password and set "Change Password at next logon"

I hope I am not confusing you all. :-)

I know the simple solution would be to change the criteria to say 15 days, raise
the DFL and use LLTS, but I am taking this as a scripting challenge at
Win2k-native DFL.

Hey Joe, is there a way to see replication metadata using adfind? ;-)

If yes, I could take a peek at the originating date/time for attributes.

--

Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You teach best what you most need to learn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

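An added worked example (not code from this thread) of the decision logic discussed above, in Python: it builds the whenCreated/pwdLastSet candidate filter and then uses the originating write time of pwdLastSet from the attribute's replication metadata, as Kamlesh suggests, to tell an account that was never used apart from one the help desk reset. The account records and timestamps are constructed sample data; the one-hour provisioning slack and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
DISABLE_AFTER = timedelta(days=7)
# Assumption: the provisioning write of pwdLastSet=0 lands within an hour of
# whenCreated; a later originating write means somebody reset the password.
PROVISION_SLACK = timedelta(hours=1)

@dataclass
class Account:
    sam: str
    when_created: datetime             # whenCreated (UTC)
    pwd_last_set: int                  # pwdLastSet; 0 = change at next logon
    # Originating time of the last pwdLastSet write, taken from the attribute's
    # replication metadata; None when the script did not fetch it.
    pwd_last_set_origin: Optional[datetime]

def ldap_filter(now: datetime) -> str:
    """Candidate set: still pwdLastSet=0 and created at least 7 days ago."""
    cutoff = (now - DISABLE_AFTER).strftime("%Y%m%d%H%M%S.0Z")  # generalized time
    return ("(&(objectCategory=person)(objectClass=user)"
            "(pwdLastSet=0)(whenCreated<=%s))" % cutoff)

def classify(acct: Account, now: datetime) -> str:
    """Decide what the scheduled script should do with one candidate."""
    if now - acct.when_created < DISABLE_AFTER:
        return "too-new"
    if acct.pwd_last_set != 0:
        return "active"          # password changed and not reset since
    if acct.pwd_last_set_origin is None:
        return "review"          # no metadata: fail safe, do not disable blindly
    if acct.pwd_last_set_origin - acct.when_created > PROVISION_SLACK:
        return "helpdesk-reset"  # pwdLastSet=0 was rewritten after provisioning
    return "disable"             # pwdLastSet=0 untouched since creation

# Constructed sample data mirroring the Day1/Day3/Day7 story in the thread.
NOW = datetime(2006, 12, 18, 12, 0, tzinfo=UTC)
DAY1 = datetime(2006, 12, 1, 9, 0, tzinfo=UTC)
SAMPLE = [
    Account("userA", DAY1, 0, DAY1 + timedelta(minutes=2)),  # never logged on
    Account("userB", DAY1, 0, DAY1 + timedelta(days=6)),     # reset on Day7
    Account("userC", DAY1, 128000000000000000, DAY1 + timedelta(days=2)),
    Account("userD", NOW - timedelta(days=2), 0, None),     # too new
    Account("userE", DAY1, 0, None),                        # metadata not fetched
]
```

Only the "disable" verdict should feed the disable step; "review" and "helpdesk-reset" are the cases the plain filter would have wrongly disabled.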