> <[EMAIL PROTECTED]>
> at 07/11/2001 08:02 AM
> I am using the NetAdmin - UserGetAttributes to query user stats from the
> PDC. I need to disable accounts that have not been used in the last 90
> days. Is there a function that I am overlooking in the NetAdmin module
> that can perform this task for me? If not, do you know of another module
> or script that will disable an account? Thank you for your time and
> knowledge,

This is the exact same project I am currently working on.

Two problems exist with NT4 SAM security for this type of project.

1. When a user logs in, the last logon date is only recorded on the
domain controller that person was authenticated by. So it is possible
that, if a user is always authenticated by a BDC, the PDC will have
'never' as the last logon time for that user. Also, different domain
controllers will have different last logon times recorded.

Solution: Use usrstat.exe from the NT4 resource kit. This utility queries
every domain controller on your network and produces a report for all your
users' last logon dates from each domain controller. This is easily parsed.

2. NT4 SAM does not record the date a user account was created in the
database. Therefore, without a baseline, if a user has NEVER logged into
the domain, you can't tell (by querying last logon date) if the user
account was created over 90 days ago, or only a couple of days
beforehand...

Solution: Create a database/cache of your PDC queries. Each time a new
user is added to the cache, record the first date it was ever placed in
the cache. This can be used as a rudimentary baseline for determining
account aging. (Assuming you run a cache update daily to cache any new
accounts.) I have a module for this that you can use if you like.

Grant Hopwood.
Valero Energy Corp.
(210)370-2380
PGP Public Key: Ldap://certserver.pgp.com
nuclear iraq bioweapon encryption cocaine korea terrorist
_______________________________________________
Perl-Win32-Admin mailing list
[EMAIL PROTECTED]
http://listserv.ActiveState.com/mailman/listinfo/perl-win32-admin
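
The two workarounds in the reply above, combined in one sketch (an added example, not code from the original post or the module it offers): take the latest logon across all domain controllers, and age never-logged-on accounts from the date they first appeared in a cache. The account names, DC names and timestamps are constructed, and the per-DC hash stands in for parsed usrstat.exe output; the script only lists candidates and does not disable anything.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use constant DAY => 24 * 60 * 60;

# Latest logon recorded on any domain controller (0 = 'never' on every DC).
sub latest_logon {
    my ($per_dc) = @_;                  # { dc_name => epoch seconds }
    my $latest = 0;
    for my $t (values %$per_dc) {
        $latest = $t if $t > $latest;
    }
    return $latest;
}

# Stamp accounts seen for the first time; existing entries are never overwritten.
sub update_first_seen {
    my ($cache, $accounts, $now) = @_;
    for my $user (@$accounts) {
        $cache->{$user} = $now unless exists $cache->{$user};
    }
}

# Accounts idle for more than $max_days. An account that has never logged on
# is aged from its first-seen date, since the SAM holds no creation date.
sub stale_accounts {
    my ($logons, $cache, $now, $max_days) = @_;
    my @stale;
    for my $user (sort keys %$logons) {
        my $reference = latest_logon($logons->{$user}) || $cache->{$user};
        next unless defined $reference;  # no baseline yet: leave it alone
        push @stale, $user if $now - $reference > $max_days * DAY;
    }
    return @stale;
}

# Constructed sample data: a fixed "now" and two domain controllers.
my $now    = 1_000_000_000;
my %logons = (
    alice => { PDC1 => 0,                BDC1 => $now - 5 * DAY },   # BDC only
    bob   => { PDC1 => $now - 200 * DAY, BDC1 => $now - 120 * DAY },
    carol => { PDC1 => 0,                BDC1 => 0 },   # new, never logged on
    dave  => { PDC1 => 0,                BDC1 => 0 },   # old, never logged on
);
my %first_seen = (alice => $now - 300 * DAY, bob => $now - 300 * DAY,
                  dave  => $now - 100 * DAY);

update_first_seen(\%first_seen, [keys %logons], $now);   # carol is stamped today
print "Candidates to disable: ",
      join(", ", stale_accounts(\%logons, \%first_seen, $now, 90)), "\n";
```

Checking only the PDC would wrongly flag alice, and without the first-seen cache carol and dave would be indistinguishable.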