Re: WIN32::NetAdmin - Disabling an account through PERL

[Ahlsen-Girard Edward F Contr 46 TS/OGET]

Title: Re: WIN32::NetAdmin - Disabling an account through PERL

> From: <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: WIN32::NetAdmin - Disabling an account through PERL
> Date: Wed, 11 Jul 2001 09:02:00 -0400
>
> This is a multipart message in MIME format.
> --=_alternative 0047DAC985256A86_=
> Content-Type: text/plain; charset="us-ascii"
>
> I am using the NetAdmin - UserGetAttributes to query user
> stats from the
> PDC.  I need to disable accounts that have not been used in
> the last 90
> days.  Is there a function that I am overlooking in the
> NetAdmin module
> that can perform this task for me?  If not, do you know of
> another module
> or script that will disable an account?  Thank you for your time and
> knowledge,
>
> Jonathan Keevis
> Information Security
> FRAS - Richmond
> (804) 697-3761
>

I'm guessing that you specifically want to DISABLE the account rather than let the password expire.  Here is how I do it:

        #   Imports the Win32API module's User symbols
        use Win32API::Net qw(:User :Get :Group);

        #   Imports a different (i.e., working) GetUsers.
        use Win32::NetAdmin qw(GetUsers UserGetAttributes);
                                (much removed)
                if (($$suspect{passwordAge}/86400) >= 90) {  ### %suspect is a level 3 hash of account attributes
                        unless ($$suspect{flags} & $disable) { ###
                      $$suspect{flags} |= $disable;
                        if ( UserSetInfo( $server, $suspect, 1008, \%$suspect, &Win32API::Net::USER_FLAGS_PARMNUM() ) ) {

                              print CLEANUP "Disabled $suspect of $$suspect{comment} due to password age.\n";
                            }
                      else {
                            print CLEANUP "FAILED to disable $suspect of $$suspect{comment}\'s account due to &Win32::GetLastError(),   &Win32API::Net::USER_FLAGS_PARMNUM()\n";

                      }
                    }
                    }

Which is not a Win32::AdminMisc only solution, but I guess you could mod this to:

        #   Imports a different (i.e., working) GetUsers.
        use Win32::NetAdmin qw(GetUsers UserGetAttributes);

                    if (($$suspect{USER_PASSWORD_AGE/86400} >= 90) { 
                  unless ($$suspect{USER_FLAGS} & UF_ACCOUNTDISABLE()) {
                                $$suspect{USER_FLAGS} = $$suspect{USER_FLAGS} | UF_ACCOUNTDISABLE;
                                Win32::AdminMisc::UserSetMiscAttributes( '', $User, USER_FLAGS, $$suspect{USER_FLAGS} );

                                print CLEANUP "Disabled $suspect of $$suspect{comment} due to contract expiration.\n";
                            }
                  }
                }

or something like it.  Password age comes in seconds, whence divide by 86400.