Note:
If you have more than one "Domain Controller", such as a PDC with one or
more BDCs, the "Last-Logon date" for a user account does not
necessarily reflect the last time the user logged on. You need to check
the "Last logon date" on each domain controller. The Last Logon Date is
not replicated to the other domain controllers. A user can be logon
authenticated by any domain controller.
You need to poll each domain controller. You can set this up through the
Scheduler to run daily and poll each DC and load the results into a DB.
The DB insert criteria can use the most recent "Last Logon Date".
Also, if a user doesn't log on, yet accesses resources in the Domain, the
Last Logon Date is not updated on any of the domain controllers. This
can happen if a user uses a local machine logon account, yet accesses
domain resources by supplying credentials of a domain account. This can
be done to access Exchange email or LAN shares without performing a
domain logon.
This is also a way of circumventing domain logon scripts. Nasty things.
Also, Win98, WinME and other W9x may not always use a domain logon to
access domain resources. This depends on how they set up their Windows
accounts.
Therefore, using the Last Logon Date alone is not a foolproof way to
determine if an NT/W2K Domain account is being used or not.
Kirk W. Batzer
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
Grant Hopwood
Sent: Wednesday, July 11, 2001 11:55 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: WIN32::NetAdmin - Disabling an account through PERL
-start-
> <[EMAIL PROTECTED]>
> at 07/11/2001 08:02 AM
> I am using the NetAdmin - UserGetAttributes to query user stats from the
> PDC. I need to disable accounts that have not been used in the last 90
> days. Is there a function that I am overlooking in the NetAdmin module
> that can perform this task for me? If not, do you know of another module
> or script that will disable an account? Thank you for your time and
> knowledge,
This is the exact same project I am currently working on.
Two problems exist with NT4 SAM security for this type of project.
1. When a user logs in, the last logon date is only recorded on the
domain controller that person was authenticated by. So it is possible
that, if a user is always authenticated by a BDC, the PDC will have
'never' as the last logon time for that user. Also, different domain
controllers will have different last logon times recorded.
Solution: Use usrstat.exe from the NT4 resource kit. This utility queries
every domain controller on your network and produces a report of all your
users' last logon dates from each domain controller. This is easily parsed.
2. NT4 SAM does not record the date a user account was created in the
database. Therefore, without a baseline, if a user has NEVER logged into
the domain, you can't tell (by querying the last logon date) whether the user
account was created over 90 days ago or only a couple of days
beforehand...
Solution: Create a database/cache of your PDC queries. Each time a new
user is added to the cache, record the first date it was ever placed in
the cache. This can be used as a rudimentary baseline for determining
account aging. (Assuming you run a cache update daily to cache any new
accounts.) I have a module for this that you can use if you like.
Grant Hopwood.
Valero Energy Corp.
(210)370-2380
PGP Public Key: Ldap://certserver.pgp.com
nuclear iraq bioweapon encryption cocaine korea terrorist
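As an added example (not code from either reply, and not Win32::NetAdmin or usrstat.exe), the aggregation and aging logic the two replies describe: take the most recent last-logon across every DC, fall back to a first-seen cache for accounts that no DC has ever authenticated, and apply the 90-day rule. The per-DC poll results, the cache contents and the poll date are constructed; polling the DCs themselves is out of scope.

```python
from datetime import date, timedelta

# Constructed sample: per account, one last-logon value from each DC. None
# stands for the 'never' a DC reports when it never authenticated the user.
TODAY = date(2001, 7, 11)
REPORTS = {
    "alice": {"PDC": None, "BDC1": date(2001, 7, 9), "BDC2": date(2001, 2, 1)},
    "bob":   {"PDC": date(2001, 3, 1), "BDC1": None, "BDC2": date(2001, 1, 15)},
    "carol": {"PDC": None, "BDC1": None, "BDC2": None},  # created 10 days ago
    "dave":  {"PDC": None, "BDC1": None, "BDC2": None},  # never used
}
# First-seen cache left by earlier daily runs (alice and bob are not in it yet).
FIRST_SEEN = {"carol": date(2001, 7, 1), "dave": date(2001, 3, 1)}


def latest_logon(per_dc):
    """Most recent last-logon across all DCs; None if every DC says 'never'."""
    dates = [d for d in per_dc.values() if d is not None]
    return max(dates) if dates else None


def update_first_seen(cache, usernames, today):
    """Record the day each account was first seen; existing entries are kept."""
    for user in usernames:
        cache.setdefault(user, today)
    return cache


def stale_accounts(reports, first_seen, today, max_idle_days=90):
    """Accounts idle for more than max_idle_days, sorted by name.
    An account no DC has ever authenticated is aged from its first-seen date,
    so a freshly created account is not disabled on day one. The result is
    only a lower bound on activity: resource access with domain credentials
    from a local logon never updates last-logon on any DC.
    """
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for user, per_dc in reports.items():
        last = latest_logon(per_dc)
        baseline = last if last is not None else first_seen.get(user, today)
        if baseline < cutoff:
            stale.append(user)
    return sorted(stale)


def run_daily_check():
    """One scheduled run: refresh the cache, then evaluate every account."""
    cache = update_first_seen(dict(FIRST_SEEN), REPORTS, TODAY)
    return stale_accounts(REPORTS, cache, TODAY)  # returns ['bob', 'dave']
```

Accounts the check returns are candidates for disabling; anything flagged only because every DC reports 'never' deserves a look at the first-seen date before acting.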
_______________________________________________
Perl-Win32-Admin mailing list [EMAIL PROTECTED]
http://listserv.ActiveState.com/mailman/listinfo/perl-win32-admin