> "Kirk W. Batzer" <[EMAIL PROTECTED]>
>at 07/11/2001 09:26 PM
>Mote:
>If you have more than one "Domain Controller", such as a PDC with one or
>more BDCs, the "Last-Logon date" for a user account does not
>necessarily reflect the last time the user logged on. You need to check
>the "Last logon date" on each domain controller. The Last Logon Date is
>not replicated to the other domain controllers. A user can be Logon
>authenticated by any domain controller.
>You need to poll each domain controller. You can set this up through the
>Scheduler to run daily and poll each DC and load the results into a DB.
>The DB insert criteria can use the most recent "Last Logon Date".
Yes. That is what usrstat.exe does.
>Also, if a user doesn't log on, yet accesses resources in the Domain, the
>Last Logon Date is not updated on any of the domain controllers. This
>can happen if a user uses a local machine logon account, yet accesses
>domain resources by supplying credentials of a domain account. This can
>be done to access exchange email or LAN shares without performing a
>domain logon.
>This is also a way of circumventing domain logon scripts. Nasty things.
This is the exact reason for the second solution I provided. We have
strict security guidelines. There is no reason someone on our network
should be circumventing a network login or accessing resources without
logging in. Their account is disabled after xx amount of days with no
exceptions, and deleted after yy amount of days.
>Also, Win98, WinME and other W9x may not always use a domain logon to
>access domain resources. This depends on how they set up their windows
>accounts.
We don't use win98x.
>Therefore, using the Last Logon Date alone is not a foolproof way to
>determine if an NT/W2K Domain account is being used or not.
Grant Hopwood.
Valero Energy Corp.
(210)370-2380
PGP Public Key: Ldap://certserver.pgp.com
nuclear iraq bioweapon encryption cocaine korea terrorist
_______________________________________________
Perl-Win32-Admin mailing list
[EMAIL PROTECTED]
http://listserv.ActiveState.com/mailman/listinfo/perl-win32-admin
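
The poll-every-DC-and-keep-the-newest approach discussed in this thread, as an added example (not code from the thread, and not how usrstat.exe is implemented): it merges per-DC last-logon values that a collector has already gathered and declines to call an account stale when a domain controller could not be polled, since the merged value is then only a lower bound. The DC names, users, timestamps and the 90-day threshold are constructed; the thread gives the threshold only as "xx".

```python
from datetime import datetime, timedelta, timezone

NEVER = 0  # value a DC reports for an account it has never authenticated

def ts_utc(y, m, d):
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

# Constructed sample data: one polling run, {dc: {user: last-logon epoch}}.
ALL_DCS = ["PDC01", "BDC01", "BDC02"]
NOW = datetime(2001, 7, 12, tzinfo=timezone.utc)
SAMPLE_POLLS = {
    "PDC01": {"alice": ts_utc(2001, 1, 5), "bob": NEVER, "carol": ts_utc(2001, 2, 1)},
    "BDC01": {"alice": ts_utc(2001, 7, 10), "bob": NEVER, "carol": ts_utc(2001, 3, 1)},
    "BDC02": {"alice": NEVER, "bob": NEVER, "carol": NEVER},
}

def merge_last_logon(polls, expected_dcs):
    """Return {user: (latest_epoch, dc_that_saw_it, complete)}.

    complete is False when any expected DC is absent from this run, in
    which case latest_epoch is only a lower bound on the true last logon.
    """
    complete = set(expected_dcs) <= set(polls)
    merged = {}
    for user in {u for per_dc in polls.values() for u in per_dc}:
        ts, dc = max((per_dc.get(user, NEVER), name) for name, per_dc in polls.items())
        merged[user] = (ts, dc if ts != NEVER else None, complete)
    return merged

def stale_accounts(merged, now, max_idle_days):
    """Split idle users into (stale, undecided).

    A recent logon on any DC proves activity even from a partial poll; an
    old or missing value proves nothing unless every DC answered.
    """
    cutoff = (now - timedelta(days=max_idle_days)).timestamp()
    stale, undecided = [], []
    for user, (ts, _dc, complete) in sorted(merged.items()):
        if ts >= cutoff:
            continue
        (stale if complete else undecided).append(user)
    return stale, undecided

if __name__ == "__main__":
    full = merge_last_logon(SAMPLE_POLLS, ALL_DCS)
    print("stale, undecided:", stale_accounts(full, NOW, 90))
```

As the quoted message points out, an account used only with supplied credentials from a local logon never updates this value on any DC, so the stale list still needs review before accounts in active use are disabled.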