>   "Kirk W. Batzer" <[EMAIL PROTECTED]>
>at    07/11/2001 09:26 PM

>Wrote:

>If you have more than one "Domain Controller", such as a PDC with one or
>more BDCs, the "Last-Logon date" for a user account does not
>necessarily reflect the last time the user logged on.  You need to check
>the "Last logon date" on each domain controller.  The Last Logon Date is
>not replicated to the other domain controllers.  A user can be Logon
>authenticated by any domain controller.
>You need to poll each domain controller. You can set this up through the
>Scheduler to run daily and poll each DC and load the results into a DB.
>The DB insert criteria can use the most recent "Last Logon Date".

Yes. That is what usrstat.exe does.

>Also if a user doesn't logon, yet accesses resources in the Domain, the
>Last logon Date is not updated on any of the domain controllers.  This
>can happen if a user uses a local machine logon account, yet accesses
>domain resources by supplying credentials of a domain account.  This can
>be done to access exchange email or LAN shares without performing a
>domain logon.

>This is also a way of circumventing domain logon scripts.  Nasty things.

This is the exact reason for the second solution I provided. We have 
strict security guidelines. There is no reason someone on our network 
should be circumventing a network login or accessing resources without 
logging in. Their account is disabled after xx amount of days with no 
exceptions, and deleted after yy amount of days.

>Also, Win98, WinME and other W9x may not always use a domain logon to
>access domain resources.  This depends on how they set up their windows
>accounts.

We don't use win98x.

>Therefore, using the Last Logon Date alone, is not a foolproof way to
>determine if an NT/W2K Domain account is being used or not.

Grant Hopwood.
Valero Energy Corp.
(210)370-2380
PGP Public Key: Ldap://certserver.pgp.com
_______________________________________________
Perl-Win32-Admin mailing list
[EMAIL PROTECTED]
http://listserv.ActiveState.com/mailman/listinfo/perl-win32-admin
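
The polling approach described in the quoted message (query every DC, keep the most recent "Last Logon Date", then apply an inactivity cutoff), sketched in Python as an added example; it is not code from this thread and does not show how usrstat.exe is implemented. The DC names, accounts, timestamps and the 45-day threshold are constructed, and the input format (epoch seconds, 0 for "no logon recorded on this DC") is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: per-DC poll results, {dc_name: {account: last_logon}}.
# Assumption: last_logon is seconds since 1970-01-01 UTC, and 0 means this DC
# has no logon recorded for the account (the value is not replicated).
POLL = {
    "PDC01": {"alice": 994_800_000, "bob": 0, "carol": 0},
    "BDC01": {"alice": 0, "bob": 989_000_000, "carol": 0},
    "BDC02": {"alice": 991_000_000, "bob": 985_000_000},  # carol not returned
}

def merge_last_logon(poll):
    """Return {account: (newest_epoch, dc)} across all polled DCs."""
    merged = {}
    for dc, accounts in poll.items():
        for account, stamp in accounts.items():
            if stamp > merged.get(account, (0, None))[0]:
                merged[account] = (stamp, dc)
            else:
                merged.setdefault(account, (0, None))
    return merged

def stale_accounts(poll, now, max_idle_days, expected_dcs):
    """Accounts whose newest logon on any DC is older than max_idle_days.

    Refuses to decide on an incomplete poll: the DC that was not reached
    may be the one holding the most recent value."""
    missing = set(expected_dcs) - set(poll)
    if missing:
        raise RuntimeError(f"incomplete poll, missing DCs: {sorted(missing)}")
    cutoff = now - timedelta(days=max_idle_days)
    report = {}
    for account, (stamp, dc) in merge_last_logon(poll).items():
        if stamp == 0:
            report[account] = "no logon recorded on any DC"
            continue
        seen = datetime.fromtimestamp(stamp, tz=timezone.utc)
        if seen < cutoff:
            report[account] = f"last seen {seen:%Y-%m-%d} on {dc}"
    return report

if __name__ == "__main__":
    now = datetime(2001, 7, 12, tzinfo=timezone.utc)
    for account, why in sorted(stale_accounts(POLL, now, 45, POLL).items()):
        print(account, "->", why)
```

Polling only PDC01 in this sample would report bob with no logon at all, although BDC01 authenticated him; the result is a candidate list for review, since the thread notes the value is not updated when domain resources are reached without a domain logon.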
