If your requirements are all set then go for it. 

My experience with "usrstat.exe" on a large domain infrastructure is
that it took over 3 days to run and get the output.  However, on smaller
infrastructures it may work just fine.  Perl would be ideal for parsing
"usrstat.exe" output.

We used our own scripts to list all domain accounts and then
individually poll each account on all domain controllers.  We ran these
scripts at night as scheduled batch jobs.  These ran faster than
running "usrstat.exe".  By the way, "usrstat.exe" also polls all the DCs
in a domain.  That's how it gets its information.


Another possible solution is to enforce password aging.  The "Password
Last Change Date" IS replicated to all domain controllers.  You may want
to use that date along with or in place of the "Last Logon date". 

What about "Service Accounts"?  These accounts are used to run services
and may not be specifically used by users.  Domain accounts can be set up
to run services.

Anyway, good luck.

Kirk W. Batzer
[EMAIL PROTECTED]


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
Grant Hopwood
Sent: Thursday, July 12, 2001 9:18 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: WIN32::NetAdmin - Disabling an account through PERL


-start-
>   "Kirk W. Batzer" <[EMAIL PROTECTED]>
>at    07/11/2001 09:26 PM

>Note:

>If you have more than one "Domain Controller", such as a PDC with one 
>or more BDCs, the "Last-Logon date" for a user account does not 
>necessarily reflect the last time the user logged on.  You need to 
>check the "Last logon date" on each domain controller.  The Last Logon 
>Date is not replicated to the other domain controllers.  A user can be 
>logon-authenticated by any domain controller.  You need to poll each 
>domain controller.  You can set this up through the Scheduler to run 
>daily and poll each DC and load the results into a DB.  The DB insert 
>criteria can use the most recent "Last Logon Date".

Yes. That is what usrstat.exe does.

>Also, if a user doesn't logon, yet accesses resources in the Domain, the 
>Last logon Date is not updated on any of the domain controllers.  This 
>can happen if a user uses a local machine logon account, yet accesses 
>domain resources by supplying credentials of a domain account.  This 
>can be done to access Exchange email or LAN shares without performing a 
>domain logon.

>This is also a way of circumventing domain logon scripts.  Nasty 
>things.

This is the exact reason for the second solution I provided. We have 
strict security guidelines. There is no reason someone on our network 
should be circumventing a network login or accessing resources without 
logging in. Their account is disabled after xx amount of days with no 
exceptions, and deleted after yy amount of days.

>Also, Win98, WinME and other W9x may not always use a domain logon to 
>access domain resources.  This depends on how they set up their Windows 
>accounts.

We don't use win98x.

>Therefore, using the Last Logon Date alone is not a foolproof way to 
>determine if an NT/W2K Domain account is being used or not.

Grant Hopwood.
Valero Energy Corp.
(210)370-2380
PGP Public Key: Ldap://certserver.pgp.com
nuclear iraq bioweapon encryption cocaine korea terrorist
_______________________________________________
Perl-Win32-Admin mailing list [EMAIL PROTECTED]
http://listserv.ActiveState.com/mailman/listinfo/perl-win32-admin
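The polling scheme both posters describe (collect each domain controller's Last Logon value for every account, keep only the most recent one, and use the replicated password-last-set date as a second activity signal) is worked through below. This is an added example, not code from the thread or from Perl-Win32-Admin; it is written in Python rather than the thread's Perl, and the per-DC input format, the DC names, the account names and the timestamps are all constructed for the example and are not the real usrstat.exe output format.

```python
"""Stale-account report that merges per-DC Last Logon data.

Added example, not code from the thread. On an NT-style domain the Last Logon
timestamp is kept per domain controller and is not replicated, so an account's
real last logon is the newest value across every DC; the password-last-set
date IS replicated and can serve as a second activity signal. The input format
below is constructed for this example and is not the real usrstat.exe format.
"""
from datetime import datetime, timedelta

# Constructed sample, one block per DC: "<account> <last_logon> <pwd_last_set>"
# per line, ISO timestamps, "NEVER" when that DC has no logon recorded.
SAMPLE_DC_OUTPUT = {
    "PDC1": (
        "jsmith 2001-07-10T08:12:33 2001-06-01T09:00:00\n"
        "mbrown NEVER 2001-03-15T10:30:00\n"
        "svc_backup 2001-01-03T02:00:00 2000-12-01T00:00:00\n"
        "tlee NEVER 2001-01-02T08:00:00\n"
    ),
    "BDC1": (
        "jsmith 2001-07-11T17:45:10 2001-06-01T09:00:00\n"
        "mbrown 2001-03-20T09:00:00 2001-03-15T10:30:00\n"
        "svc_backup NEVER 2000-12-01T00:00:00\n"
        "tlee NEVER 2001-01-02T08:00:00\n"
    ),
    "BDC2": (
        "jsmith 2001-05-02T07:00:00 2001-06-01T09:00:00\n"
        "mbrown NEVER 2001-03-15T10:30:00\n"
        "svc_backup NEVER 2000-12-01T00:00:00\n"
        "tlee 2001-07-09T12:00:00 2001-01-02T08:00:00\n"
    ),
}
AS_OF = datetime(2001, 7, 12)  # report date, matching the thread's timeframe


def _parse_ts(field):
    return None if field == "NEVER" else datetime.fromisoformat(field)


def parse_dc_output(text):
    """One DC's dump -> {account: (last_logon or None, pwd_last_set)}."""
    records = {}
    for line in text.splitlines():
        if line.strip():
            account, logon, pwd = line.split()
            records[account] = (_parse_ts(logon), _parse_ts(pwd))
    return records


def merge_last_logon(per_dc):
    """Newest Last Logon across all DCs; None if no DC ever saw the account log on."""
    merged = {}
    for records in per_dc.values():
        for account, (logon, _pwd) in records.items():
            best = merged.get(account)
            if account not in merged or (logon is not None and (best is None or logon > best)):
                merged[account] = logon
    return merged


def last_activity(per_dc):
    """max(newest logon, pwd_last_set) per account; pwd_last_set is replicated,
    so it covers accounts that have a password but no logon recorded anywhere."""
    logons = merge_last_logon(per_dc)
    pwd_set = {a: pwd for r in per_dc.values() for a, (_l, pwd) in r.items()}
    activity = {}
    for account, logon in logons.items():
        seen = [t for t in (logon, pwd_set.get(account)) if t is not None]
        activity[account] = max(seen) if seen else None
    return activity


def stale_accounts(per_dc, as_of=AS_OF, max_age_days=30, service_accounts=()):
    """Accounts with no activity in max_age_days. Service accounts are skipped:
    they run services and may never log on interactively, so logon age says
    nothing about whether they are in use."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(
        a for a, ts in last_activity(per_dc).items()
        if a not in service_accounts and (ts is None or ts < cutoff)
    )


PARSED = {dc: parse_dc_output(text) for dc, text in SAMPLE_DC_OUTPUT.items()}

if __name__ == "__main__":
    # Polling only the PDC wrongly flags tlee, whose only logons went via BDC2.
    print("PDC1 only :", stale_accounts({"PDC1": PARSED["PDC1"]}))
    print("all DCs   :", stale_accounts(PARSED))
    print("excl. svc :", stale_accounts(PARSED, service_accounts={"svc_backup"}))
```

Run stand-alone, the first line of output shows the failure mode from the thread: with the PDC's data alone, tlee looks unused even though BDC2 authenticated that account three days before the report date. The service-account exclusion list is the operator's own input; nothing in the logon data distinguishes a service account from a dormant user, which is why Kirk raises it as a separate question.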
