RE: [ActiveDir] OldCmp question
Big fat ditto - and even better in the support tools.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of joe
>Sent: Tuesday, May 23, 2006 5:31 AM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] OldCmp question
>
>I wouldn't be adverse to seeing at least adfind and admod in
>the support or resource kit tools. :)
>
>--
>O'Reilly Active Directory Third Edition -
>http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] OldCmp question
I wouldn't be adverse to seeing at least adfind and admod in the support or resource kit tools. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Sunday, May 21, 2006 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I agree that ds-tools lack some possibilities, and I'd prefer MS putting your tools into their product, however in most scenarios I've been working in they are not allowed to put additional software in their domain unless it's proved, and the use of your tools is not important enough to justify this hassle. So I'm mainly limited to ds-tools or vbs.

Something like this should work:

Dsquery user -stalepwd 90 | dsget user -dn -disabled | find "No"

Gruesse - Sincerely,

Ulf B. Simon-Weidner
RE: [ActiveDir] OldCmp question
I agree that ds-tools lack some possibilities, and I'd prefer MS putting your tools into their product, however in most scenarios I've been working in they are not allowed to put additional software in their domain unless it's proved, and the use of your tools is not important enough to justify this hassle. So I'm mainly limited to ds-tools or vbs.

Something like this should work:

Dsquery user -stalepwd 90 | dsget user -dn -disabled | find "No"

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of joe
>Sent: Saturday, May 20, 2006 6:24 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] OldCmp question
>
>Hmm good point... Well except we were talking about oldcmp
>instead of adfind... Fun though that the switches are so close...
>
>So what are the switches and the filter to use with dsquery to
>get an html listing of all enabled users whose password age is
>90 days or older?
>
>:)
>
>--
>O'Reilly Active Directory Third Edition -
>http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] OldCmp question
I think joe is talking about: http://blog.joeware.net/2006/02/18/243/

;-)

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 2006-05-19 21:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

Hmm that may work. I will have to send it into the design committee and see what they think. ;o) TGIF.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Friday, May 19, 2006 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

hmmm How about -onlyenabled? :)

Ya know...just because...

> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OldCmp question
> Date: Fri, 19 May 2006 11:41:21 -0400
>
> Disabled accounts are marked by having bit 1 list on userAccountControl
> (value 2)
>
> To exclude them you want -af "useraccountcontrol:AND:=2" and -bit
>
> I just realized I have an -onlydisabled switch, I should add a
> -onlynotdisabled I guess...
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> Sent: Friday, May 19, 2006 11:25 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OldCmp question
>
> Anyone know a way to easily filter out disabled accounts from the oldcmp
> -users report? Would one have to use some sort of bitwise filter from a
> translation of a useraccountcontrol 66048 value or something?
>
> ~~
> This e-mail is confidential, may contain proprietary information of Cameron
> and its operating Divisions and may be confidential or privileged.
>
> This e-mail should be read, copied, disseminated and/or used only by the
> addressee. If you have received this message in error please delete it,
> together with any attachments, from your system.
> ~~
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] OldCmp question
Hmm good point... Well except we were talking about oldcmp instead of adfind... Fun though that the switches are so close...

So what are the switches and the filter to use with dsquery to get an html listing of all enabled users whose password age is 90 days or older?

:)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Saturday, May 20, 2006 2:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I didn't catch it because I didn't bother enough to read the adfind syntax. If you'd provided a standard LDAP-Filter with DSQuery ...

;-)

Gruesse - Sincerely,

Ulf B. Simon-Weidner
RE: [ActiveDir] OldCmp question
I didn't catch it because I didn't bother enough to read the adfind syntax. If you'd provided a standard LDAP-Filter with DSQuery ...

;-)

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of joe
>Sent: Friday, May 19, 2006 9:41 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] OldCmp question
>
>I just realized I told you how to INCLUDE disabled accounts -
>you want NOT DISABLED accounts. So you want to NOT what I
>indicated, however you have to add to it to avoid a false positive.
>
>-af "(&(useraccountcontrol=*)(!(useraccountcontrol:AND:=2)))"
>
>One thing to note with NOT filters... Well two actually...
>
>1. NOT filters are inefficient. But then so are bitwise
>   filters. ;o)
>2. NOT filters can have false positives. An account could have
>   the value set that you are trying to avoid but if the account
>   trying to access the info doesn't have the access to see that
>   value, it will still be returned. This is why the extra
>   useraccountcontrol=* in the filter.
>
>The list is sleeping, they should have been all over me on
>that dork up.
>
>Too late now Al, Dean and Deji Princess, don't worry I
>will explain it to you next time I see you. ;o)
>
>  joe
RE: [ActiveDir] OldCmp question
Hmm...then you could add -notonlynotdisabled to return disabled users just to keep with the flow...

Subject: RE: [ActiveDir] OldCmp question
Date: Fri, 19 May 2006 17:08:03 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

+1 for –onlynotdisabled

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] OldCmp question
+1 for –onlynotdisabled

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

Hmm that may work. I will have to send it into the design committee and see what they think. ;o) TGIF.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] OldCmp question
OK cool. If you add the -onlyenabled switch, that would be REALLY cool! :)

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/19/2006 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I just realized I told you how to INCLUDE disabled accounts - you want NOT DISABLED accounts. So you want to NOT what I indicated, however you have to add to it to avoid a false positive.

-af "(&(useraccountcontrol=*)(!(useraccountcontrol:AND:=2)))"

One thing to note with NOT filters... Well two actually...

1. NOT filters are inefficient. But then so are bitwise filters. ;o)
2. NOT filters can have false positives. An account could have the value set that you are trying to avoid but if the account trying to access the info doesn't have the access to see that value, it will still be returned. This is why the extra useraccountcontrol=* in the filter.

The list is sleeping, they should have been all over me on that dork up.

Too late now Al, Dean and Deji Princess, don't worry I will explain it to you next time I see you. ;o)

  joe
RE: [ActiveDir] OldCmp question
I just realized I told you how to INCLUDE disabled accounts - you want NOT DISABLED accounts. So you want to NOT what I indicated, however you have to add to it to avoid a false positive. -af "(&(useraccountcontrol=*)(!(useraccountcontrol:AND:=2)))" One thing to note with NOT filters... Well two actually... 1. NOT filters are inefficient. But then so are bitwise filters. ;o) 2. NOT filters can have false positives. An account could have the value set that you are trying to avoid but if the account trying to access the info doesn't have the access to see that value, it will be still be returned. This is why the extra useraccountcontrol=* in the filter. The list is sleeping, they should have been all over me on that dork up. Too late now Al, Dean and Deji Princess, don't worry I will explain it to you next time I see you. ;o) joe -- I am 78% Evil Genius I am pure evil. I lie awake at night devising schemes of world domination, and I will not rest until all living souls bend to my will. Take the Evil Genius Test at fuali.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, May 19, 2006 11:41 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OldCmp question Disabled accounts are marked by having bit 1 list on userAccountControl (value 2) To exclude them you want -af "useraccountcontrol:AND:=2" and -bit I just realized I have an -onlydisabled switch, I should add a -onlynotdisabled I guess... -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Friday, May 19, 2006 11:25 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OldCmp question Anyone know a way to easibly filter out disabled accounts from the oldcmp -users report? Would one have to use some sort of bitwise filter from a translation of a useraccountcontrol 66048 value or something? 
RE: [ActiveDir] OldCmp question
Hmm that may work. I will have to send it into the design committee and see what they think. ;o)

TGIF.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Friday, May 19, 2006 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

hmmm How about -onlyenabled? :) Ya know...just because...

> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OldCmp question
> Date: Fri, 19 May 2006 11:41:21 -0400
>
> Disabled accounts are marked by having bit 1 list on userAccountControl
> (value 2)
>
> To exclude them you want -af "useraccountcontrol:AND:=2" and -bit
>
> I just realized I have an -onlydisabled switch, I should add a
> -onlynotdisabled I guess...
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> Sent: Friday, May 19, 2006 11:25 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OldCmp question
>
> Anyone know a way to easily filter out disabled accounts from the oldcmp
> -users report? Would one have to use some sort of bitwise filter from a
> translation of a useraccountcontrol 66048 value or something?

Express yourself instantly with MSN Messenger! MSN Messenger
RE: [ActiveDir] OldCmp question
hmmm How about -onlyenabled? :) Ya know...just because...

> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OldCmp question
> Date: Fri, 19 May 2006 11:41:21 -0400
>
> Disabled accounts are marked by having bit 1 list on userAccountControl
> (value 2)
>
> To exclude them you want -af "useraccountcontrol:AND:=2" and -bit
>
> I just realized I have an -onlydisabled switch, I should add a
> -onlynotdisabled I guess...
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> Sent: Friday, May 19, 2006 11:25 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OldCmp question
>
> Anyone know a way to easily filter out disabled accounts from the oldcmp
> -users report? Would one have to use some sort of bitwise filter from a
> translation of a useraccountcontrol 66048 value or something?
RE: [ActiveDir] OldCmp question
Disabled accounts are marked by having bit 1 list on userAccountControl (value 2)

To exclude them you want -af "useraccountcontrol:AND:=2" and -bit

I just realized I have an -onlydisabled switch, I should add a -onlynotdisabled I guess...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 19, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question

Anyone know a way to easily filter out disabled accounts from the oldcmp -users report? Would one have to use some sort of bitwise filter from a translation of a useraccountcontrol 66048 value or something?
RE: [ActiveDir] OldCmp question
You don't need to use -f, -af is fine, just slap in the "(!(ourAttribute=TRUE))". The -f overrides most of the query. I recommend it only when/if you find a better query to use than what is in place now.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, May 15, 2006 4:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I ended up using

oldcmp -report -age 120 -users -f "(&(objectcategory=person)(objectclass=user)(!(ourAttribute=TRUE)))"

And it seemed to work. Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

-af "(!(ourProperty=TRUE))"

It would be more efficient and faster for the query to actually set all of the non-service accounts to FALSE so then you can do

-af "(ourProperty=FALSE)"

NOT filters aren't the greatest for efficiency plus you can get false positives because an account that you can't see the ourProperty value on due to security will be reported even if it has ourProperty set to TRUE.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, May 15, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question

I've created a new boolean schema property to flag all of our service accounts in our AD domain. I've gone through and set the boolean to "TRUE" to all the service accounts. Now I want to use oldcmp to go through and find all the ones that aren't "TRUE" and meet other criteria. I've determined I can do an -af ourProperty=TRUE and show the accounts that are service accounts, but I want any that are NOT service accounts. I tried -af ourProperty=" " and "" and -af ourProperty="" and nothing seems to work. Any ideas?
RE: [ActiveDir] OldCmp question
Usually I see folks add in an ID type or use the employeetype attributes. They are all acceptable. The service naming I have seen odd issues with where a service id has to be a certain value. Stupid apps I realize but they do exist... :o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, May 15, 2006 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

Hi Russ

Just out of idle curiosity, I would be interested to know why you decided to extend the schema to flag all service accounts. I’ve seen organisations use a specific naming convention to identify service accounts before, but never adding a new attribute.

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, 16 May 2006 8:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I ended up using

oldcmp -report -age 120 -users -f "(&(objectcategory=person)(objectclass=user)(!(ourAttribute=TRUE)))"

And it seemed to work. Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

-af "(!(ourProperty=TRUE))"

It would be more efficient and faster for the query to actually set all of the non-service accounts to FALSE so then you can do

-af "(ourProperty=FALSE)"

NOT filters aren't the greatest for efficiency plus you can get false positives because an account that you can't see the ourProperty value on due to security will be reported even if it has ourProperty set to TRUE.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, May 15, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question

I've created a new boolean schema property to flag all of our service accounts in our AD domain. I've gone through and set the boolean to "TRUE" to all the service accounts. Now I want to use oldcmp to go through and find all the ones that aren't "TRUE" and meet other criteria. I've determined I can do an -af ourProperty=TRUE and show the accounts that are service accounts, but I want any that are NOT service accounts. I tried -af ourProperty=" " and "" and -af ourProperty="" and nothing seems to work. Any ideas?

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
RE: [ActiveDir] OldCmp question
Hi Russ

Just out of idle curiosity, I would be interested to know why you decided to extend the schema to flag all service accounts. I’ve seen organisations use a specific naming convention to identify service accounts before, but never adding a new attribute.

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, 16 May 2006 8:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

I ended up using

oldcmp -report -age 120 -users -f "(&(objectcategory=person)(objectclass=user)(!(ourAttribute=TRUE)))"

And it seemed to work. Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

-af "(!(ourProperty=TRUE))"

It would be more efficient and faster for the query to actually set all of the non-service accounts to FALSE so then you can do

-af "(ourProperty=FALSE)"

NOT filters aren't the greatest for efficiency plus you can get false positives because an account that you can't see the ourProperty value on due to security will be reported even if it has ourProperty set to TRUE.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, May 15, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question

I've created a new boolean schema property to flag all of our service accounts in our AD domain. I've gone through and set the boolean to "TRUE" to all the service accounts. Now I want to use oldcmp to go through and find all the ones that aren't "TRUE" and meet other criteria. I've determined I can do an -af ourProperty=TRUE and show the accounts that are service accounts, but I want any that are NOT service accounts. I tried -af ourProperty=" " and "" and -af ourProperty="" and nothing seems to work. Any ideas?
RE: [ActiveDir] OldCmp question
I ended up using

oldcmp -report -age 120 -users -f "(&(objectcategory=person)(objectclass=user)(!(ourAttribute=TRUE)))"

And it seemed to work. Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

-af "(!(ourProperty=TRUE))"

It would be more efficient and faster for the query to actually set all of the non-service accounts to FALSE so then you can do

-af "(ourProperty=FALSE)"

NOT filters aren't the greatest for efficiency plus you can get false positives because an account that you can't see the ourProperty value on due to security will be reported even if it has ourProperty set to TRUE.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, May 15, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question

I've created a new boolean schema property to flag all of our service accounts in our AD domain. I've gone through and set the boolean to "TRUE" to all the service accounts. Now I want to use oldcmp to go through and find all the ones that aren't "TRUE" and meet other criteria. I've determined I can do an -af ourProperty=TRUE and show the accounts that are service accounts, but I want any that are NOT service accounts. I tried -af ourProperty=" " and "" and -af ourProperty="" and nothing seems to work. Any ideas?
RE: [ActiveDir] OldCmp question
Perhaps -af (!(ourProperty=TRUE))

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, May 15, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question

I've created a new boolean schema property to flag all of our service accounts in our AD domain. I've gone through and set the boolean to "TRUE" to all the service accounts. Now I want to use oldcmp to go through and find all the ones that aren't "TRUE" and meet other criteria. I've determined I can do an -af ourProperty=TRUE and show the accounts that are service accounts, but I want any that are NOT service accounts. I tried -af ourProperty=" " and "" and -af ourProperty="" and nothing seems to work. Any ideas?
RE: [ActiveDir] OldCmp question
-af "(!(ourProperty=TRUE))"

It would be more efficient and faster for the query to actually set all of the non-service accounts to FALSE so then you can do

-af "(ourProperty=FALSE)"

NOT filters aren't the greatest for efficiency plus you can get false positives because an account that you can't see the ourProperty value on due to security will be reported even if it has ourProperty set to TRUE.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, May 15, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question

I've created a new boolean schema property to flag all of our service accounts in our AD domain. I've gone through and set the boolean to "TRUE" to all the service accounts. Now I want to use oldcmp to go through and find all the ones that aren't "TRUE" and meet other criteria. I've determined I can do an -af ourProperty=TRUE and show the accounts that are service accounts, but I want any that are NOT service accounts. I tried -af ourProperty=" " and "" and -af ourProperty="" and nothing seems to work. Any ideas?
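The NOT-filter false positive described in this message and in the later userAccountControl reply, as an added example that is not part of the thread and is not oldcmp's or Active Directory's code. It assumes a simplified model in which an attribute the caller cannot read looks the same as an unset one; the entries, account names and function names are constructed for illustration.

```python
# Added illustration: a simplified model of LDAP filter matching.
# Assumption: an attribute hidden by permissions is treated as absent.

def parse(text):
    """Parse the filter subset used in the thread: & | ! = =* and :AND:=."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing text after filter: %r" % rest)
    return node


def _parse(s):
    if len(s) < 2 or s[0] != "(":
        raise ValueError("expected '(' at %r" % s)
    s = s[1:]
    if s[0] in "&|!":
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")") or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed %r clause" % op)
        return (op, kids), s[1:]
    end = s.find(")")
    if end < 0 or "=" not in s[:end]:
        raise ValueError("malformed item at %r" % s)
    attr, value = s[:end].split("=", 1)
    attr = attr.strip().lower()           # attribute names are case-insensitive
    if attr.endswith(":and:"):            # the bitwise :AND: form from the thread
        return ("bitand", attr[:-5], int(value)), s[end + 1:]
    if value == "*":                      # presence test, e.g. (attr=*)
        return ("present", attr, None), s[end + 1:]
    return ("eq", attr, value.lower()), s[end + 1:]


def matches(node, visible):
    """Evaluate a parsed filter against the attributes the caller can see."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, visible) for k in node[1])
    if kind == "|":
        return any(matches(k, visible) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], visible)
    _, attr, value = node
    if attr not in visible:               # unset OR hidden by permissions
        return False
    if kind == "present":
        return True
    if kind == "bitand":
        return (int(visible[attr]) & value) == value
    return str(visible[attr]).lower() == value


def search(filter_text, entries):
    """Return the names of entries that match, as this caller sees them."""
    tree = parse(filter_text)
    hits = []
    for e in entries:
        visible = {k: v for k, v in e["attrs"].items() if k not in e["hidden"]}
        if matches(tree, visible):
            hits.append(e["name"])
    return hits


# Constructed sample directory. 512 = enabled, 514 = 512 + 2 (disabled),
# 66048 = enabled with a non-expiring password. "hidden" lists attributes
# the querying account is not allowed to read.
ENTRIES = [
    {"name": "alice", "hidden": set(),
     "attrs": {"useraccountcontrol": 512, "ourproperty": "FALSE"}},
    {"name": "bob", "hidden": set(),
     "attrs": {"useraccountcontrol": 514, "ourproperty": "FALSE"}},
    {"name": "carol", "hidden": set(),
     "attrs": {"useraccountcontrol": 66048}},
    {"name": "svc-backup", "hidden": {"useraccountcontrol", "ourproperty"},
     "attrs": {"useraccountcontrol": 514, "ourproperty": "TRUE"}},
]

if __name__ == "__main__":
    for f in ("(!(useraccountcontrol:AND:=2))",
              "(&(useraccountcontrol=*)(!(useraccountcontrol:AND:=2)))",
              "(!(ourProperty=TRUE))",
              "(ourProperty=FALSE)"):
        print("%-58s -> %s" % (f, search(f, ENTRIES)))
```

In this model svc-backup is disabled and flagged TRUE, yet both bare NOT filters return it; the presence test and the positive match on FALSE do not, and the positive match also drops carol, whose flag was never set.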
RE: [ActiveDir] OldCmp
Yeah I have been thinking about that one for a while, I don't just want to do it, I would want to do it efficiently and with some measure of a guarantee which is tough, especially in large environments or environments with WAN sites (for instance, if there is one or more DCs that you can't contact, how do you make ANY decisions, you don't have all of the info). You could disable an ID that is absolutely in use, you just didn't talk to the one DC that it authenticates against. Using lastLogon can be dangerous in my opinion. lastLogonTimeStamp is also a bit touchy but at least if the DC connects occasionally the stamps should get updated.

I would visualize I would have to add switches like "allow X DCs to not respond and still do something" or allow a list of DCs to be specified that if they don't respond it doesn't matter what they have to say. Of course speed and possibly memory could be impacted.

To be honest, my favorite method is to use pwdLastSet. I think folks who like to have non-expiring IDs are a bit kookoo. :o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Saturday, November 26, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp

I scanned through the list of current switches and you appear to already have everything I was going to ask for. :) The only item I wasn't 100% certain on was if it can query lastLogon. I saw references to pwdLastSet and lastLogonTimeStamp. The ability to query lastLogon would be nice for environments that aren't 2003 DFL and may not have a good password policy or for whatever reason pwdLastSet isn't a great solution by itself. I know it's less efficient since it has to query every DC in a domain, but it's still useful in certain scenarios.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, November 26, 2005 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp

So, other than the bug reports and requests I have received previously prior to this email, it is perfect? Cool.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 18, 2005 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp

Ok, so now that you have had time to play with oldcmp and you have decided you like it or maybe just simply deal with it or it really upsets you, what would you change about it? If it were your app and you were like, I need to make this better, what things would you do to it to make it better? Like for instance, you are sitting there and you think, man this is cool, but it would be really cool if "X"

I am starting to feel the urge to dig into that code again and since the first version was driven in great part by requests from this list, I figured I would ask about before going off and making changes from my own head and from previous requests or issues I have heard or assumed from things I have heard.

Ping me with an email directly at this address or the one from the usage screen.

Obviously if you have thoughts about other tools that I have out there, I always welcome those comments as well.

joe

P.S. Anyone on this list work for Borland or know someone well that works at Borland that could comp me a copy of the new Borland C++ Builder 2006 or give me a really good price break? I have a copy of Visual Studio 2005 but it just doesn't do it for me. The cool stuff[1] assumes you want to code using .NET and you know what they say about assumptions.

[1] Like quick and easy service creation and windows gui app building which BB did long ago with native code.
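The lastLogon problem raised in this message, as an added example that is not part of the thread and is not oldcmp's code. It assumes per-DC lastLogon values have already been collected as Windows FILETIME integers; the DC names, dates, the 90-day threshold and the `ignorable` parameter (modelled on the "list of DCs" idea above) are constructed for illustration.

```python
# Added illustration: deciding staleness from per-DC lastLogon values when
# some domain controllers did not answer. All sample values are constructed.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2005, 11, 26, 12, 0, tzinfo=timezone.utc)   # constructed "today"


def to_filetime(dt):
    """datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    """FILETIME -> timezone-aware datetime (sub-microsecond part dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def ago(days, now=NOW):
    """Helper for building sample data: FILETIME for `days` before `now`."""
    return to_filetime(now - timedelta(days=days))


def classify(per_dc, now, max_age_days, ignorable=frozenset()):
    """Return (verdict, silent_dcs).

    per_dc maps DC name -> lastLogon FILETIME, 0 if the account never logged
    on at that DC, or None if the DC did not respond.
    """
    answered = [v for v in per_dc.values() if v is not None]
    silent = sorted(dc for dc, v in per_dc.items()
                    if v is None and dc not in ignorable)
    newest = max(answered, default=0)
    cutoff = now - timedelta(days=max_age_days)

    # A recent logon seen on ANY DC proves the account is in use; a missing
    # DC could only report a later time, never take this one away.
    if newest and from_filetime(newest) >= cutoff:
        return "active", silent
    # Everything we saw is old, but a silent DC may hold the recent logon,
    # so acting on this account would be a guess.
    if silent:
        return "undetermined", silent
    return "stale", silent


if __name__ == "__main__":
    samples = {
        "jsmith":  {"dc1": ago(200), "dc2": ago(5), "dc3": None},
        "kbranch": {"dc1": ago(200), "dc2": 0,      "dc3": None},
        "oldtemp": {"dc1": ago(400), "dc2": ago(300), "dc3": 0},
    }
    for name, per_dc in samples.items():
        print(name, classify(per_dc, NOW, 90))
    print("kbranch, dc3 ignorable:",
          classify(samples["kbranch"], NOW, 90, ignorable={"dc3"}))
```

Only the "stale" verdict depends on having heard from every DC, which is why a missing DC blocks a disable decision but never an "in use" one.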
RE: [ActiveDir] OldCmp
I scanned through the list of current switches and you appear to already have everything I was going to ask for. :) The only item I wasn't 100% certain on was if it can query lastLogon. I saw references to pwdLastSet and lastLogonTimeStamp. The ability to query lastLogon would be nice for environments that aren't 2003 DFL and may not have a good password policy or for whatever reason pwdLastSet isn't a great solution by itself. I know it's less efficient since it has to query every DC in a domain, but it's still useful in certain scenarios.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, November 26, 2005 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp

So, other than the bug reports and requests I have received previously prior to this email, it is perfect? Cool.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 18, 2005 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp

Ok, so now that you have had time to play with oldcmp and you have decided you like it or maybe just simply deal with it or it really upsets you, what would you change about it? If it were your app and you were like, I need to make this better, what things would you do to it to make it better? Like for instance, you are sitting there and you think, man this is cool, but it would be really cool if "X"

I am starting to feel the urge to dig into that code again and since the first version was driven in great part by requests from this list, I figured I would ask about before going off and making changes from my own head and from previous requests or issues I have heard or assumed from things I have heard.

Ping me with an email directly at this address or the one from the usage screen.

Obviously if you have thoughts about other tools that I have out there, I always welcome those comments as well.

joe

P.S. Anyone on this list work for Borland or know someone well that works at Borland that could comp me a copy of the new Borland C++ Builder 2006 or give me a really good price break? I have a copy of Visual Studio 2005 but it just doesn't do it for me. The cool stuff[1] assumes you want to code using .NET and you know what they say about assumptions.

[1] Like quick and easy service creation and windows gui app building which BB did long ago with native code.
RE: [ActiveDir] OldCmp
So, other than the bug reports and requests I have received previously prior to this email, it is perfect? Cool.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 18, 2005 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp

Ok, so now that you have had time to play with oldcmp and you have decided you like it or maybe just simply deal with it or it really upsets you, what would you change about it? If it were your app and you were like, I need to make this better, what things would you do to it to make it better? Like for instance, you are sitting there and you think, man this is cool, but it would be really cool if "X"

I am starting to feel the urge to dig into that code again and since the first version was driven in great part by requests from this list, I figured I would ask about before going off and making changes from my own head and from previous requests or issues I have heard or assumed from things I have heard.

Ping me with an email directly at this address or the one from the usage screen.

Obviously if you have thoughts about other tools that I have out there, I always welcome those comments as well.

joe

P.S. Anyone on this list work for Borland or know someone well that works at Borland that could comp me a copy of the new Borland C++ Builder 2006 or give me a really good price break? I have a copy of Visual Studio 2005 but it just doesn't do it for me. The cool stuff[1] assumes you want to code using .NET and you know what they say about assumptions.

[1] Like quick and easy service creation and windows gui app building which BB did long ago with native code.
RE: [ActiveDir] oldcmp
Assuming you've chosen to output OLDCMP's report switch to CSV format, you could start with something like below. In this example, "oldcmp.txt" is the name of the output file you've generated with OLDCMP.

Hope it helps give you some ideas...probably not really the polished version : - )

-DaveC

# perl

# Set up an output file...
open ( OUT , "> oldcmp-sams.txt" ) or die "cannot write oldcmp-sams.txt: $!" ;

# Read in the existing CSV/TXT file...
open ( LOG , "< oldcmp.txt" ) or die "cannot read oldcmp.txt: $!" ;
@a = <LOG> ;
close LOG ;

# Get rid of all lines that don't begin with a DN...
for $i ( @a ) { push ( @b , $i ) if ( $i =~ /^cn=/ ) ; }

# Keep just the samaccountname, which is the 3rd field in joe's output in this case...
for $j ( @b ) { push ( @c , ( split ( /;/ , $j ) ) [2] ) ; }

# Write out that last array to a file...
print OUT join ( "\n" , @c ) ;
close OUT ;

# End!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 4:21 AM
To: ActiveDir@mail.activedir.org
Subject: [spam] Re: [ActiveDir] oldcmp

i'm trying to get rid of all those fields except sAMAccountName with perl. any ideas? can oldcmp take as input the same file it created to disable accounts?

anyway, i'd like to know how to parse that file in perl and get rid of all the fields except that one and use that file as input to oldcmp or ds* commands with For, to disable just some accounts that oldcmp finds.

thanks

On 10/9/05, joe <[EMAIL PROTECTED]> wrote:

Noyup

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, October 09, 2005 9:10 AM
To: activedirectory
Subject: [ActiveDir] oldcmp

is there anyway to just dump the sAMAccountName from oldcmp for inactive computers to csv? I want to filter all the default fields out(pwdLastSet,dn,cn,etc).

thanks

-
Visit our Internet site at http://www.reuters.com

To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
Re: [ActiveDir] oldcmp
i'm trying to get rid of all those fields except sAMAccountName with perl. any ideas? can oldcmp take as input the same file it created to disable accounts?

anyway, i'd like to know how to parse that file in perl and get rid of all the fields except that one and use that file as input to oldcmp or ds* commands with For, to disable just some accounts that oldcmp finds.

thanks

On 10/9/05, joe <[EMAIL PROTECTED]> wrote:

Noyup

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, October 09, 2005 9:10 AM
To: activedirectory
Subject: [ActiveDir] oldcmp

is there anyway to just dump the sAMAccountName from oldcmp for inactive computers to csv? I want to filter all the default fields out(pwdLastSet,dn,cn,etc).

thanks
RE: [ActiveDir] oldcmp
Noyup

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Sunday, October 09, 2005 9:10 AM
To: activedirectory
Subject: [ActiveDir] oldcmp

is there anyway to just dump the sAMAccountName from oldcmp for inactive computers to csv? I want to filter all the default fields out(pwdLastSet,dn,cn,etc).

thanks