Re: Identify inactive computer accounts.


From: Risto Loponen (Ristolopo_at_aol.com)
Date: 04/13/04


Date: Tue, 13 Apr 2004 17:47:49 +0200

Hi all

My name is Risto and I work at a large Finnish corporation. I've seen
a lot of tips regarding all the unwanted computer accounts and how to delete
them. Besides being (rather) good in ice-hockey the Swedes also know how to
make good software. Try Active Directory Janitor from Special Operations
Software instead of running all those scripts. I must say, it's a lot easier.
http://www.specopssoft.com/products/ADJanitor/Default.asp is the place to
go!

See ya!

*********************************************************

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message

I wouldn't look at the lastlogon value unless you only have one domain
controller. That value is not replicated so you could end up deleting
accounts that are actually active. You really want to get the pwd age and
verify it is over ~60 days. Probably safest to get the ones over 90 days.

You can use the command line tool secdata which is on the free win32 tools
page of www.joeware.net. It will dump the info for computer accounts (using
the /computers option) into CSV format which you can parse out with script
or sort in an Excel spreadsheet. It will give you lastlogon (on the DC
queried) and pwdlastset which is when the password was set as well as
password age.

-- 
Joe Richards
www.joeware.net
--
"Yuriy" <anonymous@discussions.microsoft.com> wrote in message
news:073201c3d14e$71be0a40$a501280a@phx.gbl...
>
> Hello all and happy new year.
> Can anyone advise how can I identify inactive computer
> accounts in AD. Although I can see value for lastlogon
> attribute in ADSIEDIT, it doesn't make any sense to me. I
> have exported computer account information with CSVDE and
> included lastlogon attribute and I got value something like
> this: 127166011052081000.
> How can I read this value to determine the last logon time?
>
> Please help.
>
> Thank you
>
> Yuriy.
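
Added example, not part of the original posts: a Python sketch that decodes the large-integer timestamp from the question (100-nanosecond ticks since 1601-01-01 UTC) and flags computer accounts by password age rather than lastLogon, as the reply above recommends. The CSV rows, the column set (a CSVDE-style export of sAMAccountName, pwdLastSet and lastLogon) and the as-of date are constructed assumptions; the 90-day threshold is the one suggested in the reply.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# AD stores lastLogon and pwdLastSet as 100-ns ticks since this epoch (UTC).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert an AD large-integer timestamp; 0 or empty means 'never'."""
    ticks = int(value or 0)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def stale_computers(csv_text, as_of, max_age_days=90):
    """Return (account, password age in days or None) for accounts whose
    pwdLastSet is older than max_age_days or was never set.
    lastLogon is deliberately ignored because it is not replicated."""
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pwd_set = filetime_to_datetime(row["pwdLastSet"])
        age = (as_of - pwd_set).days if pwd_set else None
        if age is None or age > max_age_days:
            stale.append((row["sAMAccountName"], age))
    return stale


# Constructed sample export (hypothetical hosts and domain).
# WS-ACTIVE$ has lastLogon 0 on the DC queried but a recent password
# change, so a lastLogon-only check would wrongly mark it inactive.
SAMPLE_CSV = """\
DN,sAMAccountName,pwdLastSet,lastLogon
"CN=WS-ACTIVE,CN=Computers,DC=example,DC=com",WS-ACTIVE$,127250784000000000,0
"CN=WS-STALE,CN=Computers,DC=example,DC=com",WS-STALE$,127165248000000000,127166011052081000
"CN=WS-NEVER,CN=Computers,DC=example,DC=com",WS-NEVER$,0,0
"""

if __name__ == "__main__":
    # The value quoted in the question
    print(filetime_to_datetime(127166011052081000))
    as_of = datetime(2004, 4, 13, tzinfo=timezone.utc)  # assumed review date
    for name, age in stale_computers(SAMPLE_CSV, as_of):
        print(name, "password never set" if age is None else f"{age} days")
```

Accounts reported with no password age are candidates for manual review rather than automatic deletion.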

