Re: some security requirements - how to comply
From: barry (noooooo_at_nooonsnasdadasdasdasdasda.com)
Date: 02/22/05
- In reply to: Juan Carlos: "some security requirements - how to comply"
- Next in thread: Dmitry Korolyov [MVP]: "Re: some security requirements - how to comply"
Date: Tue, 22 Feb 2005 08:16:16 GMT
Juan Carlos wrote:
> Hi:
>
> I have some requirements for a software and I don't know how to
> use/configure Active Directory (or whatever) to comply with them or the best way
> to do it. I have no experience with Active Directory.
>
> The following are the requirements:
> 1) Configure a maximum "idle" status of a session: if a user logs in and
> does not use the PC for a certain time the user must be logged off
> automatically.
> 2) Make the system users "expire" automatically when a certain
> (configurable) time has passed since the last time the user logged in.
> 3) Audit the user management (creation/deletion/modification) by
> administrators to record all modifications and authors of those
> modifications.
>
> For 1) a way may be using a screen saver configured to auto log-off after a
> certain time, but I don't know how to configure a default screen saver for a
> group of users (and make those users unable to modify it). Maybe using
> logon scripts and some registry stuff?
> For 2) I've seen out there that the "LastLogonTime" or something like that
> is recorded for all users, but I don't know a good way to automatically make
> this.
> For 3) there is a way (policy) that windows "events" are generated when
> Active Directory objects are modified. Is that a good way?
>
> I'd really appreciate your help.
>
> Juan Carlos
>
1) - Be useful if Scheduled Tasks had a "when idle for x minutes" or
something.
2) - There's a last modified property in AD somewhere, but I honestly
can't find it now. I did find a little program once that would go through
AD and list when people last logged on etc. So it does exist and is
possible. Search around a lot. Could write some VB to do it, and then
disable the accounts I guess.
3) - Actually done this one! You can get your DCs to generate security
messages when an account is created, modified, deleted etc. Then set up
a VB script and an SQL (or Access) DB that will import them into the
database. Schedule this occasionally. Write some ASP and make the
database searchable. There was an article on MS's site somewhere about
how to import event logs into SQL.
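
For requirement 2, one way to list accounts by last logon and then disable the stale ones, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory PowerShell module; the function name `Get-StaleUser`, the 90-day limit and the 15-day slack are illustrative choices.

```powershell
# Added example: report (and optionally disable) accounts with no recent logon.
# Assumes the RSAT ActiveDirectory module; thresholds below are illustrative.
Import-Module ActiveDirectory

function Get-StaleUser {
    param(
        [int]$MaxIdleDays = 90,          # assumed policy value
        [int]$ReplicationSlackDays = 15  # margin for lastLogonTimestamp lag
    )
    # lastLogon is per-DC and not replicated. lastLogonTimestamp is replicated,
    # but is only refreshed when the stored value is roughly 9-14 days old,
    # so add slack before treating an account as idle.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-($MaxIdleDays + $ReplicationSlackDays))

    Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
        ForEach-Object {
            # The attribute is a Windows FILETIME (Int64); empty means never logged on.
            $last = if ($_.lastLogonTimestamp) {
                [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)
            } else {
                $null
            }
            # For never-used accounts, measure idleness from the creation date
            # so that freshly created users are not flagged.
            $reference = if ($last) { $last } else { $_.whenCreated.ToUniversalTime() }
            if ($reference -lt $cutoff) {
                [pscustomobject]@{
                    SamAccountName    = $_.SamAccountName
                    LastLogonUtc      = $last
                    WhenCreated       = $_.whenCreated
                    DistinguishedName = $_.DistinguishedName
                }
            }
        }
}

$stale = Get-StaleUser -MaxIdleDays 90
$stale | Sort-Object LastLogonUtc |
    Format-Table SamAccountName, LastLogonUtc, WhenCreated

# Review the report first; -WhatIf only prints what would be disabled.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Service accounts and accounts that authenticate only through mechanisms that do not update `lastLogonTimestamp` should be excluded or reviewed by hand before `-WhatIf` is removed.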