Re: Attributes that Update during Computer logon



Thanks again for your responses and assistance.

Basically we want to be able to put these users and computers in the domain
but they are never at our offices or sites; they only connect remotely.
Ultimately their computer accounts will become stale and will be deleted as
you mentioned which is what we are trying to avoid. We have figured out a
solution for applying GPOs and resetting their User account passwords when
they expire (all through our VPN) but the Computer accounts are still a
problem. I was hoping to update the directory manually to avoid this issue
but if that is not possible do you have any other suggestions? We have
considered using dial-up networking, where Windows would connect to the VPN
prior to logon but the learning curve for our users is what may be difficult
so we are attempting to pursue all options.

Would greatly appreciate any feedback on this.

Thanks
Ray

"Richard Mueller [MVP]" wrote:


"RayRay" <RayRay@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A0B78B22-B563-4B94-8D90-2B5D2F66FA26@xxxxxxxxxxxxxxxx
Thank you very much for your response. 3 additional questions.
You mention that the computer may request its password to be reset, will
the object request this automatically based on the 14 days password policy
and how much time is left before expiring?

The client OS requests the password reset automatically as the computer
authenticates to the domain. It only requests after the password has
expired.


Also, in reviewing the attributes for a Computer object (using a LDAP
browser) I noticed multiple attributes named "dsCorePropagationData" that
appear to be dates as well. Any idea what these are and if I would need to
update them to simulate a logon? Microsoft lists it as "Internal Use only."

I don't know what dsCorePropagationData is used for. I just know it is not
replicated, is in the GC, and is generalizedTime (which is different from
Integer8 attributes). When I look at the dates I don't believe it is updated
at every logon. I know I have logged on on many days that are not
included in the collection for my computer.


Finally you mentioned that "lastLogon" was not replicated but is the
"lastLogonTimestamp" attribute? If I am not mistaken "User" objects have
this same attribute and it is replicated every 14 days. Will the "Computer"
objects "lastLogontimestamp" function the same way?

I should have mentioned lastLogonTimeStamp. Yes, it is only updated during
logon if the previous value is more than 14 days (by default) in the past.
Once updated, the value is replicated. It works the same for user and
computer objects.


Your assistance is greatly appreciated.
Thanks
Ray


I don't think you can code a script or program that will update these
attributes. They are updated by the system. I guess I have to ask why you
want to, or what is your goal? The pwdLastSet attribute, for example, cannot
be assigned a value, and it should not matter anyway. A computer can be
roving disconnected for some time and it won't matter. The password will be
reset the next time it authenticates. The lastLogon attribute shouldn't
matter either. The only issue I can think of would be identifying "stale"
computer accounts to be disabled and eventually deleted.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
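
Added example, not part of the original thread or any poster's code: a stale-computer check that decodes the Integer8 values of lastLogonTimestamp and pwdLastSet and allows for the 14-day update lag described above before flagging an account. The computer names, the 90-day threshold and the sample values are constructed assumptions; the records stand in for attributes exported from the directory.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICK = timedelta(microseconds=1)
# Per the thread: lastLogonTimestamp is rewritten only when the stored value is
# more than 14 days old (default), so it can trail the real logon by that much.
SYNC_LAG = timedelta(days=14)

def integer8_to_datetime(value):
    """Integer8 = 100-ns intervals since 1601-01-01 UTC; 0 or missing = never set."""
    if not value:
        return None
    return EPOCH_1601 + TICK * (int(value) // 10)

def datetime_to_integer8(dt):
    return ((dt - EPOCH_1601) // TICK) * 10

def classify(record, now, inactive_days=90):
    """Return 'never-seen', 'stale' or 'active' for one computer record."""
    logon = integer8_to_datetime(record.get("lastLogonTimestamp"))
    pwd = integer8_to_datetime(record.get("pwdLastSet"))
    evidence = []
    if logon:
        evidence.append(logon + SYNC_LAG)  # latest logon the stored value allows
    if pwd:
        evidence.append(pwd)               # machine password change, no lag
    if not evidence:
        return "never-seen"
    cutoff = now - timedelta(days=inactive_days)
    return "stale" if max(evidence) < cutoff else "active"

def report(records, now, inactive_days=90):
    return {r["cn"]: classify(r, now, inactive_days) for r in records}

# Constructed sample data (hypothetical names, values built relative to NOW).
NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)
def _ago(days):
    return datetime_to_integer8(NOW - timedelta(days=days))

SAMPLE = [
    {"cn": "ROAM-01", "lastLogonTimestamp": _ago(100), "pwdLastSet": _ago(120)},
    {"cn": "OLD-02", "lastLogonTimestamp": _ago(200), "pwdLastSet": _ago(230)},
    {"cn": "VPN-03", "lastLogonTimestamp": _ago(150), "pwdLastSet": _ago(10)},
    {"cn": "NEW-04", "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, status in report(SAMPLE, NOW).items():
        print(f"{name}: {status}")
```

ROAM-01 shows why the lag matters: its stored timestamp is 100 days old, but the real last logon could be as recent as 86 days ago, so it is not flagged at a 90-day threshold.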


