Re: Move computers account to another OU from a txt list



Gustavo wrote:

Thanks for the tips Richard, the script worked great!!
My friend, I need another favor:
I need a script that lists, from an OU or txt file, the machine
accounts that have 180 days or more without logon.

You have a few options. One is to use Joe Richards' free oldcmp tool. See
this link:

http://www.joeware.net/freetools/tools/oldcmp/index.htm

Or, I have a sample VBScript program that retrieves the last logon date for
all users in the domain linked here:

http://www.rlmueller.net/Last%20Logon.htm

There are two programs on the page I linked, depending on your domain level.
In both cases you can modify the script to report on computer instead of
user objects by changing the ADO filter in the loop. To restrict the output
to the objects in one OU, change the base of the query. This is done in the
first program (LastLogon.vbs) by replacing the following:

For k = 0 To Ubound(arrstrDCs)
strBase = "<LDAP://" & arrstrDCs(k) & "/" & strDNSDomain & ">"
strFilter = "(&(objectCategory=person)(objectClass=user))"

with something similar to:

For k = 0 To Ubound(arrstrDCs)
' Change the base of the query to a specific OU.
strBase = "<LDAP://" & arrstrDCs(k) & "/ou=Sales,ou=West," _
& strDNSDomain & ">"
' Report on computer objects.
strFilter = "(objectCategory=computer)"

The code is complex because the lastLogon attribute is not replicated. The
script must query every DC in the domain, even if you are only interested in
the objects in one OU (you have no idea which DC will authenticate the
computer account).

In the second program linked above (LastLogonTimeStamp.vbs) replace these
lines:

' Search entire domain.
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on all user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"

with code similar to:

' Search OU.
strBase = "<LDAP://ou=Sales,ou=West," & strDNSDomain & ">"

' Filter on all computer objects.
strFilter = "(objectCategory=computer)"

Another option is to search for computers that have not changed their
password recently. If your domain is not at Windows 2003 functional level
this makes sense because the pwdLastSet attribute (unlike the lastLogon
attribute) is replicated (so there is no need to query every DC in the
domain). I have an example VBScript program to retrieve the date the
password was last changed for all users linked here:

http://www.rlmueller.net/PwdLastChanged.htm

Again this program can be modified for computers instead of users, and also
to restrict the output to one OU. The changes are similar. Change these
lines:

' Filter to retrieve all user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"

' Filter to retrieve all computer objects.
' strFilter = "(objectCategory=computer)"

strQuery = "<LDAP://" & strDNSDomain & ">;" & strFilter _
& ";distinguishedName,pwdLastSet,userAccountControl;subtree"

To something similar to:

' Filter to retrieve all computer objects.
strFilter = "(objectCategory=computer)"

strQuery = "<LDAP://ou=Sales,ou=West," & strDNSDomain & ">;" & strFilter _
& ";distinguishedName,pwdLastSet,userAccountControl;subtree"

In all cases, the base of the search is defined by the first "clause" of the
ADO query statement, where clauses are delimited by semicolons. You must
specify the full Distinguished Name of the OU as the base of the search. It
must resolve to something similar to:

<LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com>

where the Distinguished Name of the OU is
"ou=Sales,ou=West,dc=MyDomain,dc=com". Also, in all cases run the VBScript
program at a command prompt using the cscript host and redirect the output
to a text file. For example:

cscript //nologo LastLogon.vbs > report.txt

The text file can be read into a spreadsheet program for analysis.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
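
Added example, not part of the original post or of the linked scripts: a Python sketch of the 180-day check asked for above, showing why the non-replicated lastLogon value has to be merged across every DC before an account is called stale. The DC names, computer names, dates and helper names are constructed for illustration; the input stands in for per-DC query results.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """AD Integer8 date (100-ns ticks since 1601-01-01 UTC); 0 or None means never set."""
    if not ticks:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)

def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the sample values."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def latest_logon(per_dc):
    """Merge {dc: {dn: lastLogon}} into {dn: newest lastLogon seen on any DC}."""
    merged = {}
    for values in per_dc.values():
        for dn, ticks in values.items():
            merged[dn] = max(merged.get(dn, 0), int(ticks or 0))
    return merged

def stale_computers(per_dc, now, days=180):
    """Return [(dn, last_logon_or_None)] for accounts with no logon in `days` days."""
    cutoff = now - timedelta(days=days)
    stale = []
    for dn, ticks in sorted(latest_logon(per_dc).items()):
        last = filetime_to_datetime(ticks)
        if last is None or last <= cutoff:
            stale.append((dn, last))
    return stale

# Constructed sample data: what two DCs might return for the same OU.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
OU = ",ou=Sales,ou=West,dc=MyDomain,dc=com"

def days_ago(n):
    return datetime_to_filetime(NOW - timedelta(days=n))

SAMPLE = {
    "DC1": {"cn=PC1" + OU: days_ago(400), "cn=PC2" + OU: days_ago(200), "cn=PC3" + OU: 0},
    "DC2": {"cn=PC1" + OU: days_ago(5), "cn=PC2" + OU: days_ago(365)},
}

if __name__ == "__main__":
    for dn, last in stale_computers(SAMPLE, NOW):
        print(dn, last.date() if last else "never")
```

With only DC1's values, PC1 would be reported as stale even though DC2 authenticated it five days earlier, which is the false positive that querying every DC avoids.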