
Determine Last Computer Account Password Change


Jerry G. Young II

Oct 15, 2003, 8:49:31 PM
All,

I'm looking for a means that will allow me to automate computer object
cleanup in Active Directory.

My thought was to write a script that checks the last time a computer
account's password has been changed (by default, computer accounts change
their password every 7 days) and if this date is more than a month ago to
disable the computer account. A secondary script would then check for
disabled computer accounts and delete them if a set of other conditions had
been met.

However, I haven't had any luck in finding a scriptable means to check the
last time a computer account's password has been changed.

If anyone knows, can you let me know? Or, if there is another scriptable
means to determine if a computer account is most likely no longer used, that
would be fine, too.

Thanks in advance.

Cordially yours,
Jerry G. Young II


Robbie Allen

Oct 15, 2003, 10:12:40 PM
Hi Jeremy,

Here is a script that can find and disable/delete inactive computers:
http://www.rallenhome.com/books/managingenterprisead/source/Ch11-Listing23_Finding_Inactive_Computers.perl.txt

This script is a little more straightforward but requires Win Server 2003 AD:
http://www.rallenhome.com/books/adcookbook/src/08.08-find_inactive_computers.pls.txt

Let me know if you have any questions.

Regards,
Robbie Allen
Author of "Active Directory Cookbook"
http://www.rallenhome.com/


"Jerry G. Young II" <jerry...@savvis.nospam.net> wrote in message
news:#POVe93k...@TK2MSFTNGP10.phx.gbl...

Jerry G. Young II

Oct 16, 2003, 2:50:10 AM
Robbie,

Thanks for your input. *8^) I haven't managed to get around to Perl, yet,
though.

Between the Windows 2000 Scripting Guide and some archived messages from
Torgier, I was able to write a VBScript that can do this.

For anyone else who happens to be following this thread (this question has
been answered elsewhere, too), below is the script I wrote.

START CODE
----------------
'==========================================================================
'
' VBScript Source File
'
' NAME: EnumInactiveComputers.vbs
'
' AUTHOR: Jerry G. Young II, Savvis Communications (jerry...@savvis.net)
' DATE : 10/16/2003
'
' COMMENT: Lists computer accounts whose whenChanged attribute is older
'          than 3 months, using an ADO query against the domain's
'          default naming context.
'
'==========================================================================
Option Explicit
On Error Resume Next   ' note: this also masks a failed bind or query

Const ADS_SCOPE_SUBTREE = 2
Dim objRoot, strDomainDN
Dim objConnection, objCommand, objRecordSet
Dim intComputerCount

' Start at 0 (corrected from 1 in the follow-up post) so the count and the
' summary messages below are accurate.
intComputerCount = 0

WScript.Echo "Today's date and time is: " & Now
WScript.Echo
WScript.Echo "The following computer accounts have not been modified in the last 3 months:"

' Bind to RootDSE to discover the domain's default naming context.
Set objRoot = GetObject("LDAP://RootDSE")
strDomainDN = objRoot.Get("DefaultNamingContext")

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")

objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = "SELECT Name, distinguishedName, operatingSystem, " & _
    "operatingSystemServicePack, whenCreated, whenChanged " & _
    "FROM 'LDAP://" & strDomainDN & "' WHERE objectClass='computer' " & _
    "ORDER BY whenChanged"
' Paged results so domains with more than 1000 computers are returned in full.
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

' The recordset is positioned on the first row already; calling MoveFirst on an
' empty result would raise an error, so the loop simply tests EOF.
Set objRecordSet = objCommand.Execute
Do Until objRecordSet.EOF
    If CDate(objRecordSet.Fields("whenChanged").Value) < DateAdd("m", -3, Now) Then
        intComputerCount = intComputerCount + 1
        WScript.Echo "    " & objRecordSet.Fields("Name").Value & " - Last Modified: " & _
            objRecordSet.Fields("whenChanged").Value
    End If
    objRecordSet.MoveNext
Loop

Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRoot = Nothing

If intComputerCount > 1 Then
    WScript.Echo
    WScript.Echo intComputerCount & " computer accounts have not been modified in the last 3 months."
ElseIf intComputerCount = 1 Then
    WScript.Echo
    WScript.Echo "Only " & intComputerCount & " computer account has not been modified in the last 3 months."
Else
    WScript.Echo
    WScript.Echo "All computer accounts in the domain have been modified in the last 3 months."
End If
----------------
END CODE

Thanks again for taking the time to respond, Robbie. I do appreciate it.
*8^)

Cordially yours,
Jerry G. Young II

"Robbie Allen" <ral...@cisco.com> wrote in message
news:Od697r4k...@tk2msftngp13.phx.gbl...

Jerry G. Young II

Oct 16, 2003, 4:23:02 AM
Oops.

Need to set the initial value of intComputerCount to 0, not 1. Sorry about
that. *8^(

Cordially yours,
Jerry G. Young II

"Jerry G. Young II" <jerry...@savvis.nospam.net> wrote in message
news:urpp$G7kDH...@TK2MSFTNGP09.phx.gbl...

Guess Who

Oct 16, 2003, 4:42:06 AM
But this script only tells which machines haven't been changed for the past 3
months - it doesn't disable or move them?

/MM


Jerry G. Young II

Oct 16, 2003, 6:53:19 PM
All,

I've done some testing with both of these properties. There are differences
between the data contained in both. For one, it's a lot harder to
programmatically make sense of the pwdLastSet value (thanks given to Richard
L. Mueller for his Integer8Date function and system time zone bias code
snippet). Still, the values for these two data do not match. I would have
thought that a password reset would be a modification of the computer
account, but it doesn't appear quite that simple.

In any case, does anyone out there know concretely what the differences
are?

Cordially yours,
Jerry G. Young II

"Jerry G. Young II" <jerry...@savvis.nospam.net> wrote in message
news:%23POVe93...@TK2MSFTNGP10.phx.gbl...

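Decoding pwdLastSet is the part described above as hard: it is an Integer8 (100-nanosecond ticks since 1601-01-01 UTC, with 0 meaning "never set"), while whenChanged is an LDAP GeneralizedTime that any write to the object bumps and that each domain controller computes locally rather than replicates, so the two legitimately diverge. The Python below is an added example (not any poster's code, and in Python rather than the thread's VBScript so it runs offline): it decodes both attributes, handles the 0 and "never" sentinels, and over constructed sample records flags computers whose password is stale while noting whether something else touched the object anyway; it assumes records arrive as the raw string values an LDAP search returns.

```python
from datetime import datetime, timedelta, timezone

# AD Integer8 / Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel some Integer8 date attributes carry for "never"

def integer8_to_datetime(value):
    """Decode pwdLastSet (or lastLogonTimestamp). 0 means never set / must change at
    next logon and the sentinel means never; both return None, not a bogus 1601 date."""
    value = int(value)
    if value <= 0 or value >= NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def datetime_to_integer8(dt):
    # Inverse of integer8_to_datetime; used here only to build the constructed samples.
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def generalized_time_to_datetime(value):
    """Decode LDAP GeneralizedTime as whenChanged returns it, e.g. '20031016120000.0Z'."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)

def find_stale(records, now, threshold_days=90):
    """Computers whose password is older than threshold_days or was never set; the
    object_changed_recently flag catches objects written to after the cutoff anyway."""
    cutoff = now - timedelta(days=threshold_days)
    stale = []
    for rec in records:
        pwd = integer8_to_datetime(rec["pwdLastSet"])
        if pwd is not None and pwd >= cutoff:
            continue  # rotated recently, so the machine is still talking to the domain
        stale.append({
            "name": rec["name"],
            "days_since_pwd": None if pwd is None else (now - pwd).days,
            "object_changed_recently": generalized_time_to_datetime(rec["whenChanged"]) >= cutoff,
        })
    return stale
# Constructed sample records, in the raw string form an LDAP search hands back.
NOW = datetime(2003, 10, 16, 12, 0, tzinfo=timezone.utc)
def sample(name, pwd_days_ago, changed_days_ago):
    pwd = 0 if pwd_days_ago is None else datetime_to_integer8(NOW - timedelta(days=pwd_days_ago))
    changed = (NOW - timedelta(days=changed_days_ago)).strftime("%Y%m%d%H%M%S.0Z")
    return {"name": name, "pwdLastSet": str(pwd), "whenChanged": changed}

SAMPLE_RECORDS = [
    sample("WS01$", 5, 2),       # healthy: rotated within the default 30 days
    sample("WS02$", 120, 120),   # dormant: nothing has touched it for four months
    sample("OLDSRV$", 200, 10),  # password stale, but someone edited the object recently
    sample("NEWPC$", None, 1),   # pre-staged account: pwdLastSet is 0
]
```

Running `find_stale(SAMPLE_RECORDS, NOW)` returns WS02$, OLDSRV$ and NEWPC$; only WS02$ has neither attribute moving, which is the profile a cleanup script should act on first.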
Gurgen

Oct 16, 2003, 8:14:28 PM
Actually the 7-day account password change is true for the NT OS. For W2k and up the default password age is 30 days. Furthermore, it can be extended or disabled altogether via policies, so extra caution is needed while gathering information about password age.
As for the script, there is a convenient way to check the password age via the ADSI interface, bypassing "direct" directory database access.

This will display all computers in a domain which have not changed password in the past 2 months:

=========== getinactive.vbs ============
Option Explicit
Dim TargetDomain, Container, Member, Computer, cname, passAge, lngFlags, pclist, StartCount

TargetDomain = "Domain"   ' NetBIOS name of the domain to scan
Set Container = GetObject("WinNT://" & TargetDomain)
Container.Filter = Array("Computer")
StartCount = 60           ' report accounts whose password is older than this many days
pclist = ""

For Each Member In Container
    cname = UCase(Member.Name)
    ' Under the WinNT provider the machine account is the user object "<NAME>$".
    Set Computer = GetObject("WinNT://" & _
        TargetDomain & "/" & cname & "$,user")
    ' PasswordAge is returned in seconds; convert to whole days.
    passAge = Computer.Get("PasswordAge") \ 86400
    If passAge > StartCount Then
        lngFlags = Computer.Get("UserFlags")
        If (lngFlags And &H1000) <> 0 Then       ' ADS_UF_WORKSTATION_TRUST_ACCOUNT
            pclist = pclist & cname & "|workstation|inactive for " & _
                passAge & " days" & vbCrLf
        ElseIf (lngFlags And &H2000) <> 0 Then   ' ADS_UF_SERVER_TRUST_ACCOUNT (domain controller)
            pclist = pclist & cname & "|server|inactive for " & _
                passAge & " days" & vbCrLf
        End If
    End If
Next
WScript.Echo pclist
===================================

Regards,
Gurgen

"Jerry G. Young II" <jerry...@savvis.nospam.net> wrote in message news:%23POVe93...@TK2MSFTNGP10.phx.gbl...

Joe Richards [MVP]

Oct 19, 2003, 9:11:12 AM
An account could be unused but still be getting changed by something, so you will not necessarily be cleaning things up well.

Another option would be to grab secdata from the free win32 tools page of www.joeware.net and run with the /computers option. This will dump the output in a format that you can have a script parse out. Also you should find that it is faster than using ADO for the same searches.

--
Joe Richards
www.joeware.net


"Jerry G. Young II" <jerry...@savvis.nospam.net> wrote in message news:urpp$G7kDH...@TK2MSFTNGP09.phx.gbl...

Mike Brierley

Nov 12, 2003, 12:18:05 PM
Robbie,
I noticed that this is one of a few scripts you wrote where you don't
have a vbs alternative. What is the reason for this? I tried your
script with Active Perl and it dies on the ::DNS line.
Thanks for some wonderful scripts.

Mike
