Determine Last Computer Account Password Change


Jerry G. Young II

All,

I'm looking for a means that will allow me to automate computer object
cleanup in Active Directory.

My thought was to write a script that checks the last time a computer
account's password has been changed (by default, computer accounts change
their password every 7 days) and if this date is more than a month ago to
disable the computer account. A secondary script would then check for
disabled computer accounts and delete them if a set of other conditions had
been met.

However, I haven't had any luck in finding a scriptable means to check the
last time a computer account's password has been changed.

If anyone knows, can you let me know? Or, if there is another scriptable
means to determine if a computer account is most likely no longer used, that
would be fine, too.

Thanks in advance.

Cordially yours,
Jerry G. Young II
 
Robbie,

Thanks for your input. *8^) I haven't managed to get around to Perl, yet,
though.

Between the Windows 2000 Scripting Guide and some archived messages from
Torgier, I was able to write a VBScript that can do this.

For anyone else who happens to be following this thread (this question has
been answered elsewhere, too), below is the script I wrote.

START CODE
----------------
'==========================================================================
'
' VBScript Source File
'
' NAME: EnumInactiveComputers.vbs
'
' AUTHOR: Jerry G. Young II, Savvis Communications ([email protected])
' DATE : 10/16/2003
'
' COMMENT: Lists every computer account in the domain whose whenChanged
'          attribute is older than three months.
'
'==========================================================================
Option Explicit
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2
Dim objRoot, strDomainDN
Dim objConnection, objCommand, objRecordSet
Dim intComputerCount

' Counter starts at 0 (the posted original started at 1; corrected in the
' author's follow-up)
intComputerCount = 0

WScript.Echo("Today's date and time is: " & Now)
WScript.Echo()
WScript.Echo("The following computer accounts have not been modified in the " & _
    "last 3 months:")

' Find the DN of the current domain without hard-coding it
Set objRoot = GetObject("LDAP://RootDSE")
strDomainDN = objRoot.Get("DefaultNamingContext")

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")

objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = "SELECT Name, distinguishedName, operatingSystem, " & _
    "operatingSystemServicePack, whenCreated, whenChanged " & _
    "FROM 'LDAP://" & strDomainDN & "' WHERE objectClass='computer' " & _
    "ORDER BY whenChanged"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    If CDate(objRecordSet.Fields("whenChanged").Value) < DateAdd("m", -3, Now) Then
        intComputerCount = intComputerCount + 1
        WScript.Echo(" " & objRecordSet.Fields("Name").Value & " - Last Modified: " & _
            objRecordSet.Fields("whenChanged").Value)
    End If
    objRecordSet.MoveNext
Loop

Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRoot = Nothing

If intComputerCount > 0 Then
    If intComputerCount > 1 Then
        WScript.Echo()
        WScript.Echo(intComputerCount & " computer accounts have not been " & _
            "modified in the last 3 months.")
    Else
        WScript.Echo()
        WScript.Echo("Only " & intComputerCount & " computer account has not " & _
            "been modified in the last 3 months.")
    End If
Else
    WScript.Echo()
    WScript.Echo("All computer accounts in the domain have been modified in " & _
        "the last 3 months.")
End If
----------------
END CODE

Thanks again for taking the time to respond, Robbie. I do appreciate it.
*8^)

Cordially yours,
Jerry G. Young II
 
Oops.

Need to set the initial value of intComputerCount to 0, not 1. Sorry about
that. *8^(

Cordially yours,
Jerry G. Young II
 
But this script only tells which machines haven't been changed for the past 3
months - it doesn't disable or move them?

/MM
 
All,

I've done some testing with both of these properties. There are differences
between the data contained in both. For one, it's a lot harder to
programmatically make sense of the pwdLastSet value (thanks given to Richard
L. Mueller for his Integer8Date function and system time zone bias code
snippet). Still, the values for these two properties do not match. I would have
thought that a password reset would be a modification of the computer
account, but it doesn't appear quite that simple.

In any case, does anyone out there know concretely what the differences
are?

Cordially yours,
Jerry G. Young II
 
Actually the 7-day account password change is true for the NT OS. For W2K and up the default password age is 30 days. Furthermore, it
can be extended or disabled entirely via policies. So extra caution needs to be taken while gathering information about
password age.
As for the script, there is a convenient way to check the password age via the ADSI interface, bypassing "direct" directory database
access.

This will display all computers in a domain which have not changed password in the past 2 months:

=========== getinactive.vbs ============
TargetDomain = "Domain"   ' NetBIOS name of the domain to scan
Set Container = GetObject("WinNT://" & TargetDomain)
Container.Filter = Array("Computer")
StartCount = 60           ' report accounts whose password is older than this many days
pclist = ""

For Each Member In Container
    cname = UCase(Member.Name)
    ' Bind to the computer's account object; PasswordAge is reported in seconds
    Set Computer = GetObject("WinNT://" & _
        TargetDomain & "/" & cname & "$,user")
    passAge = Computer.Get("PasswordAge") \ 86400
    If passAge > StartCount Then
        lngFlags = Computer.Get("UserFlags")
        ' &H1000 = workstation trust account, &H2000 = server (domain controller) trust account
        If (lngFlags And &H1000) <> 0 Then
            pclist = pclist & cname & "|workstation|inactive for " & _
                passAge & " days" & vbCrLf
        ElseIf (lngFlags And &H2000) <> 0 Then
            pclist = pclist & cname & "|server|inactive for " & _
                passAge & " days" & vbCrLf
        End If
    End If
Next
Wscript.Echo pclist
===================================

Regards,
Gurgen
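As an added example (not code from this thread), pulling together Jerry's difficulty with reading pwdLastSet (an Integer8 value) and Gurgen's use of the trust-account flags: Python that converts pwdLastSet to a UTC time, classifies each account as workstation or server from userAccountControl, skips accounts that are already disabled and reports those whose password is older than a threshold. The record layout, the computer names and the NOW timestamp are constructed for the example; the attribute and flag names are the real Active Directory ones.

```python
from datetime import datetime, timedelta, timezone

# Integer8 attributes such as pwdLastSet count 100-ns ticks since 1601-01-01 UTC
# (the Windows FILETIME epoch); 0 means the password was never set.
INTEGER8_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# userAccountControl bits (the WinNT provider exposes the same bits as UserFlags).
ACCOUNTDISABLE = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000  # member workstation or member server
SERVER_TRUST_ACCOUNT = 0x2000       # domain controller

def integer8_to_datetime(value):
    """UTC datetime for an Integer8 value, or None when it is 0."""
    if value <= 0:
        return None
    return INTEGER8_EPOCH + timedelta(microseconds=value // 10)

def datetime_to_integer8(dt):
    """Inverse of integer8_to_datetime, using exact integer arithmetic."""
    d = dt - INTEGER8_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def classify(record, now, max_age_days):
    """Return (kind, age_days, stale); a never-set password counts as stale."""
    flags = record["userAccountControl"]
    kind = ("server" if flags & SERVER_TRUST_ACCOUNT
            else "workstation" if flags & WORKSTATION_TRUST_ACCOUNT else "other")
    last_set = integer8_to_datetime(record["pwdLastSet"])
    if last_set is None:
        return kind, None, True
    age = (now - last_set).days
    return kind, age, age > max_age_days

def find_inactive(records, now, max_age_days=60):
    """Enabled computer accounts whose password is older than max_age_days
    (60 is twice the Windows 2000 default 30-day change interval)."""
    hits = []
    for r in records:
        if r["userAccountControl"] & ACCOUNTDISABLE:
            continue  # already disabled; left for a separate deletion pass
        kind, age, stale = classify(r, now, max_age_days)
        if stale:
            hits.append((r["name"], kind, age))
    return hits

# Constructed sample records (not real directory output), relative to NOW.
NOW = datetime(2003, 10, 16, 12, 0, tzinfo=timezone.utc)
def rec(name, flags, days_ago):
    pwd = 0 if days_ago is None else datetime_to_integer8(NOW - timedelta(days=days_ago))
    return {"name": name, "userAccountControl": flags, "pwdLastSet": pwd}
SAMPLE = [rec("WS01$", 0x1000, 12), rec("WS02$", 0x1000, 95), rec("DC01$", 0x2000, 5),
          rec("OLD01$", 0x1000 | ACCOUNTDISABLE, 200), rec("NEW01$", 0x1000, None)]
```

Against a live directory the records would come from an LDAP query for objectClass=computer returning name, userAccountControl and pwdLastSet; the threshold should be set with the domain's actual password-change policy in mind, since Gurgen notes it can be lengthened or disabled.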
 
An account could be unused but still be getting changed by something so you will not necessarily be cleaning things up
well.

Another option would be to grab secdata from the free win32 tools page of www.joeware.net and run with the /computers
option. This will dump the output in a format that you can have a script parse out. Also you should find that it is
faster than using ADO for the same searches.
 