Disabling Computer Accounts

Posted on 2004-04-26
Last Modified: 2008-03-04
I am trying to create a script that will disable computer accounts after 7 days if the user has not logged into their machine for that period of time. I would also like to delete computer accounts that have been disabled for more than 90 days.

This is in a Windows 2000 environment.
Question by:Javier_G
 
LVL 3

Expert Comment

by:Orbsol
I take it you mean in ADSI and not some other scripting language?

Here is one I have used before, and it works well.

*****
It reads from an input file ( DCList.txt ) in which you manually insert the names of your domain controllers so that their accounts will not be deleted. It then removes all machine accounts that have not changed their password in the last 90 days, then writes the results to an output file ( InactivePCs.txt )

The line  'Call objDomain.Delete("Computer", objComp.Name)  has been commented out so that you may test the script first without actually deleting accounts.

Take the following steps to use the script.

1. Create the DCList.txt and InactivePCs.txt files in C:\Temp ( create this folder if it does not exist) on the PDC Emulator for the domain.
2. Populate the DCList.txt file with the names of the domain controllers.
3. Rename the strDomain variable from "MyDomain" to the name of the domain.
4. Possibly edit the IntAccountAge variable to reflect that of how long you would like the maximum time that a computer account password has NOT changed
5. Rename the following script to .vbs and run on the PDC Emulator.

*** Resolution ***



Const ForReading = 1
Const ForWriting = 2
Dim objFSO, objCompFile, objDCFile, objDomain, objComp, objNTComp
Dim strCompFile, strDCFile
Dim strDomain, strDCList
Dim intSecInADay, intAccountAge

strCompFile = "C:\Temp\InactivePCs.txt"   ' output: accounts that would be removed
strDCFile = "C:\Temp\DCList.txt"          ' input: one domain controller name per line
strDomain = "MyDomain"                    ' NetBIOS domain name for the WinNT provider

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objCompFile = objFSO.OpenTextFile(strCompFile, ForWriting, TRUE)
Set objDCFile = objFSO.OpenTextFile(strDCFile, ForReading)
Set objDomain = GetObject("WinNT://" & strDomain)
objDomain.Filter = Array("Computer")      ' enumerate computer accounts only
strDCList = objDCFile.ReadAll()
intSecInADay = 60 * 60 * 24
intAccountAge = 90                        ' maximum machine password age, in days

For Each objComp In objDomain
    ' bind to the machine account itself (its SAM name is the computer name plus "$")
    Set objNTComp = GetObject("WinNT://" & strDomain & "/" & objComp.Name & "$")
    ' PasswordAge is reported in seconds
    If (objNTComp.PasswordAge > intSecInADay * intAccountAge) Then
        ' skip anything listed in DCList.txt (InStr is a substring match, so a
        ' computer whose name is contained in a DC's name is skipped as well)
        If InStr(1, strDCList, objComp.Name, vbTextCompare) = 0 Then
            'Call objDomain.Delete("Computer", objComp.Name)
            objCompFile.Writeline objNTComp.Name & "-- computer account has been deleted"
        End If
    End If
Next
objCompFile.Close
objDCFile.Close
 
LVL 3

Expert Comment

by:Orbsol
Oops, sorry about the line wraps.
 
LVL 2

Expert Comment

by:5t0rmUK
I agree with Orbsol this solution would work very well.

Nice bit of code m8 ;-)
 

Author Comment

by:Javier_G
I was able to run the script but it marks all my machines as being disabled. Am I doing something wrong? Also, is there a way to specify a specific OU? Ex: Domain\OU
 

Author Comment

by:Javier_G
Sorry "deleted" not disabled

 
LVL 3

Expert Comment

by:Orbsol
The script deleted all your machines? Did you uncomment the "Call objDomain.Delete" function? There is no way it will delete all your machines if you edit correctly.

Yes you can access a single ou. I guess you are not too familiar with ADSI? You need to call GetObj() using the LDAP provider. Like GetObject("LDAP://ServerName.CompanyName.Com/OU=MyDept")

To be honest it would be too hard for me to go too deeply into it here. You might try a primer like...http://www.serverwatch.com/tutorials/article.php/1548191 to get you started.

Jon
 

Author Comment

by:Javier_G
Nothing was actually deleted but the log that is created displays every computer in my domain to be deleted. It shouldn't be displaying all computers so I was just wondering if there was something on my DC that I had to set as far as password changes.

Can you tell me where I can put that getObject command into the VB script?
 
LVL 3

Expert Comment

by:Orbsol
I take it then you don't have a policy in place? If not, this script is no good to you as it assumes you are forcing passwords to be changed. The following script will list all users and when they last logged in.

On Error Resume Next
Dim FSO
Dim Container
Dim ContainerName
Dim User
Dim File
Set FSO = Wscript.CreateObject("Scripting.FileSystemObject")
Set File = FSO.CreateTextFile("AllLastLogin.txt")
ContainerName = "Your Domain Here"        ' NetBIOS domain name for the WinNT provider
Set Container = GetObject("WinNT://" & ContainerName)
Container.Filter = Array("User")          ' user accounts only
For Each User in Container
  ' last logon is not replicated between DCs, so this reflects the DC the script bound to
  Wscript.Echo User.name & " " & User.LastLogin
  File.Writeline User.name & " Last logged on " & User.LastLogin
Next
File.Close

If scripts aren't your thing, maybe you should consider some thing like this...http://download.com.com/3000-2651_4-10279602.html

Jon
 

Author Comment

by:Javier_G
What I need is a complete answer to complete this process. I do not know much about scripting or ADSI but I would like to learn. I do not completely understand the process of computer account passwords being reset, therefore I am not sure what I would have to set up before I can have the script from above work correctly.
 
LVL 3

Accepted Solution

by:Orbsol (earned 500 total points)
Firstly, my apologies for the delay in replying.

When a computer becomes a member of a domain, its name is registered with the primary domain controller with the trailing "$". This also becomes its initial password. Based on this password, Windows establishes a "secure channel", used for encrypting communication between a domain member and domain controllers. This password gets reset (typically within 10 minutes) by Netlogon service, which, from this point on, changes it, by default, every 7 days.

If your output file from the first script is listing all your machines, then either you have got the script wrong somehow, no user has logged on to your domain on those PCs, or the account password resetting has been disabled. This is done by modifying the registry entry RefusePasswordChange of the type REG_DWORD to 1 within the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters on all of the domain controllers in the domain.

Other than that, I cannot really suggest anything further without actually seeing your network.

Jon
 

Author Comment

by:Javier_G
Thank you very much for getting back to me. It works beautifully! As I said before I am trying to specify a certain OU but I must be doing something wrong. Would you be able to look over what I did and possibly suggest a solution? Thank you for all your help.

Const ForReading = 1
Const ForWriting = 2
Dim objFSO, objCompFile, objDCFile, objDomain, objComp, objNTComp
Dim strCompFile, strDCFile
Dim strDomain, strDCList, strName
Dim intSecInADay, intAccountAge

strCompFile = "C:\Temp\InactivePCs.txt"
strDCFile = "C:\Temp\DCList.txt"
strDomain = "test.org"   ' the WinNT provider expects the NetBIOS domain name here

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objCompFile = objFSO.OpenTextFile(strCompFile, ForWriting, TRUE)
Set objDCFile = objFSO.OpenTextFile(strDCFile, ForReading)
' binding to the OU through the LDAP provider limits the enumeration to that OU
Set objDomain = GetObject("LDAP://server.test.org/OU=Computers,OU=State,DC=test,DC=org")
objDomain.Filter = Array("Computer")
strDCList = objDCFile.ReadAll()
intSecInADay = 60 * 60 * 24
intAccountAge = 90

For Each objComp In objDomain
    ' with the LDAP provider objComp.Name is the RDN ("CN=PC1"), so read the cn attribute
    strName = objComp.Get("cn")
    Set objNTComp = GetObject("WinNT://" & strDomain & "/" & strName & "$")
    If (objNTComp.PasswordAge > intSecInADay * intAccountAge) Then
        If InStr(1, strDCList, strName, vbTextCompare) = 0 Then
            ' ADSI has no Disable method; the LDAP object exposes AccountDisabled instead
            'objComp.AccountDisabled = True : objComp.SetInfo
            objCompFile.Writeline objNTComp.Name & "-- computer account has been deleted"
        End If
    End If
Next
objCompFile.Close
objDCFile.Close
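An added example, not posted in this thread, that combines Jon's explanation of the machine password cycle with the OU binding Javier was trying: it enumerates one OU through the LDAP provider, reads pwdLastSet directly instead of going back through the WinNT provider, matches the DC exclusion list on whole names, and disables rather than deletes. The OU distinguished name, both file paths and the DC list are placeholders, and blnDryRun = True means it only logs.

```vbscript
Option Explicit
' Added example, not from the thread: audit one OU through the LDAP provider,
' compute the machine-password age from pwdLastSet, and disable (not delete)
' computer accounts whose password is older than the threshold.
' Placeholders: the OU distinguished name, both file paths, the DC list.
Const ADS_UF_ACCOUNTDISABLE = &H2   ' userAccountControl bit for "disabled"
Const ForReading = 1, ForWriting = 2
Const intMaxPwdAgeDays = 7          ' the question's 7-day threshold
Dim blnDryRun : blnDryRun = True    ' True = log only, False = really disable
Dim objFSO, objLog, objDCFile, arrDCs, objOU, objComp, objLI
Dim strName, dblTicks, dtmPwdLastSet, intAgeDays, intUAC, blnIsDC, i

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLog = objFSO.OpenTextFile("C:\Temp\StalePCs.txt", ForWriting, True)
Set objDCFile = objFSO.OpenTextFile("C:\Temp\DCList.txt", ForReading)
arrDCs = Split(objDCFile.ReadAll, vbCrLf)   ' one DC name per line
objDCFile.Close

' the LDAP provider lets you bind straight to the OU and enumerate only it
Set objOU = GetObject("LDAP://OU=Computers,OU=State,DC=test,DC=org")
objOU.Filter = Array("computer")

For Each objComp In objOU
    strName = objComp.Get("cn")   ' objComp.Name would be "CN=name" via LDAP
    ' pwdLastSet is a 64-bit count of 100 ns ticks since 1 Jan 1601 (UTC),
    ' exposed as IADsLargeInteger; LowPart comes back as a signed 32-bit value
    Set objLI = objComp.Get("pwdLastSet")
    dblTicks = objLI.HighPart * 2^32 + objLI.LowPart
    If objLI.LowPart < 0 Then dblTicks = dblTicks + 2^32
    dtmPwdLastSet = #1/1/1601# + dblTicks / 864000000000   ' 8.64e11 ticks per day
    intAgeDays = DateDiff("d", dtmPwdLastSet, Now)   ' UTC vs local: hours, not days
    ' exact-name match against the DC list (InStr would also match substrings)
    blnIsDC = False
    For i = 0 To UBound(arrDCs)
        If StrComp(Trim(arrDCs(i)), strName, vbTextCompare) = 0 Then blnIsDC = True
    Next
    intUAC = objComp.Get("userAccountControl")
    If intAgeDays > intMaxPwdAgeDays And Not blnIsDC Then
        If (intUAC And ADS_UF_ACCOUNTDISABLE) <> 0 Then
            objLog.WriteLine strName & " already disabled, password age " & intAgeDays & " days"
        Else
            If Not blnDryRun Then
                objComp.Put "userAccountControl", intUAC Or ADS_UF_ACCOUNTDISABLE
                objComp.SetInfo
            End If
            objLog.WriteLine strName & " disabled (dry run = " & blnDryRun & "), password age " & intAgeDays & " days"
        End If
    End If
Next
objLog.Close
```

Because the default Netlogon rotation is itself 7 days, a threshold of exactly 7 will flag machines that are only a day late, so in practice pick a margin above the rotation interval. Active Directory does not record when an account was disabled, so the dated log written here is the record a later delete-after-90-days pass has to work from.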