Pau Lo
asked on
AD reports
A few more questions for you AD gurus if I may:
1) Is there any setting against an AD account to determine whether it can interactively log in or it can't? If so, how can you run a report of which accounts can log in, and which can't?
2) Do expired accounts, i.e. those only set up for, say, 1 month for a temp member of staff, have any symbol by them in AD Users and Computers, or if not, how can you identify which accounts are expired (but not disabled)? Or if you put a date in "account expires", when that date comes around, does it automatically go into "disabled"? I need an accurate list of which accounts are "active", and which are disabled/expired. And some insight into the difference between expired and disabled.
3) Are there any tools to run a report, for all accounts with non-expiring passwords ONLY, to list the following fields (login name, date of last login, account created date, date password last set)?
Please try this software, it will help: ADManager Plus and ADAudit Plus. Through these you can manage your complete AD.
Download links are below.
AD Manager:
http://www.manageengine.com/products/ad-manager/index.html
AD Audit Plus:
http://www.manageengine.com/products/active-directory-audit/index.html
ASKER
They're not free though, so if a free tool can do the same I'll go with the freebie.
Yes, we can try to address that with dsquery, and if that does not work then you can decide whether you wish to use ADInfo or PowerShell.
Just give me a second to prepare the syntax for you.
Krzysztof
So, to see user account expiration, use
dsquery user -name * -limit 0 | dsget user -samid -fn -ln -acctexpires >>c:\expires.txt
for disabled accounts
dsquery * -filter "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr sAMAccountName givenName sn >>c:\disabled.txt
for enabled accounts
dsquery * -filter "(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -attr sAMAccountName givenName sn >>c:\enabled.txt
Krzysztof
ASKER
Is there any way, in 1 single report, to output all accounts with non-expiring passwords, and just list login name, date of last login, account created date and date password last set per account?
With DSQUERY, no :/ It's a limited tool and does not support output in a human-readable date/time format :)
However, if you wish, we may try to create a single report, but you would need to use other tools to convert the date and time.
Krzysztof
ASKER
Is there no way to do it in AD users and comps?
You can use saved queries, but the output would not be ideal because many attributes won't be displayed.
For that you should use PowerShell, which allows it in much easier steps.
Krzysztof
ASKER
Do you have an example powershell?
I will prepare an example using the Quest PowerShell module for AD.
Just a second please
Krzysztof
Try that using the free Quest PowerShell module:
http://www.quest.com/powershell/activeroles-server.aspx
Get-QADUser * -SizeLimit 0 | Select SamAccountName,FirstName,LastName,whenCreated,PasswordNeverExpires,LastLogonTimestamp,PasswordLastSet | Export-CSV c:\report.csv
Krzysztof
Does it work as you expected?
Krzysztof
ASKER
Don't have admin rights to install that tool unfortunately :(
It does not have to be installed on a DC. You may simply run it from your domain member workstation :)
However, if that is still not possible, we can try with DSQUERY.
Krzysztof
ASKER
Yeah, I only have a workstation to work with, so if DSquery can do it, can we try that first?
OK, let's try with DSQUERY.
Run this code, please:
dsquery * -filter "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 -attr sAMAccountName givenName sn whenCreated lastLogonTimestamp pwdLastSet >>c:\neverexpires.txt
dsquery * -filter "(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))" -limit 0 -attr sAMAccountName givenName sn whenCreated lastLogonTimestamp pwdLastSet >>c:\pwdexpires.txt
All those strange values in the output (the large numbers) you can convert to a human-readable format using the w32tm command, i.e.
w32tm /ntte NUMBER_INT_64
For more details about that, please check the article on my blog about the lastLogon vs lastLogonTimestamp attributes at
http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/
Krzysztof
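Added example, not from the thread and not Krzysztof's code: the single report asked for above (login name, created date, last logon, password last set, non-expiring-password flag) plus the active/disabled/expired distinction from question 2, produced directly in PowerShell from a domain-joined workstation with nothing to install, using the built-in [adsisearcher] accelerator around System.DirectoryServices.DirectorySearcher. The LDAP filter is the same one the dsquery command uses (userAccountControl bit 65536 = password never expires). Assumptions: PowerShell 3.0 or later, you are logged on with a domain account, the current domain is searched, and the function names and the C:\neverexpires.csv output path are mine.

```powershell
# Added example (not from the original thread). Builds one AD user report from a
# domain-joined workstation with no extra module, via [adsisearcher].
# Assumes PowerShell 3.0+ and a domain logon; searches the current domain.

function ConvertFrom-AdFileTime {
    # lastLogonTimestamp, pwdLastSet and accountExpires are 64-bit FILETIME values:
    # 100 ns ticks since 1601-01-01 UTC (what w32tm /ntte decodes).
    # 0 and Int64.MaxValue both mean "not set / never", so return $null for those.
    param([Int64]$Value)
    if ($Value -le 0 -or $Value -eq [Int64]::MaxValue) { return $null }
    return [DateTime]::FromFileTimeUtc($Value).ToLocalTime()
}

function Get-AdUserStatusReport {
    param(
        # When set, keep only accounts whose password never expires (UAC bit 0x10000 = 65536).
        [switch]$NonExpiringPasswordsOnly
    )
    $filter = '(&(objectClass=user)(objectCategory=person))'
    if ($NonExpiringPasswordsOnly) {
        $filter = '(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
    }
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000   # paged search: returns all objects, like dsquery -limit 0
    'sAMAccountName','whenCreated','lastLogonTimestamp','pwdLastSet','accountExpires','userAccountControl' |
        ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

    $now = Get-Date
    foreach ($result in $searcher.FindAll()) {
        $p       = $result.Properties          # property names come back lower-cased
        $uac     = [int]$p['useraccountcontrol'][0]
        $expires = ConvertFrom-AdFileTime ([Int64]$p['accountexpires'][0])

        # Disabled is an explicit flag (UAC bit 0x2). Expired is only a date comparison:
        # AD never flips an expired account to disabled, so the two must be checked separately.
        $status = 'Active'
        if ($uac -band 0x2) { $status = 'Disabled' }
        elseif ($expires -and $expires -lt $now) { $status = 'Expired' }

        [pscustomobject]@{
            LoginName            = [string]$p['samaccountname'][0]
            Created              = $p['whencreated'][0]          # already a DateTime
            # lastLogonTimestamp is replicated to every DC but, by default, only refreshed
            # when more than 14 days old, so treat it as "last logon, give or take 14 days".
            LastLogon            = ConvertFrom-AdFileTime ([Int64]$p['lastlogontimestamp'][0])
            PasswordLastSet      = ConvertFrom-AdFileTime ([Int64]$p['pwdlastset'][0])
            PasswordNeverExpires = [bool]($uac -band 0x10000)
            AccountExpires       = $expires
            Status               = $status
        }
    }
}

# Usage: one CSV with only the non-expiring-password accounts, as asked in the thread.
Get-AdUserStatusReport -NonExpiringPasswordsOnly |
    Export-Csv -NoTypeInformation C:\neverexpires.csv

# Or the full active/disabled/expired picture for every account, summarised:
Get-AdUserStatusReport | Group-Object Status | Select-Object Name, Count
```

Running it without the switch and filtering on Status gives the "which accounts are active, which are disabled, which are expired" list: an account with Status Expired still has Enabled semantics in AD (the disabled bit is not set), it simply fails logon because accountExpires is in the past.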
ASKER
Cheers. Do I need to put the no-limit thing on, as there are quite a few expected results?
Hey,
I have added -limit 0 to each command to get all objects queried. By default only 100 are displayed.
If you expect to get fewer than 100 results, you can simply skip the -limit 0 switch in each command.
Krzysztof
ASKER
Would there be any way to format all the dates in one go?
We can try to use the output file and import it into Excel, then copy the whole column where only the numbers are stored and use a loop to convert them.
If you wish, you may send the output files to my e-mail: kpytko at go2 dot pl
and I will convert it for you and then describe the syntax here (it would be a much easier way :) )
Krzysztof
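Added example, not from the thread: instead of e-mailing the file out or converting cell by cell, every FILETIME value in the dsquery output above can be rewritten to a readable UTC date in one pass, which also keeps the account names inside the organisation. The function is mine; it assumes the files were produced by the two dsquery -attr commands earlier in the thread, and the sample lines are constructed, not real output.

```powershell
# Added example (not from the original thread). Converts every 64-bit FILETIME token
# in dsquery -attr output (lastLogonTimestamp, pwdLastSet) to a readable UTC date,
# replacing the per-value "w32tm /ntte NUMBER_INT_64" step with one pass over the file.

function Convert-DsqueryFileTimes {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Lines      # raw lines exactly as dsquery -attr wrote them
    )
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        $v = [Int64]$m.Value
        if ($v -eq [Int64]::MaxValue) { return 'never' }   # accountExpires "never"
        return [DateTime]::FromFileTimeUtc($v).ToString('yyyy-MM-dd HH:mm:ss') + 'Z'
    }
    # Only bare 17- to 19-digit integers are touched. whenCreated is stored as
    # generalized time (e.g. 20120730083000.0Z) and is left alone; a lone "0" is also
    # left alone because it carries meaning: lastLogonTimestamp 0 = never logged on
    # (or never replicated), pwdLastSet 0 = user must change password at next logon.
    foreach ($line in $Lines) {
        [regex]::Replace($line, '(?<!\S)\d{17,19}(?!\S)', $evaluator)
    }
}

# Constructed sample in dsquery -attr layout (not real data) to show the effect.
$sample = @(
    '  sAMAccountName  givenName  sn   whenCreated        lastLogonTimestamp  pwdLastSet'
    '  jdoe            Jane       Doe  20120730083000.0Z  129877200000000000  129870000000000000'
    '  svc_backup      Backup     Svc  20100105120000.0Z  0                   129000000000000000'
)
Convert-DsqueryFileTimes -Lines $sample

# Usage against the real files from the thread:
Convert-DsqueryFileTimes -Lines (Get-Content C:\neverexpires.txt) | Set-Content C:\neverexpires_dates.txt
Convert-DsqueryFileTimes -Lines (Get-Content C:\pwdexpires.txt)   | Set-Content C:\pwdexpires_dates.txt
```

The converted dates are UTC; append .ToLocalTime() before ToString if you want workstation local time, which is what w32tm /ntte prints.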
ASKER
Hmmm, probs shouldn't send external, account names are a potential security issue - that's not insinuating anything, just that I should be careful. I will thank you for your help and give points at this stage.
So, just send me a fake file with some lastLogonTimestamp values and I will show you the general rule for that :)
Krzysztof