AD Version Changes

  • Question

  • Hello,

    We have inactivation script which disables users not logged in for more than 90 days.

    It works fine if we run it against ADVersion 2003, which looks only for LastLogintimestamp.

    But I am testing to run the script against 2012 Domain Controllers, whose ADVersion is 69, which doesn't disable the users.

    Is anything wrong with the version, or should it be "WINDOWS 2012R2"?

    Option Explicit
    Const ADS_SCOPE_SUBTREE = 8 'How far down the tree you want to search
    Const ForAppending = 8
    Dim objRootDSE, objNewOU, objMoveUser, objOldOU, objFSO
    Dim objConnection, objCommand, objRecordSet, strDeleteDays, strDatetxt, ObjDC
    Dim UserDN, ObjUser, strDNSDomain, strQuery, strOldOU, objArgs, ADS_UF_ACCOUNTDISABLE
    Dim objLogon, strWeeks, strDays, intLogonTime, objFromOU, objToOU, strDeleteQuery
    Dim intLLTS, intReqCompare, ADVersion, intUAC, Uglyinfo, MoreUgly, intReqDeleteCompare, objTextFile

    'ADVersion = "2003"
    'ADVersion = "2000"
    ADVersion = "69"

    ' Gather the information from the arguments in the commandline.
    strDays = 90
    strDeleteDays = 180
    strDatetxt = "E:\Files\ADScripts\APuserremove.txt"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFSO.OpenTextFile (strDatetxt, ForAppending, True)
    Set objArgs = WScript.Arguments
    objFromOU = WScript.Arguments(0) & ",dc=XX,dc=com" 'What Domain and OU are you pulling from
    'objToOU = WScript.Arguments(1) & ",dc=XX,dc=com" 'Where is your Retired OU. ##comment this
    objDC = WScript.Arguments(1) '## change index to 1 from 2
    'Set objNewOU = GetObject("LDAP://" & objToOU) '##comment this

    ' Use ADO to search Active Directory for all Users
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

    '-------------------- Begin Move Section -------------------------------
    On Error Resume Next
    ' Search the OU on the named DC for all objects in the User category
    strQuery = "SELECT distinguishedName FROM 'LDAP://" & objDC & "/" & objFromOU & "' WHERE objectCategory = 'User'"
    'strQuery = "SELECT distinguishedName,lastlogontimestamp FROM 'LDAP://" & objFromOU & "' WHERE objectCategory = 'User'"
    objCommand.CommandText = strQuery
    Set objRecordSet = objCommand.Execute
    objTextFile.WriteLine("These Users have been disabled" & objFromOU)
    objRecordSet.MoveFirst
    Do Until objRecordSet.EOF
        UserDN = objRecordSet.Fields("distinguishedName").Value
        Set ObjUser = GetObject("LDAP://" & UserDN)
        ' Begin calculation
        If ADVersion = "69" Then
            Set objLogon = ObjUser.Get("lastlogonTimeStamp")
        Else
            Set objLogon = ObjUser.Get("lastLogon")
        End If
        ' The attribute is a 64-bit count of 100-nanosecond intervals since 1 January 1601:
        ' combine the two halves, convert to minutes, then to days, then add to the base date
        intLogonTime = objLogon.HighPart * (2^32) + objLogon.LowPart
        intLogonTime = intLogonTime / (60 * 10000000)
        intLogonTime = intLogonTime / 1440
        intLLTS = intLogonTime + #1/1/1601#
        intReqCompare = Now - strDays
        If intLLTS < intReqCompare Then
            Uglyinfo = ObjUser.cn
            MoreUgly = ObjUser.distinguishedName
            objTextFile.WriteLine(ObjUser.distinguishedName & " last logged on at " & intLLTS)
            intUAC = ObjUser.Get("userAccountControl")
            ObjUser.Put "userAccountControl", intUAC OR ADS_UF_ACCOUNTDISABLE
            ObjUser.AccountDisabled = True
            ObjUser.SetInfo
            ' Set objMoveUser = objNewOU.MoveHere ("LDAP://" & MoreUgly, "cn=" & Uglyinfo)
        End If
        objRecordSet.MoveNext
    Loop
    objTextFile.WriteLine
    '-------------------- End Move Section -------------------------------



    Thanks HA

    Tuesday, November 29, 2016 1:38 PM

Answers

  • A few comments:

    • I see no reason to use "On Error Resume Next". This just hides problems.
    • The constant ADS_UF_ACCOUNTDISABLE needs to be defined (2).
    • There is no reason to use the variable ADVersion, since the value is hard coded.
    • As long as the domain functional level is at least Windows Server 2003, you can use lastLogonTimestamp.
    • If you had to use lastLogon, you would need to query every DC in the domain and track the largest value for each user.
    • Your query will retrieve both user and contact objects. Contact objects do not have the lastLogonTimestamp or userAccountControl attributes. You want objectCategory = "person" and objectClass = "user".

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, November 29, 2016 3:35 PM
    Moderator
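    The points Richard raises (the lastLogon-versus-lastLogonTimestamp distinction, querying every DC when lastLogon is used, and the person/user filter) and the timestamp arithmetic in the question's script can be demonstrated without touching a directory. The following is an added example written for this page, not code from the original post or from either responder; the DC names, user DNs and dates are constructed sample values, and the function names are this example's own.

    ```powershell
    # Added example, not code from the original post. It runs offline on constructed
    # values and shows the three things the thread turns on: converting the
    # IADsLargeInteger halves to a date, combining lastLogon across DCs, and the
    # inactivity decision with a 90-day threshold.

    $script:HighPartMultiplier = [int64]4294967296   # 2^32

    # Convert the HighPart/LowPart pair that ADSI returns for lastLogon and
    # lastLogonTimestamp into a UTC DateTime. Returns $null when the value is 0
    # (the account has never logged on); the VBScript in the question would instead
    # treat that as a logon on 1 January 1601 and disable the account.
    function Convert-LargeIntegerToDate {
        param([int]$HighPart, [int]$LowPart)
        # ADSI exposes LowPart as a signed 32-bit value. When it is negative the
        # high bit is set, and 2^32 must be added back to recover the unsigned part;
        # HighPart * 2^32 + LowPart alone is wrong in that case.
        [int64]$low = $LowPart
        if ($low -lt 0) { $low += $script:HighPartMultiplier }
        [int64]$fileTime = ([int64]$HighPart * $script:HighPartMultiplier) + $low
        if ($fileTime -eq 0) { return $null }
        return [DateTime]::FromFileTimeUtc($fileTime)
    }

    # lastLogon is not replicated, so it has to be read from every DC and the
    # largest value kept per user (lastLogonTimestamp is replicated and needs only
    # one query). $PerDcResults is one hashtable per DC, mapping user DN -> DateTime
    # or $null.
    function Get-LatestLogon {
        param([hashtable[]]$PerDcResults)
        $latest = @{}
        foreach ($dc in $PerDcResults) {
            foreach ($dn in $dc.Keys) {
                $value = $dc[$dn]
                if ($null -eq $value) { continue }
                if (-not $latest.ContainsKey($dn) -or $value -gt $latest[$dn]) {
                    $latest[$dn] = $value
                }
            }
        }
        return $latest
    }

    # Classify one account. Never-logged-on accounts are reported rather than
    # disabled, because a brand-new account would otherwise be caught on day one.
    function Get-InactivityStatus {
        param($LastLogon, [int]$Days = 90, [DateTime]$Now = (Get-Date).ToUniversalTime())
        if ($null -eq $LastLogon) { return 'NeverLoggedOn' }
        if ($LastLogon -lt $Now.AddDays(-$Days)) { return 'Inactive' }
        return 'Active'
    }

    # LDAP filter matching the answer: person + user excludes contact objects, and
    # the bitwise-AND matching rule skips accounts that are already disabled (bit 2,
    # the ADS_UF_ACCOUNTDISABLE value the script leaves undefined).
    $script:InactiveCandidateFilter =
        '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

    # --- Constructed sample data, not real directory output ---
    $now = New-Object DateTime 2016, 11, 29, 12, 0, 0, ([DateTimeKind]::Utc)

    # 1970-01-01 00:00:00 UTC is FILETIME 116444736000000000, which ADSI would hand
    # back as HighPart 27111902 and a negative LowPart of -717324288: the sign case.
    $epoch = Convert-LargeIntegerToDate -HighPart 27111902 -LowPart -717324288
    if ($epoch -ne (New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc))) {
        throw "FILETIME conversion is wrong: got $epoch"
    }

    # Two DCs, each holding its own unreplicated lastLogon view of three users.
    $dc1 = @{
        'CN=alice,OU=Staff,DC=example,DC=com' = $now.AddDays(-10)
        'CN=bob,OU=Staff,DC=example,DC=com'   = $now.AddDays(-200)
        'CN=carol,OU=Staff,DC=example,DC=com' = $null
    }
    $dc2 = @{
        'CN=alice,OU=Staff,DC=example,DC=com' = $now.AddDays(-95)
        'CN=bob,OU=Staff,DC=example,DC=com'   = $now.AddDays(-120)
        'CN=carol,OU=Staff,DC=example,DC=com' = $null
    }

    $latest = Get-LatestLogon -PerDcResults @($dc1, $dc2)
    "Filter used for the search: $script:InactiveCandidateFilter"
    foreach ($dn in $dc1.Keys) {
        $status = Get-InactivityStatus -LastLogon $latest[$dn] -Days 90 -Now $now
        '{0,-40} {1,-14} {2}' -f $dn, $status, $latest[$dn]
    }
    ```

    Run as a script, alice is reported active (her most recent logon on any DC is 10 days old, even though one DC saw her 95 days ago), bob inactive, and carol as never logged on. Two caveats apply when this is pointed at a real domain: lastLogonTimestamp is only rewritten when the stored value is more than about 14 days old, so it can understate activity by up to two weeks and should not be used with thresholds much shorter than that, and the never-logged-on case should be checked against whenCreated before any action is taken.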

All replies

  • I would recommend simplifying things for yourself and just use PowerShell's Active Directory module. The Search-ADAccount cmdlet with the -PasswordExpired parameter is the one you want.

    -- Bill Stewart [Bill_Stewart]

    Tuesday, November 29, 2016 3:32 PM
    Moderator
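    The PowerShell route Bill suggests, as an added example that is not part of the reply: it uses the ActiveDirectory module's Search-ADAccount with the -AccountInactive and -TimeSpan parameters to find user accounts with no logon in 90 days, logs them the way the original script does, and passes them to Disable-ADAccount. The OU, DC name and log path are placeholders; the module, and rights to disable accounts, are assumed. With -WhatIf in place it only reports.

    ```powershell
    # Added example, not code from the reply. Assumes the RSAT ActiveDirectory
    # module; OU, DC and log path below are placeholders to replace.
    Import-Module ActiveDirectory

    $searchBase = 'OU=Staff,DC=example,DC=com'   # placeholder OU
    $server     = 'dc01.example.com'             # placeholder DC
    $logPath    = 'C:\Temp\inactive-users.txt'   # placeholder log path
    $threshold  = New-TimeSpan -Days 90

    # -AccountInactive evaluates the replicated lastLogonTimestamp, so a single DC
    # is enough; -UsersOnly drops computer accounts. Accounts that are already
    # disabled are filtered out so the log records only new changes.
    $searchParams = @{
        AccountInactive = $true
        TimeSpan        = $threshold
        UsersOnly       = $true
        SearchBase      = $searchBase
        Server          = $server
    }
    $candidates = Search-ADAccount @searchParams | Where-Object { $_.Enabled }

    "Inactive for $($threshold.Days)+ days under $searchBase as of $(Get-Date -Format u)" |
        Add-Content -Path $logPath

    foreach ($account in $candidates) {
        # No recorded logon at all: review against whenCreated rather than disable blindly.
        if ($null -eq $account.LastLogonDate) { continue }
        "$($account.DistinguishedName) last logged on at $($account.LastLogonDate)" |
            Add-Content -Path $logPath
        # Remove -WhatIf to actually disable the account.
        Disable-ADAccount -Identity $account.DistinguishedName -Server $server -WhatIf
    }
    ```

    Because Search-ADAccount reads lastLogonTimestamp, the same 14-day replication lag noted for that attribute applies here; a 90-day threshold leaves ample margin, but the LastLogonDate written to the log is the replicated value, not the exact last interactive logon.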