Depurar el Active Directory RRS feed

  • Pregunta

  • Buen dia,

     

    quiero depurar mi Directorio Activo

    ¿Alguien me puede decir cómo saco una lista de los usuarios que no han iniciado sesión en X cantidad de días?

     

    También, ¿cómo saco una lista de las cuentas que están bloqueadas (Locked out)?

     

     

    Saludos y gracias por sus respuestas.

    jueves, 30 de octubre de 2008 19:25

Respuestas

  • Lo puedes hacer con una consulta (query): http://support.microsoft.com/kb/555131

    O mediante scripting

    Code Snippet

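    ' Lists the distinguished names of user accounts in the current domain whose
    ' lockoutTime falls inside the domain's lockout-duration window, i.e. accounts
    ' that should still be locked out. The script only reads from the directory
    ' and from the local registry; it changes nothing.
    '
    ' NOTE(review): the window is computed from the domain-wide lockoutDuration
    ' only. If per-user or per-group password policies apply in your domain,
    ' their lockout duration is not considered here - confirm before acting on
    ' the output.
    Dim objRootDSE, strDNSDomain, objShell, lngBiasKey, lngBias, k
    Dim objDomain, objDuration, lngHigh, lngLow, lngDuration
    Dim adoCommand, adoConnection, adoRecordset
    Dim strBase, strFilter, strAttributes, strQuery
    Dim strUserDN, dtmLockOut
    Dim lngSeconds, str64Bit

    ' Retrieve the distinguished name of the default domain naming context.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")

    ' Obtain the local time zone bias (minutes) from the local machine registry.
    ' Fixed: the key name is "Control"; the original path contained a stray space
    ' ("Co ntrol"), which makes RegRead fail.
    Set objShell = CreateObject("Wscript.Shell")
    lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
        & "TimeZoneInformation\ActiveTimeBias")
    ' Default to no offset so the later DateAdd never receives an unset value.
    lngBias = 0
    If (UCase(TypeName(lngBiasKey)) = "LONG") Then
        lngBias = lngBiasKey
    ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
        ' The value came back as a byte array: rebuild the integer,
        ' least-significant byte first.
        For k = 0 To UBound(lngBiasKey)
            lngBias = lngBias + (lngBiasKey(k) * 256^k)
        Next
    End If
    Set objShell = Nothing

    ' Bind to the domain object.
    Set objDomain = GetObject("LDAP://" & strDNSDomain)

    ' Retrieve the domain lockoutDuration policy and convert it to minutes.
    ' The attribute is a 64-bit value exposed as HighPart/LowPart; the division
    ' below treats it as a negative count of 100-nanosecond intervals.
    Set objDuration = objDomain.lockoutDuration
    lngHigh = objDuration.HighPart
    lngLow = objDuration.LowPart
    ' A negative LowPart means the low 32 bits were read as a signed number;
    ' adding 1 to HighPart compensates when the two halves are recombined.
    If (lngLow < 0) Then
        lngHigh = lngHigh + 1
    End If
    lngDuration = lngHigh * (2^32) + lngLow
    lngDuration = -lngDuration/(60 * 10000000)
    Set objDomain = Nothing
    ' NOTE(review): if the policy keeps accounts locked until an administrator
    ' unlocks them, the value computed above may not be usable by DateAdd below -
    ' verify against your domain policy.

    ' Determine the lockout time in the past that would just have expired.
    ' Accounts locked out since this time would still be locked out.
    dtmLockout = DateAdd("n", -lngDuration, Now())

    ' Convert local time to UTC using the bias read above.
    dtmLockout = DateAdd("n", lngBias, dtmLockout)

    ' Find the number of seconds since 1/1/1601.
    lngSeconds = DateDiff("s", #1/1/1601#, dtmLockout)

    ' Convert to 100-nanosecond intervals by appending seven zeros. This is the
    ' equivalent Integer8 value, kept as a string for use in the LDAP filter.
    str64Bit = CStr(lngSeconds) & "0000000"

    ' Use ADO to search Active Directory.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    ' Fixed: Open is a method, not a property; the original assigned to it with "=".
    adoConnection.Open "Active Directory Provider"
    adoCommand.ActiveConnection = adoConnection

    ' Search the entire domain.
    strBase = "<LDAP://" & strDNSDomain & ">"
    ' Filter on all user objects whose lockoutTime is at or after the threshold.
    ' Fixed: the attribute names are objectClass and lockoutTime; the original
    ' filter had "objClass" and "lockoutT ime", which match no attribute.
    strFilter = "(&(objectCategory=person)(objectClass=user)(lockoutTime>=" _
        & str64Bit & "))"
    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName"
    ' Construct the LDAP syntax query: base;filter;attributes;scope.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

    ' Run the query. Page Size enables paged results so large result sets are
    ' returned in batches instead of being cut off at the server limit.
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 60
    adoCommand.Properties("Cache Results") = False

    Set adoRecordset = adoCommand.Execute

    ' Enumerate the resulting recordset, one distinguished name per line.
    Wscript.Echo "Locked out users:"
    Do Until adoRecordset.EOF
        strUserDN = adoRecordset.Fields("distinguishedName").Value
        Wscript.Echo strUserDN
        adoRecordset.MoveNext
    Loop

    ' Release the recordset and the directory connection.
    adoRecordset.Close
    adoConnection.Close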


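    El script fue obtenido del sitio de Richard Mueller, MVP de Scripting. Nota: este script solo lista las cuentas bloqueadas; no lista los usuarios que no han iniciado sesión en X días.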
    sábado, 1 de noviembre de 2008 15:43