January 8th, 2008, 09:33 PM
Auditing Active Directory
Ok guys, got a little challenge here...
Let's say you have a large company with maybe a couple, several hundred laptops and workstations. Given the following factors:
1) Some abroad connecting via VPN, some local in-house.
2) All on the same domain.
The IT dept. has been through several techs over the past few years, and many computers have been removed, renamed, replaced, or added. As a result, you have an Active Directory structure that potentially still lists among its numbers computer names that no longer actually exist.
So now you have to audit AD and figure out the following:
1) Which computer names are still active?
2) Which computer names belong to computers that no longer exist, and therefore should be deleted?
3) Which users are on which computers?
That's more or less the situation I'm facing. Obviously I can't eyeball-audit every computer since some are abroad across the hemisphere. Note that most computers in AD have usernames attached to them in the description, so the unidentified mystery computer names add up to a handful (thankfully).
So I need to figure out first, does the computer still exist, and second, who does it belong to?
January 8th, 2008, 09:50 PM
A couple of years ago, a friend of mine had the same problem. He just wrote a batch file to log the computer name and username and append it to a file on the server, added that to the login scripts for all the users, and let it run for a few weeks.
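The logon-script idea above, written out as an added example (this is not the friend's batch file and not part of the original post). It is a PowerShell logon script that appends one CSV row per logon to a per-computer file on a share, plus a function that turns the collected files into a "last seen / who uses it most" report. The share path \\SERVER\LogonAudit$ and the 30-day stale threshold are assumptions for the example.

```powershell
# Added example, not the poster's or his friend's script.
# Assumed layout: a hidden share \\SERVER\LogonAudit$ where Domain Users get
# "Create files / write data" and "Append data" on the folder only, so a client
# can add to its own file but not read or rewrite everyone else's.
$AuditDir = '\\SERVER\LogonAudit$'   # assumed share

# Part 1: assign this as a GPO user logon script (User Configuration > Windows
# Settings > Scripts > Logon). Each logon appends: timestamp, computer, user, DC.
function Write-LogonRecord {
    param([string]$Dir = $AuditDir)
    $row = [pscustomobject]@{
        When        = (Get-Date).ToString('s')          # sortable ISO-8601 local time
        Computer    = $env:COMPUTERNAME
        User        = "$env:USERDOMAIN\$env:USERNAME"
        LogonServer = $env:LOGONSERVER                   # which DC answered (LAN vs. VPN site)
    }
    # ConvertTo-Csv emits a header line first; keep only the data line ([1])
    $line = ($row | ConvertTo-Csv -NoTypeInformation)[1]
    # one file per computer avoids write contention on a single shared file
    Add-Content -Path (Join-Path $Dir "$env:COMPUTERNAME.csv") -Value $line -Encoding UTF8
}

# Part 2: run on the server after a few weeks to answer "still active?" and
# "who is on it?" per computer.
function Get-LogonSummary {
    param([string]$Dir = $AuditDir, [int]$StaleDays = 30)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $rows = Get-ChildItem -Path $Dir -Filter *.csv |
        ForEach-Object { Import-Csv -Path $_.FullName -Header When,Computer,User,LogonServer }

    $rows | Group-Object Computer | ForEach-Object {
        $last    = $_.Group | Sort-Object { [datetime]$_.When } | Select-Object -Last 1
        $topUser = $_.Group | Group-Object User | Sort-Object Count -Descending | Select-Object -First 1
        [pscustomobject]@{
            Computer    = $_.Name
            LastSeen    = [datetime]$last.When
            Logons      = $_.Count
            MainUser    = $topUser.Name
            MainUserPct = [math]::Round(100 * $topUser.Count / $_.Count)
            LastDC      = $last.LogonServer
            Stale       = ([datetime]$last.When) -lt $cutoff
        }
    }
}

# Usage on the server:
# Get-LogonSummary | Sort-Object LastSeen | Format-Table -AutoSize
# Get-LogonSummary | Export-Csv .\logon-summary.csv -NoTypeInformation
```

Two caveats worth knowing before trusting the report: a laptop that logs on with cached credentials while off the network runs the script without reaching the share, so it produces no row until it is back on the LAN or VPN, and a computer object that never appears in the summary at all is only "never seen during the collection window", which is exactly the list to hold for a while before deleting.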
January 8th, 2008, 10:10 PM
I'm reading that you can basically do the same kinda thing via Group Policy...haven't played with it yet.
Of course the above mentioned script/group policy takes potentially a few weeks of time, I'm assuming, given you have to wait until everyone eventually logs onto their computer, factoring in those off on vacation, travelling, etc.
I was thinking more down the lines of a same-day solution, a way I could just pull up info on if it's been on the network lately and who logs on it frequently, but in hindsight as I research that's obviously a bit far-fetched. We've got an Altiris server that pulls some pretty good info of that nature, but I'm finding even it is incomplete in some cases.
January 8th, 2008, 10:23 PM
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
January 8th, 2008, 11:01 PM
I decided on a plan of action that the boss agreed with -- Basically checking Altiris Deployment Server to see if it detects the unaccounted for computer names. For those it does not, I'm just marking them "unknown", then going to watch for a while to see if they crop up. If not, off they go. Basically it's just the result of some poor housekeeping here and there...there have been just a few improperly named machines or ones removed without ever nixing them from AD.
Last edited by AngelicKnight; January 8th, 2008 at 11:05 PM.
January 9th, 2008, 04:01 PM
Have you got an Anti-Virus Server that pushes out updates to clients?
If you see ones that have not been contactable in a while, start with those.
January 9th, 2008, 04:01 PM
Ooooooh good idea, I hadn't thought of that!
January 9th, 2008, 04:15 PM
Or... you could just start disabling all accounts... and when they call and whine and complain, you re-enable as needed.
How people treat you is their karma- how you react is yours-Wayne Dyer
January 9th, 2008, 09:45 PM
If you're not afraid of a small .vbs script, I'd suggest going Here
This is what I did and it works quite well for me.
Downloaded LastLogon.txt (saved it locally as LastLogon.vbs)
Opened a command prompt.
Navigated to the local directory where I saved LastLogon.vbs.
Ran this: cscript //nologo LastLogon.vbs > output.txt
(cscript is a command line tool that comes with Windows & the command syntax is on the website I gave you already)
The output.txt file appeared in same directory as LastLogon.vbs. But, I noticed it shows users in the output file, not computers. So I changed the LastLogon.vbs.
I right-clicked on LastLogon.vbs and selected Edit.
Did a find on "objectCategory="
strFilter = "(&(objectCategory=person)(objectClass=user))"
strFilter = "(&(objectCategory=computer))"
Save and rerun via the command prompt. You only have to edit the .vbs file once. From there on in, you just have to run it and it will produce that same report. Seems to work well so far. While the dates aren't entirely accurate to the day, you can still get a very good idea of which systems are stale on your LAN.
Just figured out how to make this thing even easier. Open up notepad, paste this in (from above): cscript //nologo LastLogon.vbs > output.txt and then save it as a .bat file in the same directory. done. The whole process is now a simple click and it generates a report.
Last edited by ShagDevil; January 10th, 2008 at 06:00 PM.
The object of war is not to die for your country but to make the other bastard die for his - George Patton
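The same query as the edited LastLogon.vbs, done from PowerShell with the built-in ADSI searcher so it needs no extra modules. This is an added example, not ShagDevil's script or the one on the linked site; the 90-day threshold, the column names and the Stale rule are my choices. It also explains the "dates aren't entirely accurate to the day" remark: lastLogonTimestamp is replicated to every DC but is only refreshed when the stored value is more than about 9 to 14 days old (14 days minus a random 0 to 5 days), so it can lag a real logon by up to two weeks, while lastLogon is exact but kept separately on each DC and never replicated. The block therefore reads pwdLastSet as a second signal, since a domain member changes its machine account password every 30 days by default.

```powershell
# Added example, not the original poster's code. Runs on any domain-joined box
# with the .NET DirectoryServices classes (no RSAT / ActiveDirectory module).
function Get-StaleComputers {
    param(
        [int]$StaleDays = 90,                              # assumed threshold
        # Same two filters as in the edited LastLogon.vbs; pass the first one to audit users instead.
        # '(&(objectCategory=person)(objectClass=user))'
        [string]$Filter = '(&(objectCategory=computer))'
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000      # without paging a large domain silently stops at 1000 results
    foreach ($attr in 'name','description','operatingSystem','lastLogonTimestamp',
                      'pwdLastSet','userAccountControl','distinguishedName') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties

        # Both timestamps are 64-bit FILETIME values (100 ns ticks since 1601); 0 or absent means "never".
        $llt = $null
        if ($p['lastLogonTimestamp'].Count -gt 0 -and $p['lastLogonTimestamp'][0] -gt 0) {
            $llt = [datetime]::FromFileTime($p['lastLogonTimestamp'][0])
        }
        $pls = $null
        if ($p['pwdLastSet'].Count -gt 0 -and $p['pwdLastSet'][0] -gt 0) {
            $pls = [datetime]::FromFileTime($p['pwdLastSet'][0])
        }

        $desc = ''; if ($p['description'].Count -gt 0)     { $desc = $p['description'][0] }
        $os   = ''; if ($p['operatingSystem'].Count -gt 0) { $os   = $p['operatingSystem'][0] }
        $disabled = [bool]($p['userAccountControl'][0] -band 2)   # ACCOUNTDISABLE flag

        # Stale only if BOTH signals are older than the cutoff (or missing): a logon
        # can lag up to ~14 days, a machine password change up to 30 days.
        $noLogon  = ($null -eq $llt) -or ($llt -lt $cutoff)
        $noPwdSet = ($null -eq $pls) -or ($pls -lt $cutoff)

        [pscustomobject]@{
            Name        = $p['name'][0]
            Description = $desc          # this domain keeps the owner's username here
            OS          = $os
            LastLogonTS = $llt
            PwdLastSet  = $pls
            Disabled    = $disabled
            Stale       = $noLogon -and $noPwdSet
            DN          = $p['distinguishedName'][0]
        }
    }
}

# Usage: the candidates for deletion, then the full report for the boss.
Get-StaleComputers -StaleDays 90 | Where-Object { $_.Stale -and -not $_.Disabled } |
    Sort-Object LastLogonTS | Format-Table Name, LastLogonTS, PwdLastSet, Description -AutoSize
Get-StaleComputers | Export-Csv .\computers.csv -NoTypeInformation
```

A sensible workflow from the output is to disable the Stale ones first (and move them to a holding OU), wait through a full travel and vacation cycle, and delete only what nobody has complained about, which is the gentler version of the "disable everything and wait for the phone to ring" suggestion above. On a 2008 R2 or later domain with RSAT installed, `Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 90.00:00:00` gives the same lastLogonTimestamp-based list in one line, with the same two-week lag.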
January 10th, 2008, 03:16 AM
You can try using Winfo; it's a pretty great tool, but it doesn't always work, depending on the security settings on the computer.