Auditing Active Directory

Thread: Auditing Active Directory

  1. #1

    Auditing Active Directory

    Ok guys, got a little challenge here...

    Let's say you have a large company with maybe a couple hundred, maybe several hundred, laptops and workstations. Given the following factors:

    1) Some abroad connecting via VPN, some local in-house.
    2) All on the same domain.

    The IT dept. has been through several techs over the past few years, and many computers have been removed, renamed, replaced, or added. As a result, you have an Active Directory structure that potentially still lists among its numbers computer names that no longer actually exist.

    So now you have to audit AD and figure out the following:

    1) Which computer names are still active?
    2) Which computer names belong to computers that no longer exist, and therefore should be deleted?
    3) Which users are on which computers?

    That's more or less the situation I'm facing. Obviously I can't eyeball-audit every computer since some are abroad across the hemisphere. Note that most computers in AD have usernames attached to them in the description, so the unidentified mystery computer names add up to a handful (thankfully).

    So I need to figure out first, does the computer still exist, and second, who does it belong to?

    Any thoughts?

  2. #2
    Senior Member
    Join Date
    Dec 2007
    A couple of years ago, a friend of mine had the same problem. He just wrote a batch file to log the computer name and username and append it to a file on the server, added that to the login scripts for all the users, and let it run for a few weeks.
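
    The logon-script approach above, written out as an added example (this is not the batch file from the post, and nothing here comes from the thread). It assumes a hypothetical share \\FILESERVER\LogonAudit$ that Domain Users can write to, that Write-LogonRecord (plus one call to it) is deployed as a GPO user logon script, and that Get-LogonSummary is run later from an admin box with the RSAT ActiveDirectory module. It answers all three of the original questions from the collected files: which accounts are active, which have never reported in, and who logs on where.

```powershell
# Added example (not code from the thread). Two functions: one runs at user
# logon on every workstation, the other turns the collected files into a report.
# Assumed names: \\FILESERVER\LogonAudit$ (share), Domain Users write access.

function Write-LogonRecord {
    # Runs in the user's context at logon. One file per computer, so logons on
    # different machines never fight over a single file.
    param([string]$LogDir = '\\FILESERVER\LogonAudit$')   # assumed share
    $record = [pscustomobject]@{
        Timestamp    = (Get-Date).ToString('s')       # ISO 8601, sorts as text
        ComputerName = $env:COMPUTERNAME
        UserName     = $env:USERNAME
        UserDomain   = $env:USERDOMAIN
        Session      = $env:SESSIONNAME               # 'Console' vs 'RDP-Tcp#n'
    }
    $path = Join-Path $LogDir ('{0}.csv' -f $env:COMPUTERNAME)
    try {
        $record | Export-Csv -Path $path -Append -NoTypeInformation -Encoding UTF8
    } catch {
        # VPN users can log on before the tunnel is up. Do not delay or break the
        # logon; the machine shows up the next time it can reach the share.
    }
}

function Get-LogonSummary {
    # Runs on an admin box. Joins the per-computer logs against every computer
    # object in AD so that accounts which never reported in are listed too.
    param(
        [string]$LogDir = '\\FILESERVER\LogonAudit$',   # assumed share
        [int]$StaleDays = 30
    )
    Import-Module ActiveDirectory
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $seen = @{}
    foreach ($file in Get-ChildItem -Path $LogDir -Filter '*.csv') {
        $rows = Import-Csv -Path $file.FullName
        $seen[$file.BaseName] = [pscustomobject]@{
            LastSeen = [datetime](($rows | Sort-Object Timestamp | Select-Object -Last 1).Timestamp)
            Users    = ($rows | Group-Object UserName | Sort-Object Count -Descending |
                            ForEach-Object { '{0}({1})' -f $_.Name, $_.Count }) -join ';'
        }
    }
    foreach ($c in Get-ADComputer -Filter * -Properties description) {
        $s = $seen[$c.Name]     # $null when no file exists for this account
        [pscustomobject]@{
            ComputerName = $c.Name
            Description  = $c.description
            Status       = if (-not $s) { 'never reported' }
                           elseif ($s.LastSeen -lt $cutoff) { 'stale' }
                           else { 'active' }
            LastSeen     = if ($s) { $s.LastSeen } else { $null }
            Users        = if ($s) { $s.Users } else { '' }
        }
    }
}

# Usage on the admin box after the script has been deployed for a while:
Get-LogonSummary -StaleDays 30 | Sort-Object Status, LastSeen | Format-Table -AutoSize
```

    Two caveats a practitioner would want: a user logon script only fires for interactive logons, so servers, kiosks and machines nobody logs on to will sit in "never reported" even though they exist; and the share should grant users write access only, with the admins who read it holding full control, since a user who can read or edit everyone's files can rewrite the evidence.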

  3. #3
    I'm reading that you can basically do the same kinda thing via Group Policy...haven't played with it yet.

    Of course the above mentioned script/group policy takes potentially a few weeks of time, I'm assuming, given you have to wait until everyone eventually logs onto their computer, factoring in those off on vacation, travelling, etc.

    I was thinking more along the lines of a same-day solution, a way I could just pull up info on whether it's been on the network lately and who logs on to it frequently, but in hindsight as I research that's obviously a bit far-fetched. We've got an Altiris server that pulls some pretty good info of that nature, but I'm finding even it is incomplete in some cases.

    Ah well...

  4. #4
    Priapistic Monk KorpDeath
    Join Date
    Dec 2001
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  5. #5
    Thanks guys.

    I decided on a plan of action that the boss agreed with -- basically checking Altiris Deployment Server to see if it detects the unaccounted-for computer names. For those it does not, I'm just marking them "unknown", then going to watch for a while to see if they crop up. If not, off they go. Basically it's just the result of some poor housekeeping here and there...there have been just a few improperly named machines or ones removed without ever nixing them from AD.
    Last edited by AngelicKnight; January 9th, 2008 at 12:05 AM.

  6. #6
    Senior Member WolfeTone
    Join Date
    Jun 2007
    Have you got an Anti-Virus Server that pushes out updates to clients?
    If you see ones that have not been contactable in a while, start with those.

  7. #7
    Ooooooh good idea, I hadn't thought of that!

  8. #8
    AOs Resident Troll
    Join Date
    Nov 2003
    Could just start disabling all accounts...and when they call and whine and complain, you re-enable as needed.

    How people treat you is their karma- how you react is yours-Wayne Dyer

  9. #9
    Some Assembly Required ShagDevil
    Join Date
    Nov 2002
    New Jersey
    If you're not afraid of a small .vbs script, I'd suggest going Here

    This is what I did and it works quite well for me.
    Downloaded LastLogon.txt (saved it locally as LastLogon.vbs)

    Opened a command prompt.
    Navigated to the local directory where I saved LastLogon.vbs.
    Ran this: cscript //nologo LastLogon.vbs > output.txt
    (cscript is a command line tool that comes with Windows & the command syntax is on the website I gave you already)

    The output.txt file appeared in same directory as LastLogon.vbs. But, I noticed it shows users in the output file, not computers. So I changed the LastLogon.vbs.

    I right-clicked on LastLogon.vbs, selected edit.
    Did a find on "objectCategory="

    I changed:
        strFilter = "(&(objectCategory=person)(objectClass=user))"
    to:
        strFilter = "(&(objectCategory=computer))"

    Save and rerun via the command prompt. You only have to edit the .vbs file once. From there on in, you just have to run it and it will produce that same report. Seems to work well so far. While the dates aren't entirely accurate to the day, you can still get a very good idea of which systems are stale on your LAN.

    Just figured out how to make this thing even easier. Open up notepad, paste this in (from above): cscript //nologo LastLogon.vbs > output.txt and then save it as a .bat file in the same directory. done. The whole process is now a simple click and it generates a report.
    Last edited by ShagDevil; January 10th, 2008 at 07:00 PM.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton
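
    The same stale-computer report done with the ActiveDirectory PowerShell module (RSAT), as an added example that is not the LastLogon.vbs linked above and not code from the thread. It also turns post #8's "disable them and see who complains" into a disable-first, delete-later step. Assumptions: you run it on a domain-joined admin box with RSAT, a 90-day threshold, and a hypothetical holding OU "OU=Stale Computers,DC=corp,DC=example". The comment in Get-StaleComputer explains why the dates from this kind of query are "not accurate to the day".

```powershell
# Added example (not code from the thread or the linked VBScript).
# Assumed: RSAT ActiveDirectory module; holding OU below exists.
Import-Module ActiveDirectory

function Get-StaleComputer {
    param(
        [int]$Days = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # lastLogonTimestamp is replicated to every DC, but it is only rewritten
    # when the stored value is older than msDS-LogonTimeSyncInterval (default
    # 14 days) minus a random 0-5 days. It can therefore lag the real last
    # logon by up to two weeks, which is why the dates are not exact to the day.
    # lastLogon (no "Timestamp") is exact but NOT replicated: you would have to
    # query every DC and keep the newest value. For a 90-day cutoff the
    # replicated attribute is good enough.
    $cutoff = (Get-Date).AddDays(-$Days)
    $query = @{
        Filter     = '*'
        SearchBase = $SearchBase
        Properties = 'lastLogonTimestamp', 'pwdLastSet', 'description', 'operatingSystem', 'whenCreated'
    }
    Get-ADComputer @query | ForEach-Object {
        $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        $pwdSet    = if ($_.pwdLastSet)         { [DateTime]::FromFileTime($_.pwdLastSet) }         else { $null }
        # A live machine rotates its own account password every 30 days, so a
        # fresh pwdLastSet means the box is alive even if lastLogonTimestamp lags.
        $logonStale = if ($lastLogon) { $lastLogon -lt $cutoff } else { $_.whenCreated -lt $cutoff }
        $pwdStale   = if ($pwdSet)    { $pwdSet -lt $cutoff }    else { $true }
        if ($logonStale -and $pwdStale) {
            [pscustomobject]@{
                Name            = $_.Name
                Enabled         = $_.Enabled
                Description     = $_.description
                OperatingSystem = $_.operatingSystem
                Created         = $_.whenCreated
                LastLogon       = $lastLogon
                PasswordLastSet = $pwdSet
                DN              = $_.DistinguishedName
            }
        }
    }
}

function Disable-StaleComputer {
    # Disable, record why and where it came from in the description, and park it
    # in a holding OU. Delete from that OU only after the grace period passes
    # with no complaints; until then re-enabling is a one-liner.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [string]$HoldingOU = 'OU=Stale Computers,DC=corp,DC=example',   # assumed OU
        [int]$GraceDays = 30
    )
    process {
        if ($PSCmdlet.ShouldProcess($Computer.Name, "Disable and move to $HoldingOU")) {
            $values = @((Get-Date), $Computer.LastLogon, (Get-Date).AddDays($GraceDays), $Computer.DN, $Computer.Description)
            $note = 'Disabled {0:yyyy-MM-dd} by stale audit (last logon {1:yyyy-MM-dd}); delete after {2:yyyy-MM-dd}; was in {3}; old desc: {4}' -f $values
            Set-ADComputer -Identity $Computer.DN -Enabled $false -Description $note
            Move-ADObject -Identity $Computer.DN -TargetPath $HoldingOU
        }
    }
}

# Usage: read the list first, then dry-run, then do it.
Get-StaleComputer -Days 90 | Sort-Object LastLogon |
    Format-Table Name, Enabled, LastLogon, PasswordLastSet, Description -AutoSize
# Get-StaleComputer -Days 90 | Disable-StaleComputer -WhatIf
# Get-StaleComputer -Days 90 | Disable-StaleComputer
```

    If you only want the quick list and not the password check, Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 90.00:00:00 from the same module gives it in one line, using the same lastLogonTimestamp attribute with the same two-week fuzziness.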

  10. #10
    Senior Member
    Join Date
    Oct 2003
    You can try using Winfo; it's a pretty great tool but it doesn't always work, depending on the security settings on the computer.
