If you need to know when a user who is a member of an Active Directory domain last changed their password, you can simply use the following PowerShell instructions:
- on a Windows 7 client or a Windows 2008 / Windows 2008 R2 server that is a member of the Active Directory domain the user belongs to, open a PowerShell console (the Get-ADUser cmdlet comes with the Active Directory module for Windows PowerShell, part of RSAT) and type at the prompt:
Get-ADUser 'UserName' -Properties PasswordLastSet | Format-List
- for example:
Get-ADUser 'tani.alessandro' -Properties PasswordLastSet | Format-List
In the PasswordLastSet field you will find the date of the last password change.
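The same attribute can be used for a domain-wide check. The following script is an added example, not part of the original post: it lists enabled users whose password is older than a threshold, or was never set, and flags accounts exempt from expiry. It assumes the Active Directory module (RSAT) is installed; the 90-day default is the example's choice, not a value from the post.

```powershell
# Added example (not from the original post): report enabled users whose password
# is older than a threshold. Uses the same PasswordLastSet attribute shown above.
# Assumes the ActiveDirectory module (RSAT) is available; MaxAgeDays is arbitrary.
Import-Module ActiveDirectory

function Get-OldPasswordReport {
    param([int]$MaxAgeDays = 90)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
        ForEach-Object {
            $state = if ($null -eq $_.PasswordLastSet) {
                         # pwdLastSet = 0: password never set, or "must change at next logon"
                         'NeverSetOrMustChange'
                     } elseif ($_.PasswordLastSet -lt $cutoff) {
                         'OlderThanThreshold'
                     } else {
                         'Ok'
                     }
            $ageDays = if ($_.PasswordLastSet) {
                           [int]((Get-Date) - $_.PasswordLastSet).TotalDays
                       } else { $null }
            [PSCustomObject]@{
                User                 = $_.SamAccountName
                PasswordLastSet      = $_.PasswordLastSet
                PasswordAgeDays      = $ageDays
                # Accounts with this flag are never forced to rotate by domain policy,
                # so they are listed even when the password is recent.
                PasswordNeverExpires = $_.PasswordNeverExpires
                State                = $state
            }
        } |
        Where-Object { $_.State -ne 'Ok' -or $_.PasswordNeverExpires } |
        Sort-Object PasswordAgeDays -Descending
}

Get-OldPasswordReport -MaxAgeDays 90 | Format-Table -AutoSize
```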
A computer is not always removed from Active Directory when it is decommissioned. As a result, after a while the contents of Active Directory no longer reflect the actual state of the company. To find inactive computers that are still present in Active Directory, you can use several techniques.
If the Active Directory domain functional level is Windows 2003 or higher, you can use the command dsquery.exe. This command is present on all Domain Controllers and on all Windows 7 workstations.
The following query will locate all inactive computers in the current forest:
dsquery computer forestroot -inactive <NumWeeks>
Where <NumWeeks> is the number of weeks of inactivity (e.g. 84 days = 12 weeks, 175 days = 25 weeks).
You can also use domainroot together with the -d option to query a specific domain:
dsquery computer domainroot -d <DomainName> -inactive <NumWeeks>
dsquery computer domainroot -d homeworks.it -inactive 25
You can also target the query at a specific container (e.g. ou=MyComputers,dc=homeworks,dc=it):
dsquery computer ou=MyComputers,dc=homeworks,dc=it -inactive <NumWeeks>
All the dsquery.exe commands cited above should be run from the Command Prompt of a workstation that is a member of the Active Directory domain. The user running the command must be at least a member of the Domain Users group in Active Directory.
If the domain functional level of Active Directory is lower than Windows 2003, you can use the command OldCmp.exe, written by Joeware. By default, OldCmp.exe searches for workstations that have not connected to the Active Directory domain for more than 90 days.
To get the list of workstations that have not connected to the domain for more than 90 days in HTML format, just run the following command (the list is sorted by computer name):
oldcmp -report -sort cn
To get the same list in CSV format, run the command:
oldcmp -report -format csv -sort cn
To get the list of workstations that have not connected to the domain for more than 180 days, run the command:
oldcmp -report -age 180 -sort cn
All the OldCmp.exe commands cited above should be run from the Command Prompt of a computer that is a member of the Active Directory domain. The user running the command must be at least a member of the Domain Users group in Active Directory.
In Active Directory domains whose functional level is Windows 2003 or later, the lastLogonTimestamp attribute records when a computer last authenticated to the domain. The lastLogonTimestamp attribute is replicated among all Domain Controllers. To check whether lastLogonTimestamp is consistent across all Domain Controllers in the domain, you can run the command:
repadmin /showattr * <Distinguish_Name_of_Active_Directory_Domain> /subtree /filter:"((&(lastLogontimeStamp=*)(objectClass=computer)))" /attrs:lastLogontimeStamp > lastLogontimeStamp.txt
repadmin /showattr * dc=homeworks,dc=it /subtree /filter:"((&(lastLogontimeStamp=*)(objectClass=computer)))" /attrs:lastLogontimeStamp > lastLogontimeStamp.txt
By opening the file lastLogontimeStamp.txt you can see whether the lastLogonTimestamp attribute is consistent across all Domain Controllers: the file lists, for each computer, the lastLogonTimestamp value recorded on each Domain Controller.
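The dsquery -inactive search and the repadmin consistency check above can be combined in one PowerShell report. The script below is an added example, not part of the original post: it reads lastLogonTimestamp from every Domain Controller directly, converts the FILETIME value to a date, and reports computers inactive for more than a number of weeks together with any computer whose value differs between DCs by more than the attribute's normal update tolerance. It assumes the Active Directory module (RSAT) and PowerShell 3.0 or later; the 14-day tolerance reflects how the attribute is updated and the week count is the example's choice.

```powershell
# Added example (not from the original post): stale computer report that queries
# each Domain Controller separately, so replication gaps become visible.
# Assumes the ActiveDirectory module; the 14-day tolerance is the example's choice.
Import-Module ActiveDirectory

function Get-StaleComputerReport {
    param(
        [int]$Weeks = 12,          # same meaning as dsquery's -inactive <NumWeeks>
        [int]$ToleranceDays = 14   # lastLogonTimestamp is rewritten only when older than
                                   # roughly 14 days, so DCs may legitimately differ by this much
    )
    $cutoff  = (Get-Date).ToUniversalTime().AddDays(-7 * $Weeks)
    $dcs     = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $perHost = @{}   # computer name -> hashtable of DC -> DateTime (UTC)

    foreach ($dc in $dcs) {
        # Ask each DC directly; the attribute is replicated but not identical everywhere.
        Get-ADComputer -Server $dc -LDAPFilter '(lastLogonTimestamp=*)' -Properties lastLogonTimestamp |
            ForEach-Object {
                if (-not $perHost.ContainsKey($_.Name)) { $perHost[$_.Name] = @{} }
                # lastLogonTimestamp is a FILETIME: 100-ns ticks since 1601-01-01 UTC
                $perHost[$_.Name][$dc] = [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)
            }
    }

    foreach ($name in ($perHost.Keys | Sort-Object)) {
        $sorted = @($perHost[$name].Values | Sort-Object)
        $oldest = $sorted[0]
        $newest = $sorted[-1]
        [PSCustomObject]@{
            Computer      = $name
            LastLogonUtc  = $newest                      # trust the newest value across DCs
            Inactive      = ($newest -lt $cutoff)
            # A spread beyond the tolerance points at a replication problem worth chasing
            ReplicationOk = (($newest - $oldest).TotalDays -le $ToleranceDays)
            DCsReporting  = $perHost[$name].Count
        }
    }
}

# Same question as "dsquery computer domainroot -inactive 25", plus the consistency check
Get-StaleComputerReport -Weeks 25 |
    Where-Object { $_.Inactive -or -not $_.ReplicationOk } |
    Format-Table -AutoSize
```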
For more information, read Ned Pyle's post “The LastLogonTimeStamp Attribute” – What it was designed for and how it works.
To learn how to raise the functional level of an Active Directory domain, see Microsoft Knowledge Base article KB322692.
Printer management has always placed a certain burden on system administrators. With the advent of Windows 2000 and Active Directory, however, it has become a bit more comfortable. In this first part we look at how to name a printer and how to fill in the Location field.
By network printer we mean any printer that meets at least one of the following two conditions:
- the printer has a network adapter and the printer is assigned an IP address (possibly static or reserved via DHCP);
- two or more workstations can print, more or less simultaneously, on the same printer.
In this post we will consider only network printers and workstations that belong to an Active Directory domain. The first question is: what name should you give a network printer? I believe that when naming a network printer you should follow these golden rules:
- do not use names longer than eight characters;
- use only alphanumeric characters;
- do not include in the printer name parts that can change over time, e.g. office acronyms or room numbers;
- match the printer name with the shared name of the printer queue.
For example, for an HP LaserJet 2100DN a good printer name could be HPLJ01, where the first two letters are an acronym of the printer manufacturer (Hewlett-Packard), the next two are an acronym of the printer type (LaserJet) and the last two digits are a sequence number (01). Following this rule, the HP Color LaserJet CP1815NI will be called HPLJ02.
Once you have chosen the name for a printer, it is a good idea to put a label on the printer showing the printer name and, if the printer has a network card, its IP address.
The second issue I want to address is: where are my printers? This is an extremely important point! To learn how to fill in the Location field you should read the Microsoft document Best Practices for Deploying Printer Location with Active Directory. A value for the Location field could be the following: Italy/ReggioEmilia/ViaBrigataReggio/HQ/FirstFloor/Room112, where Italy is the country where the printer is located, ReggioEmilia is the name of the city (Reggio Emilia), ViaBrigataReggio is the street address of the headquarters, HQ is the headquarters building where the printer is located, FirstFloor indicates that the printer is in a room on the first floor, and Room112 indicates that the printer is in room number 112.
In the second part of this post series, I will explain how to use the Location field to improve the search for printers in Active Directory.
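The naming rules and the Location format above can be checked automatically on a print server. The script below is an added example, not part of the original post: it audits every shared queue on a print server against the checkable rules (length, alphanumeric characters, name equal to share name, Location in the slash-separated hierarchy). It assumes Windows 8 / Windows Server 2012 or later, where Get-Printer is available; the server name is constructed for the example, and the rule about names containing changeable parts cannot be checked mechanically.

```powershell
# Added example (not from the original post): audit printer queues against the
# naming rules of the post. Assumes Get-Printer (PrintManagement module, Windows 8 /
# Server 2012 or later); the print server name below is constructed.
Import-Module PrintManagement

function Test-PrinterNaming {
    param([string]$PrintServer = 'galileo.homeworks.it')   # constructed example name

    Get-Printer -ComputerName $PrintServer |
        Where-Object { $_.Shared } |
        ForEach-Object {
            $problems = @()
            # Rule 1: no more than eight characters
            if ($_.Name.Length -gt 8) { $problems += 'name longer than 8 characters' }
            # Rule 2: alphanumeric characters only
            if ($_.Name -notmatch '^[A-Za-z0-9]+$') { $problems += 'non-alphanumeric characters in name' }
            # Rule 4: printer name equal to the share name of the queue
            if ($_.Name -ne $_.ShareName) { $problems += "share name '$($_.ShareName)' differs from printer name" }
            # Location: Country/City/Street/Building/Floor/Room, one alphanumeric token per level
            if ($_.Location -notmatch '^[A-Za-z0-9]+(/[A-Za-z0-9]+){5}$') {
                $problems += 'Location not in Country/City/Street/Building/Floor/Room form'
            }
            # Rule 3 (no office acronyms or room numbers in the name) needs a human review.
            [PSCustomObject]@{
                Printer  = $_.Name
                Share    = $_.ShareName
                Location = $_.Location
                Problems = ($problems -join '; ')
            }
        } |
        Where-Object { $_.Problems }
}

Test-PrinterNaming | Format-Table -AutoSize
```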
Microsoft Knowledge Base article number 281308, in the revision of December 4, 2008, reads:
The registry key that is mentioned in the “Resolution” section is supported in Windows Server 2008. However, it works only for Server Message Block (SMB) version 1. It does not work for SMB version 2, also known as CIFS (Common Internet File System). By default, CIFS is the file sharing protocol that is used on Windows-based computers. Windows includes an SMB client component (Client for Microsoft Windows) and an SMB server component (File and Printer Sharing for Microsoft Windows). Windows Server 2008 and Windows Vista support the new SMB 2.0.
At first reading it appears that the workaround proposed in KB281308 does not apply to Windows 2008/Vista/7 … In the same KB281308, as updated on September 28, 2009, we read instead:
The registry key that is mentioned in the “Resolution” section is applicable only to SMB 1.0. To communicate over the SMB2.0 protocol, or CIFS (Common Internet File System), you do not have to set the registry key. SMB 2.0 allows for the functionality described in this article to work by default without additional configuration. Computers that run Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7 support both SMB 1.0 and SMB 2.0. Windows includes an SMB client component (Client for Microsoft Windows) and an SMB server component (File and Printer Sharing for Microsoft Windows). By default, SMB 2.0 is the file sharing protocol that is used when both client and server support it.
Quite a different story … If you have a Windows Server 2008 with hostname (NetBIOS name) Galileo (FQDN galileo.homeworks.it) that has a shared resource called Saturn, and instead of the UNC path \\Galileo\Saturn you would like to use the UNC path \\Newton\Saturn, where Newton (newton.homeworks.it) is a DNS alias (CNAME) for Galileo, then you need to follow this recipe:
- for clients with Windows 2008/Vista/7: create the DNS alias (CNAME) Newton (newton.homeworks.it) pointing to the server Galileo (galileo.homeworks.it);
- for clients with Windows 2000/2003/XP:
  - create the DNS alias (CNAME) Newton (newton.homeworks.it) pointing to the server Galileo (galileo.homeworks.it);
  - connect to the server Galileo with the credentials of a user with administrative rights on the server;
  - start Registry Editor (Regedt32.exe);
  - locate and click the following key in the registry: HKEY_LOCAL_MACHINE\System
  - on the Edit menu, click Add Value, and then add the following registry value:
    Value name: DisableStrictNameChecking
    Data type: REG_DWORD
  - quit Registry Editor;
  - restart the server Galileo.
Once the server Galileo has restarted, run the following commands from a Command Prompt on Galileo:
setspn -a host/newton galileo
setspn -a host/newton.homeworks.it galileo
Or, more generally:
setspn -a host/<CNAME_Server> <NetBIOS_Name_Server>
setspn -a host/<CNAME_FQDN_Server> <NetBIOS_Name_Server>
Now you can access the shared resource (SMB share) Saturn either through the UNC path \\Galileo\Saturn or through the UNC path \\Newton\Saturn.
This recipe works for Windows 2000/2003/2003 R2 (Windows 2000 must have Service Pack 4 installed) and Windows 2008/2008 R2. Note that setspn.exe is not pre-installed on Windows 2003 R2; it is part of the Windows 2003 Support Tools.
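The server-side part of the recipe (registry value and SPN registration) can be scripted. The following is an added example, not part of the original post: it verifies that the CNAME already resolves to the server before touching anything, sets the registry value, and registers the two HOST SPNs while refusing duplicates, since a duplicate SPN breaks Kerberos for both names. It assumes it runs elevated on Galileo with setspn.exe available, uses the full registry path and the value 1 as documented in KB281308, and uses the -S switch of the Windows 2008 setspn instead of -a because -S checks for duplicates first.

```powershell
# Added example (not from the original post): apply the alias recipe on the server.
# Assumptions: runs elevated on Galileo; setspn.exe present (Windows 2008 version, which
# has -S); registry path and value 1 as in KB281308; names are those used in the post.
function Enable-SmbServerAlias {
    param(
        [string]$Alias     = 'newton',
        [string]$AliasFqdn = 'newton.homeworks.it',
        [string]$Server    = 'galileo'      # NetBIOS name of the server's computer account
    )

    # 1. The CNAME must already exist and point at this server (done by the DNS admin).
    #    The resolver follows the CNAME and returns the canonical (A record) name.
    $target = [System.Net.Dns]::GetHostEntry($AliasFqdn).HostName
    if ($target -notlike "$Server.*") {
        throw "$AliasFqdn resolves to '$target', not to $Server; create the CNAME first"
    }

    # 2. Relax strict name checking so the SMB 1.0 server also answers to the alias
    #    (needed only for Windows 2000/2003/XP clients; SMB 2.0 clients work without it).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name DisableStrictNameChecking -Value 1 -Type DWord

    # 3. Register Kerberos SPNs for the alias on the server's computer account.
    #    -S refuses to add an SPN that already exists somewhere in the forest.
    foreach ($spn in "host/$Alias", "host/$AliasFqdn") {
        & setspn.exe -S $spn $Server
        if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn (duplicate SPN?)" }
    }

    # 4. Show the SPNs now registered; the registry change still needs a restart of the
    #    server (or of the Server service) before it takes effect.
    & setspn.exe -L $Server
}

Enable-SmbServerAlias
# After the restart, from any domain client:  Test-Path \\newton\Saturn
```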