Archive

Posts Tagged ‘Active Directory’

How to get the last password change for a user in Active Directory

If you need to know when a user in an Active Directory domain last changed their password, you can use the following PowerShell instructions:

  • on a Windows 7 client or a Windows Server 2008/2008 R2 server that is a member of the Active Directory domain the user belongs to (on Windows 7 the ActiveDirectory module comes with the Remote Server Administration Tools), open a PowerShell console and at the prompt type:

Import-Module ActiveDirectory
Get-ADUser 'UserName' -Properties PasswordLastSet | Format-List

  • for example:

Import-Module ActiveDirectory
Get-ADUser 'tani.alessandro' -Properties PasswordLastSet | Format-List

The PasswordLastSet field holds the date of the last password change. If the user is flagged "must change password at next logon", the underlying pwdLastSet attribute is 0 and PasswordLastSet is empty.
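The one-liner above answers "when", but the practical questions are usually whether the password must be changed at next logon and when it expires. The following script is an added example, not code from the original post: it asks the Domain Controller for the constructed attribute msDS-UserPasswordExpiryTimeComputed, which already takes the default domain policy or any fine-grained password policy (PSO) applying to the user into account. It assumes the ActiveDirectory module in a domain-joined session; the user name is the placeholder from the post.

```powershell
# Added example (not from the original post): password age and expiry report for one user.
# Assumes the ActiveDirectory module (RSAT) in a domain-joined session.
Import-Module ActiveDirectory

function Get-PasswordAgeReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # msDS-UserPasswordExpiryTimeComputed is a constructed attribute: the DC evaluates the
    # resultant password policy (domain default or PSO) for us, so no manual MaxPasswordAge math.
    $props = 'PasswordLastSet', 'pwdLastSet', 'PasswordNeverExpires', 'PasswordExpired',
             'msDS-UserPasswordExpiryTimeComputed'
    $user = Get-ADUser -Identity $SamAccountName -Properties $props

    # pwdLastSet = 0 means "user must change password at next logon"; PasswordLastSet is then empty
    $mustChange = ($user.pwdLastSet -eq 0)

    # Expiry is a FILETIME (UTC). 0 = must change now, [Int64]::MaxValue = never expires.
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    $expires = $null
    if ($raw -and $raw -ne 0 -and $raw -ne [Int64]::MaxValue) {
        $expires = [datetime]::FromFileTime($raw)
    }

    [pscustomobject]@{
        User                  = $user.SamAccountName
        PasswordLastSet       = $user.PasswordLastSet
        PasswordAgeDays       = if ($user.PasswordLastSet) { [int]((Get-Date) - $user.PasswordLastSet).TotalDays } else { $null }
        MustChangeAtNextLogon = $mustChange
        PasswordNeverExpires  = $user.PasswordNeverExpires
        PasswordExpired       = $user.PasswordExpired
        ExpiresOn             = $expires
    }
}

Get-PasswordAgeReport -SamAccountName 'tani.alessandro' | Format-List
```

Reading the constructed attribute is preferable to adding MaxPasswordAge from Get-ADDefaultDomainPasswordPolicy to PasswordLastSet yourself, because that calculation silently ignores fine-grained password policies.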

Finding Inactive or Unused Computers

A computer is not always removed from Active Directory when it is decommissioned. As a result, after some time the contents of Active Directory no longer match the real state of the company. To find inactive computers that are still present in Active Directory, you can use several techniques.

If the functional level is Windows Server 2003 or higher (so that the lastLogonTimestamp attribute is available), you can use the command dsquery.exe. This command is present on all Domain Controllers, and on Windows 7 workstations that have the Remote Server Administration Tools installed.

The following query will locate all inactive computers in the current forest:

dsquery computer forestroot -inactive <NumWeeks>

Where <NumWeeks> is the number of weeks of inactivity (e.g. 84 days = 12 weeks, 175 days = 25 weeks).

You can also use domainroot in combination with the -d option to query a specific domain:

dsquery computer domainroot -d <DomainName> -inactive <NumWeeks>

for example:

dsquery computer domainroot -d homeworks.it -inactive 25

You can also target a specific container (e.g. ou=MyComputers,dc=homeworks,dc=it):

dsquery computer ou=MyComputers,dc=homeworks,dc=it -inactive <NumWeeks>

All the dsquery.exe commands cited should be run from the Command Prompt of a workstation that is a member of the Active Directory domain. The user running the command only needs to be a member of the Domain Users group, since reading these attributes requires no special rights.

If the domain functional level is not Windows Server 2003 or higher, you can use the command OldCmp.exe written by Joeware. By default OldCmp.exe looks for computer accounts that have not connected to the Active Directory domain for more than 90 days, judging by the age of the computer account password (pwdLastSet), which does not depend on the functional level.

To get, in HTML format, the list of computers that have not connected to the domain for more than 90 days, just run (the list is sorted by computer name):

oldcmp -report -sort cn

To get the same list in CSV format, run:

oldcmp -report -format csv -sort cn

To get the list of computers that have not connected to the domain for more than 180 days, run:

oldcmp -report -age 180 -sort cn

All the OldCmp.exe commands cited should be run from the Command Prompt of a machine that is a member of the Active Directory domain. The user running the command only needs to be a member of the Domain Users group.

In Active Directory domains whose functional level is Windows Server 2003 or later, the lastLogonTimestamp attribute records when a computer (or user) last authenticated. Unlike lastLogon, which each Domain Controller keeps for itself and never replicates, lastLogonTimestamp is replicated to all Domain Controllers; to keep replication traffic low it is only rewritten when the stored value is more than 14 days (minus a random 0 to 5 days) old, so it can lag the real last logon by up to about two weeks. To check whether lastLogonTimestamp is aligned on all Domain Controllers in the domain, you can run:

repadmin /showattr * <Distinguished_Name_of_Active_Directory_Domain> /subtree /filter:"(&(lastLogonTimestamp=*)(objectClass=computer))" /attrs:lastLogonTimestamp > lastLogonTimestamp.txt

For example:

repadmin /showattr * dc=homeworks,dc=it /subtree /filter:"(&(lastLogonTimestamp=*)(objectClass=computer))" /attrs:lastLogonTimestamp > lastLogonTimestamp.txt

By opening the file lastLogonTimestamp.txt you can see whether lastLogonTimestamp is aligned on all Domain Controllers: the asterisk in the command queries every Domain Controller, so for each computer the file lists the value of the attribute as recorded on each of them.

For more information, read Ned Pyle's post "The LastLogonTimeStamp Attribute" – What it was designed for and how it works.

To learn how to raise the functional level of an Active Directory domain, see Microsoft Knowledge Base article KB322692.
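The dsquery -inactive query and the repadmin alignment check above both rest on lastLogonTimestamp, which by design can be two weeks behind. The following script is an added example, not code from the original post, and serves both steps: it selects stale candidates by lastLogonTimestamp like dsquery does, then confirms each one by reading the non-replicated lastLogon from every Domain Controller (the same per-DC view the repadmin output gives you) and by looking at the computer's own password age, which a live machine rotates every 30 days by default. It assumes the ActiveDirectory module in a domain-joined session; the threshold and the output path are placeholders.

```powershell
# Added example (not from the original post): stale computer accounts, cross-checked against
# every Domain Controller. Assumes the ActiveDirectory module (RSAT) in a domain-joined session.
Import-Module ActiveDirectory

function Get-StaleComputer {
    param(
        [int]$InactiveWeeks = 25,                                   # same unit as dsquery -inactive
        [string]$SearchBase = (Get-ADDomain).DistinguishedName      # or an OU, as with dsquery
    )
    $cutoff = (Get-Date).AddDays(-7 * $InactiveWeeks)
    $cutoffFileTime = $cutoff.ToFileTime()   # the attributes are FILETIME Int64, so compare server-side
    $dcs = (Get-ADDomainController -Filter *).HostName

    # Candidates: lastLogonTimestamp older than the cutoff, or never set at all
    $filter = "lastLogonTimestamp -lt $cutoffFileTime -or lastLogonTimestamp -notlike '*'"
    Get-ADComputer -SearchBase $SearchBase -Filter $filter -Properties lastLogonTimestamp, pwdLastSet, whenCreated, OperatingSystem |
      ForEach-Object {
        $computer = $_
        $llts = if ($computer.lastLogonTimestamp) { [datetime]::FromFileTime($computer.lastLogonTimestamp) } else { $null }
        $pwd  = if ($computer.pwdLastSet)         { [datetime]::FromFileTime($computer.pwdLastSet) }         else { $null }

        # Newly joined computers that have not logged on yet are not stale
        if (-not $llts -and $computer.whenCreated -gt $cutoff) { return }

        # lastLogon is kept per DC and never replicated: take the newest value across all DCs
        $lastLogon = $null
        foreach ($dc in $dcs) {
            try {
                $v = (Get-ADComputer -Identity $computer.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
                if ($v -and (-not $lastLogon -or $v -gt $lastLogon)) { $lastLogon = $v }
            } catch { Write-Warning "Could not query $dc for $($computer.Name): $_" }
        }
        $lastLogonDate = if ($lastLogon) { [datetime]::FromFileTime($lastLogon) } else { $null }

        # A recent logon on any DC, or a recent machine password change, means the computer is alive
        if (($lastLogonDate -and $lastLogonDate -gt $cutoff) -or ($pwd -and $pwd -gt $cutoff)) { return }

        [pscustomobject]@{
            Name               = $computer.Name
            Enabled            = $computer.Enabled
            OperatingSystem    = $computer.OperatingSystem
            LastLogonTimestamp = $llts
            LastLogonAnyDC     = $lastLogonDate
            PasswordLastSet    = $pwd
            Created            = $computer.whenCreated
            DistinguishedName  = $computer.DistinguishedName
        }
      } | Sort-Object Name
}

# Equivalent threshold to "dsquery computer domainroot -inactive 25"
Get-StaleComputer -InactiveWeeks 25 | Export-Csv -Path .\stale-computers.csv -NoTypeInformation
```

If you only want the dsquery equivalent without the per-DC confirmation, Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 175.00:00:00 does that in one line, with the same lastLogonTimestamp lag. Whatever the list says, disable the accounts first and delete them only after a grace period: a computer that has been offline for months (a cold-spare laptop, a lab machine) still has a valid account and will fail to log on once it is deleted.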

How to manage printers – Part I

Printer management has always placed a certain burden on system administrators, but with the advent of Windows 2000 and Active Directory it has become a bit more comfortable. In this first part we look at how to name a printer and how to fill in the Location field.

By network printer we mean any printer that meets at least one of the following two conditions:

  • the printer has a network adapter and is assigned an IP address (preferably static, or reserved via DHCP);
  • two or more workstations can print, more or less simultaneously, on the same printer.

In this post we consider only network printers and workstations that belong to an Active Directory domain. The first question is: what name should you give a network printer? I believe that when naming a network printer you should follow these golden rules:

  • do not use names longer than eight characters;
  • use only alphanumeric characters;
  • do not put into the printer name anything that can change over time, e.g. an office acronym or a room number;
  • make the printer name match the share name of the printer queue.

For example, for an HP LaserJet 2100DN a good printer name could be HPLJ01, where the first two letters are an acronym of the manufacturer (Hewlett-Packard), the next two an acronym of the printer type (LaserJet) and the last two digits a sequence number (01). Following this rule, the HP Color LaserJet CP1815NI will be called HPLJ02.

Once you have chosen the name, it is a good idea to put a label on the printer with the printer name and, if the printer has a network card, its IP address.

The second issue I want to address is: where are my printers? This is an extremely important point! To learn how to fill in the Location field you should read the Microsoft document Best Practices for Deploying Printer Location with Active Directory. A value for the Location field could be: Italy/ReggioEmilia/ViaBrigataReggio/HQ/FirstFloor/Room112, where Italy is the country where the printer is located, ReggioEmilia the city (Reggio Emilia), ViaBrigataReggio the street address of the headquarters, HQ the building (Headquarters), FirstFloor the floor the printer is on and Room112 the room (number 112):

Printer Name and Location

In the second part of this series I will explain how to use the Location field to improve printer search in Active Directory.

Connecting to SMB share with an alias name (CNAME)

In Microsoft Knowledge Base article 281308, dated December 4, 2008, it is written:

The registry key that is mentioned in the "Resolution" section is supported in Windows Server 2008. However, it works only for Server Message Block (SMB) version 1. It does not work for SMB version 2, also known as CIFS (Common Internet File System). By default, CIFS is the file sharing protocol that is used on Windows-based computers. Windows includes an SMB client component (Client for Microsoft Windows) and an SMB server component (File and Printer Sharing for Microsoft Windows). Windows Server 2008 and Windows Vista support the new SMB 2.0.

At first reading it seems that the suggestion in KB281308 does not apply to Windows 2008/Vista/7 ... But in the same KB281308, updated on September 28, 2009, we read instead:

The registry key that is mentioned in the “Resolution” section is applicable only to SMB 1.0. To communicate over the SMB2.0 protocol, or CIFS (Common Internet File System), you do not have to set the registry key. SMB 2.0 allows for the functionality described in this article to work by default without additional configuration. Computers that run Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7 support both SMB 1.0 and SMB 2.0. Windows includes an SMB client component (Client for Microsoft Windows) and an SMB server component (File and Printer Sharing for Microsoft Windows). By default, SMB 2.0 is the file sharing protocol that is used when both client and server support it.

A completely different story ... If you have a Windows Server 2008 with hostname (NetBIOS name) Galileo (galileo.homeworks.it as FQDN) that has a shared resource called Saturn, and instead of the UNC path \\Galileo\Saturn you would like to use the UNC path \\Newton\Saturn, where Newton (newton.homeworks.it) is a DNS alias (CNAME) for Galileo, then follow this recipe:

  • for clients with Windows 2008/Vista/7: create the DNS alias (CNAME) Newton (newton.homeworks.it) pointing to the server Galileo (galileo.homeworks.it);
  • for clients with Windows 2000/2003/XP:
    • create the DNS alias (CNAME) Newton (newton.homeworks.it) pointing to the server Galileo (galileo.homeworks.it);
    • log on to the server Galileo with the credentials of a user with administrative rights on the server;
    • start Registry Editor (Regedt32.exe);
    • locate and click the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
    • on the Edit menu, click Add Value, and then add the following registry value:
      Value name: DisableStrictNameChecking
      Data type: REG_DWORD
      Radix: Decimal
      Value: 1
    • quit Registry Editor;
    • restart the server Galileo.

Once Galileo has restarted, run the following commands from the Command Prompt of Galileo. They register HOST service principal names for the alias on Galileo's computer account, so that clients can obtain a Kerberos ticket for the alias name; without them the ticket request for cifs/newton fails and the client falls back to NTLM:

setspn -a host/newton galileo
setspn -a host/newton.homeworks.it galileo

Or more generally:

setspn -a host/<CNAME_Server> <NetBIOS_Name_Server>
setspn -a host/<CNAME_FQDN_Server> <NetBIOS_Name_Server>

On Windows Server 2008 and later prefer setspn -s to setspn -a: -s first checks that the SPN is not already registered on another account in the forest, because a duplicate SPN breaks Kerberos authentication for both accounts.

Now, to access the shared resource (SMB share) Saturn, you can use either the UNC path \\Galileo\Saturn or the UNC path \\Newton\Saturn.

This recipe works for Windows 2000/2003/2003 R2 (Windows 2000 needs Service Pack 4 installed) and Windows 2008/2008 R2. Note that setspn.exe is not pre-installed on Windows 2003/2003 R2; it is part of the Windows Server 2003 Support Tools.
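The recipe above as one script run on the file server, added here as an example and not code from the original post. Server, alias and zone names are the post's placeholders; the DNS server name is an assumption. It uses dnscmd.exe and setspn.exe, both available on Windows Server 2008, and checks for an existing SPN before registering one so that a duplicate is reported rather than created.

```powershell
# Added example (not from the original post): DNS alias + SMB alias recipe, run on the file server.
$server    = 'galileo'
$alias     = 'newton'
$zone      = 'homeworks.it'
$dnsServer = 'dc01.homeworks.it'   # assumed name of a DNS server hosting the zone

# 1. CNAME newton.homeworks.it -> galileo.homeworks.it
#    (on Windows Server 2012 and later Add-DnsServerResourceRecordCName does the same)
dnscmd $dnsServer /RecordAdd $zone $alias CNAME "$server.$zone."

# 2. Only needed for SMB 1.0 clients (Windows 2000/XP/2003): relax the server's strict name check.
#    The Server service reads this value at start, so the server must be restarted afterwards.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
New-ItemProperty -Path $key -Name DisableStrictNameChecking -PropertyType DWord -Value 1 -Force | Out-Null

# 3. HOST SPNs for the alias on Galileo's computer account, so clients get a Kerberos ticket for
#    cifs/newton instead of falling back to NTLM. An SPN registered on two accounts breaks Kerberos
#    for both, so query first and use setspn -S, which itself refuses to create a duplicate.
foreach ($spn in "host/$alias", "host/$alias.$zone") {
    $q = setspn -Q $spn
    if ($q -match 'Existing SPN found') {
        Write-Warning "$spn is already registered elsewhere, not adding it:`n$($q -join "`n")"
        continue
    }
    setspn -S $spn $server
}
setspn -L $server   # list the SPNs now registered on Galileo

# 4. After the restart, verify from a client (not from Galileo itself, where loopback
#    access by an alias name is blocked by default):  Test-Path \\newton\Saturn
```

Run the client test with a domain account and check the logon event on Galileo (or klist on the client) to confirm the session used Kerberos: if the SPN step was skipped or misapplied, the share still opens but the connection has silently fallen back to NTLM.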

Active Directory TombStone Lifetime

Interesting article by Joeware on how to discover the default value of the Active Directory tombstoneLifetime: http://blog.joeware.net/2010/02/05/1896/