Monday, April 27, 2009

Windows Server 2003 allows old passwords for 60 minutes

Took me forever to find this again.

http://support.microsoft.com/kb/906305

Originally I had a software vendor clue me in to this registry key. It's the reason why, after you change your password, your old one still works for 60 minutes.

Tuesday, January 20, 2009

Find Stale computer accounts in Active Directory


So it's inevitable that if you run Active Directory long enough, you will have "stale" accounts. Stale accounts are accounts that no one is using anymore, be it because the user is no longer employed, it was a shared account that no one uses anymore, or people just forgot the account is there. Yes, yes, you should have good practices in place to prevent this kind of account stagnation, but it happens.

The easiest way to find accounts is to use DSQuery:

dsquery user domainroot -name * -inactive 18

This displays the distinguished names of all users, in the current domain only, who have been inactive for 120 days (17+ weeks rounded to 18 weeks) or more.


But what about computer accounts?

dsquery computer -inactive 8 -limit 0

This searches for computers that have been inactive (stale) for the number of weeks that you specify (in this case 8 weeks). The -limit 0 switch displays all entries (the default limit is 100).
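To show what an "inactive for N weeks" test has to account for, here is an added example (not from the original post or from the dsquery tool) that applies the same 8-week cutoff to an exported account list. It assumes staleness is judged from the replicated lastLogonTimestamp attribute, which can lag the real last logon by up to about 14 days, and it also consults pwdLastSet; the CSV layout, account names and dates are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lastLogonTimestamp is only rewritten when the stored value is already about
# 9-14 days old (default sync interval), so the real last logon may be later.
REPLICATION_SLACK = timedelta(days=14)

def from_filetime(value):
    """AD stores times as 100 ns ticks since 1601-01-01 UTC; 0 or empty = never set."""
    ticks = int(value or 0)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks else None

def to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def find_stale(csv_text, weeks, now):
    """Return (dn, latest_possible_activity) for accounts idle at least `weeks`."""
    cutoff = now - timedelta(weeks=weeks)
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        logon = from_filetime(row["lastLogonTimestamp"])
        pwd = from_filetime(row["pwdLastSet"])
        # Latest moment the account could still have been in use.
        signs = [t for t in (logon and logon + REPLICATION_SLACK, pwd) if t]
        latest = max(signs, default=None)
        if latest is None or latest < cutoff:
            stale.append((row["dn"], latest))
    return stale

def _d(y, m, d):
    return to_filetime(datetime(y, m, d, tzinfo=timezone.utc))

# Constructed sample export (hypothetical names), not real directory data.
NOW = datetime(2009, 1, 20, tzinfo=timezone.utc)
SAMPLE = "\n".join([
    "dn,lastLogonTimestamp,pwdLastSet",
    f'"CN=WS-ACTIVE,DC=example,DC=test",{_d(2009, 1, 10)},{_d(2009, 1, 2)}',
    f'"CN=WS-LAGGING,DC=example,DC=test",{_d(2008, 11, 20)},{_d(2008, 11, 1)}',
    f'"CN=WS-OLD,DC=example,DC=test",{_d(2008, 6, 1)},{_d(2008, 5, 15)}',
    '"CN=WS-NEVER,DC=example,DC=test",0,0',
])

if __name__ == "__main__":
    for dn, latest in find_stale(SAMPLE, 8, NOW):
        print(dn, latest.date() if latest else "never seen")
```

WS-LAGGING has a timestamp just over 8 weeks old but is not reported, because its real last logon could fall inside the window; review flagged accounts before disabling or deleting them.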

But what if you want pretty output?

Joeware has a nice little utility that does all of the hard part for you, and can display the results in a DHTML table that is easily sortable:

http://www.joeware.net/freetools/tools/oldcmp/index.htm