ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to Generate Reports using Account Lockout Tools and Management Tools (AlTools.exe) for Active Directory?


Member

Posts: 16
Date: Dec 4, 2010
How to Generate Reports using Account Lockout Tools and Management Tools (AlTools.exe) for Active Directory?


Hello All,

I would like to know how to generate a report that lists all the accounts that are currently locked out, and a list of all the accounts that have never logged on as well.

I know that by using the Account Lockout Tools and Management Tools for Active Directory, I can determine when a specific user was locked out, but in order to generate a report that lists all the locked-out accounts, I cannot be expected to check each user account and then individually gather and print these details.

There must be a better, more efficient way to do this. If anyone out there knows how to more efficiently enumerate all locked accounts and generate such a report without having to touch upon each user object to do so, I would certainly be thankful for your input.

Regards,
Chad



__________________


Member

Posts: 16
Date: May 19, 2011
RE: How to Generate Reports using Account Lockout Tools and Management Tools (AlTools.exe) for Active Directory?


Chad, have you considered writing scripts? Agreed, they're not the most efficient or reliable way to go, but they're certainly A way.

 



__________________


Member

Posts: 10
Date: Jun 23, 2012
RE: How to Generate Reports using Account Lockout Tools and Management Tools (AlTools.exe) for Active Directory?


Hi Chad, 

Obtaining a list of all Active Directory user accounts that are locked is fairly easy, and you can use basic LDAP queries to make this determination.

Obtaining a list of all Active Directory user accounts that have not logged on in the last 14 days or more is also not that difficult, and can also be accomplished by using basic LDAP queries for the LastLogonTimeStamp attribute. This is easy because this value is replicated across all domain controllers.

However, what is not easy is determining the list of all users who may have logged on in the last 14 days or less, because for that I believe you have to obtain the value of the LastLogon attribute from all DCs in the domain, and then compare them and then make the determination.

If you're interested, this concept is generally referred to as Active Directory True Last Logon, and there's a good write-up on the issue here.

We had a situation where we needed to obtain a list of all domain user accounts of a specific department that had not logged on in the last 7 days. This involved a bit more, because not only did we need to get true last logon times, but we needed to only obtain those accounts for whom an LDAP filter like "(department=Legal)" could be applied.

We ended up going with a tool recommended to us by MCS. We've been very happy with it, for various reasons, and it's saved us a lot of time, hassle and effort.

I would suggest looking for a good, reliable tool, and one that lets you do custom searches as well. The ability to export results to CSV should be a basic requirement, and the ability to generate PDF reports is always a plus.

But I think the most important thing is to ensure that you can trust it, because there are so many tools out there, and while some may be cheaper than others, they're most likely built in Russia or Romania or China or India, and our company wasn't willing to have our admins run tools "Made in Russia/China/etc".

I hope this helps.

Danny.



__________________
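The reports discussed in the post above, as an added example that is not part of the original thread or of any tool mentioned in it: PowerShell that exports the currently locked-out users in one query and computes true last logon by reading lastLogon from every domain controller, then lists accounts matching the "(department=Legal)" filter that have not logged on in the last 7 days or have never logged on. It assumes the ActiveDirectory module (RSAT) is installed and every DC is reachable; the output file names are placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and read access to every domain controller. File names are placeholders.
Import-Module ActiveDirectory

$ldapFilter = '(&(objectCategory=person)(objectClass=user)(department=Legal))'
$cutoffUtc  = (Get-Date).ToUniversalTime().AddDays(-7)

# Report 1: accounts that are locked out right now, in a single query.
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, DistinguishedName |
    Export-Csv -Path .\locked-out.csv -NoTypeInformation

# Report 2: lastLogon is not replicated, so ask every DC and keep the
# newest value seen per account (the "true last logon").
$newest  = @{}   # DistinguishedName -> FILETIME (0 = never logged on)
$names   = @{}   # DistinguishedName -> SamAccountName
$skipped = @()
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $users = Get-ADUser -LDAPFilter $ldapFilter -Properties lastLogon `
                     -Server $dc.HostName -ErrorAction Stop
    } catch {
        $skipped += $dc.HostName   # an unreachable DC may hold the newest logon
        continue
    }
    foreach ($u in $users) {
        $ft = [long]$u.lastLogon   # unset attribute casts to 0
        $dn = $u.DistinguishedName
        $names[$dn] = $u.SamAccountName
        if (-not $newest.ContainsKey($dn) -or $ft -gt $newest[$dn]) { $newest[$dn] = $ft }
    }
}

$stale = foreach ($dn in $newest.Keys) {
    $ft   = $newest[$dn]
    $when = if ($ft -gt 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null }
    if ($null -eq $when -or $when -lt $cutoffUtc) {
        [pscustomobject]@{
            SamAccountName   = $names[$dn]
            TrueLastLogonUtc = $when
            NeverLoggedOn    = ($ft -eq 0)
        }
    }
}
$stale | Sort-Object TrueLastLogonUtc | Export-Csv -Path .\stale-legal.csv -NoTypeInformation
if ($skipped) { Write-Warning "Incomplete: no answer from $($skipped -join ', ')" }
```

If the warning fires, treat the stale list as an upper bound, since a skipped DC may have recorded a more recent logon.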


Member

Posts: 10
Date: Jun 29, 2012
RE: How to Generate Reports using Account Lockout Tools and Management Tools (AlTools.exe) for Active Directory?


Chad,

Have you checked out the Last Logon VBScripts available from Richard Mueller? I think you might find them useful.

-Jimmy



__________________
iPad Rocks!