ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: Looking for an Active Directory reporting tool to help find users with restricted logon hours


Member

Posts: 10
Date: Jun 22, 2011
Looking for an Active Directory reporting tool to help find users with restricted logon hours
Permalink  
 


Hello,

I am looking for a tool to help find all user accounts in our Active Directory that have restricted logonhours specified. We have an Active Directory of about 2000 users and we have been asked to audit and find all accounts that may not be allowed to logon over the weekends.

I tried using dsget/dsquery but it appears that the way the logon hours attribute works, one cannot actually query for it. Upon some experimenting I found that it is not enough to look for users who have the logonhours value specified because, even if a value is specified, the user could still be allowed unrestricted logon.

Basically, we found that (&(objectcategory=user)(objectclass=user)(!(logonhours=*))) is not sufficient because it does not take into account any suer accounts that have a value specified, and which is set to allow all hours for logon.

I have not had any luck with Powershell as well, and our corporate policies prevent us from using any VB script code found on the WWW (wild-wild-web) because we cannot run anything without code inspection and that takes time and effort.

If anyone knows of any tool that could help us correctly find users that have restricted logonhours set, i.e one that parses the actual value (if it exists) and bases its outputs on it, it would be sincerely appreciated.

Thank you.

Jimmy.



__________________
iPad Rocks!


Member

Posts: 10
Date: Jun 29, 2012
RE: Looking for an Active Directory reporting tool to help find users with restricted logon hours
Permalink  
 


Hi Jimmy,

Have you given adfind a shot? I'm almost certain it can help you find users with restricted logon hours.

-Andy.



__________________

Music is the soul of life! & IT Management Best-Practices 



Member

Posts: 6
Date: Jun 29, 2012
RE: Looking for an Active Directory reporting tool to help find users with restricted logon hours
Permalink  
 


Hi Andy,

Have you given adinfo a shot? Like adfind, it too is free, and offers many reports. Its built by a smart young Brit, and could help you with this.

Samuel. 



__________________


Member

Posts: 10
Date: Jul 20, 2012
RE: Looking for an Active Directory reporting tool to help find users with restricted logon hours
Permalink  
 


Hi Samuel,

Thanks for the pointer to AdInfo. It's a pretty decent tool and while we would have used it, when I mentioned to my manager that its free and built by a young lad, he unexpectedly raised a flag, saying they wasn't about to let us install free tools in our environment, esp one built by a young lad! (I should not have mentioned that to him.)

He's 50+ of course, and has been here for 20+ years, so his word carries a lot of weight around. I suppose he's used to relying on supported software built a team of professionals, although its hard to beat free!

Oh well, I'll give adfind a shot as well now, but if you have any other suggestions for a reliable tool that can help us determine true last logon times in our AD, please do let me know.

Thank you,

Jimmy.

 



__________________
iPad Rocks!
Page 1 of 1  sorted by
Quick Reply

Please log in to post quick replies.

Post to Digg Post to Del.icio.us
Members Login
Username 
 
Password 
    Remember Me