The HTML file that OldCmp generates will be in the same directory that you run the tool from, unless you specify an alternative location with the -file option. If you include the -sh option, OldCmp automatically opens the HTML file after it's generated.
If you want to regularly generate an HTML report, all you need to do is create a batch (.bat) file that contains only two lines of code, as Listing 1 shows. The first line runs OldCmp, whereas the second line runs Blat, a command-line tool for sending the contents of a file in an email message. You can download Blat from http://blat.net. In the second line, make sure you customize the -to option with your email address. In addition, make sure you put both OldCmp and Blat in your run path (i.e., the path defined in the PATH environment variable).
After you create the batch file, you need to create a scheduled task. Be sure to specify a domain user account and password for the job so the script has sufficient permissions to query computer objects in the domain.
Identifying inactive computer accounts is helpful, but more than likely, you'll want to clean up those accounts at some point. My general recommendation is to first disable inactive computer accounts, then after a week or month, delete the disabled computer accounts. This waiting period acts as a safety valve to ensure no one is using the computer accounts.
Listing 2 contains a batch file that deletes disabled computer accounts and disables newly found inactive computer accounts. This batch file contains two sets of commands. (Be sure you don't swap the order.) The first set uses OldCmp to delete any disabled computer accounts and create the deleted_comps.html report, then uses Blat to email that report to rallen@rallenhome.com. The second set uses OldCmp to disable all computer accounts whose passwords are older than 180 days and create the disabled_comps.html report, then uses Blat to email that report.
When creating OldCmp, Joe was concerned about people accidentally deleting or disabling thousands of computer accounts, so he added several precautions, including the -safety and -forreal options you see in both sets of commands. The -safety option limits the number of accounts the script can delete or disable. By default, OldCmp won't delete or disable more than 10 accounts. Including the -safety option with a value of 100 tells OldCmp that it's okay to delete as many as 100 accounts. The -forreal option tells OldCmp that it's okay to delete or disable the accounts. Without the -forreal option, OldCmp just reports on the accounts it would delete or disable--it doesn't actually delete or disable them.
Before you use the batch file in Listing 2, you need to customize the email address in the two Blat commands. In addition, for testing purposes, you should remove the -forreal option from the two OldCmp commands, then run the batch file to make sure you're okay with the accounts OldCmp will delete and disable.
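The safety cap and dry-run behaviour described above are worth having in any stale-account cleanup, not only in OldCmp. The following PowerShell script is an added example, not OldCmp and not the article's Listing 2: it implements the same two-step workflow (delete accounts that an earlier run already disabled, then disable newly inactive ones) against the ActiveDirectory module, with its own -Safety cap and -ForReal switch. The ActiveDirectory (RSAT) module, the 180-day password-age threshold, the report file names and the parameter names are this example's assumptions.

```powershell
# Added example: disable-then-delete cleanup of inactive computer accounts with a
# safety cap and a dry-run default. Not the article's Listing 2 and not OldCmp.
# Assumes the RSAT ActiveDirectory module and an account allowed to modify computer objects.
param(
    [int]$AgeDays = 180,          # password age that marks a computer account as inactive
    [int]$Safety  = 10,           # never touch more accounts than this in one run
    [switch]$ForReal,             # without it, only report what would happen
    [string]$ReportDir = $PWD     # where the HTML reports are written
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$AgeDays)

function Invoke-Guarded {
    # Run $Action on each object unless the safety cap would be exceeded or this is a dry run.
    param([object[]]$Objects, [string]$Verb, [scriptblock]$Action)
    if ($Objects.Count -gt $Safety) {
        Write-Warning "$($Objects.Count) accounts match but the safety cap is $Safety; none $Verb. Re-run with -Safety $($Objects.Count) if that is intended."
        return
    }
    foreach ($obj in $Objects) {
        if ($ForReal) {
            & $Action $obj
            Write-Host "$Verb $($obj.DistinguishedName)"
        } else {
            Write-Host "[dry run] would have $Verb $($obj.DistinguishedName)"
        }
    }
}

# Step 1: delete computer accounts that an earlier run already disabled.
# Keep this step first so a freshly disabled account always survives one waiting period.
$disabled = @(Get-ADComputer -Filter { Enabled -eq $false -and PasswordLastSet -lt $cutoff } -Properties PasswordLastSet)
$disabled | Select-Object Name, DistinguishedName, PasswordLastSet |
    ConvertTo-Html -Title 'Deleted computer accounts' |
    Set-Content (Join-Path $ReportDir 'deleted_comps.html')
Invoke-Guarded -Objects $disabled -Verb 'deleted' -Action {
    param($c)
    # -Recursive also removes child objects (e.g. service connection points) under the computer.
    Remove-ADObject -Identity $c.DistinguishedName -Recursive -Confirm:$false
}

# Step 2: disable newly found inactive accounts; a later run deletes them.
$stale = @(Get-ADComputer -Filter { Enabled -eq $true -and PasswordLastSet -lt $cutoff } -Properties PasswordLastSet)
$stale | Select-Object Name, DistinguishedName, PasswordLastSet |
    ConvertTo-Html -Title 'Disabled computer accounts' |
    Set-Content (Join-Path $ReportDir 'disabled_comps.html')
Invoke-Guarded -Objects $stale -Verb 'disabled' -Action {
    param($c)
    Disable-ADAccount -Identity $c.DistinguishedName
}
```

Run it once without -ForReal and read the two reports before scheduling it; when scheduled, give the task a domain account with rights to the computer objects, just as with the batch file. Emailing the reports (Blat in the article) is unchanged and can follow the script in the same task.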
Dsrevoke
AD is often touted for its flexible delegation of administration feature. For a particular security principal, you can restrict access all the way down to the attribute level. Microsoft provides a Delegation of Control Wizard that can walk you through the process of delegating administration for certain types of tasks. You can also use the ACL editor to tweak ACLs even further.
Although it's easy to delegate access to a particular account, it hasn't been so easy to undelegate the access--that is, until now. Microsoft recently created a tool called Dsrevoke that lets you iterate over the contents of an OU and remove all access control entries (ACEs) that contain a specific security principal. So, for example, if you created a complex delegation for a group called Help Desk, you can use Dsrevoke to go back and remove all the ACEs that contain the Help Desk security principal. That capability makes Dsrevoke a nice tool to have. So run, don't walk, to your computer and download Dsrevoke (http://www.microsoft.com/downloads/details.aspx?familyid=77744807-c403-4bda-b0e4-c2093b8d6383).
With Dsrevoke, you can either search for (/report option) or delete (/remove option) the ACEs that have a particular security principal. To use Dsrevoke, you specify the /report or /remove option, then use the /root option to specify a root from which to start the search or delete operation. You end the command with the name of the security principal you want to search for or remove. For example, here's a command that searches the Workstations OU for all ACEs that contain the Data Admins security principal:
dsrevoke /report /root:ou=workstations,dc=rallencorp,dc=com "RALLENCORP\Data Admins"
As Figure 3 shows, the Workstations OU has two ACEs that contain the Data Admins security principal. To delete these ACEs, you run the same command, except you replace /report with /remove:
dsrevoke /remove /root:ou=workstations,dc=rallencorp,dc=com "RALLENCORP\Data Admins"
You'll get the same output as before, except you'll be prompted about whether you want to delete the ACEs.
One limitation you need to be aware of is that Dsrevoke works only against OUs or a domain root. It won't work against containers such as the default Computers (cn=Computers) or Users (cn=Users) containers.
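To see what Dsrevoke is doing under the hood, here is an added PowerShell example (not Dsrevoke and not Microsoft's code) that walks an OU subtree, reports every explicit ACE naming a given security principal, and removes them when -Remove is passed. It assumes the ActiveDirectory module (which provides the AD: drive), a caller with permission to write DACLs on the objects, and the parameter names are this example's own. It also mirrors the limitation above by refusing roots that are not an OU or the domain root.

```powershell
# Added example: report or remove explicit ACEs for one security principal under an OU.
# Not Dsrevoke. Assumes the RSAT ActiveDirectory module and WRITE_DAC on the objects.
param(
    [Parameter(Mandatory)][string]$Root,        # e.g. 'ou=workstations,dc=rallencorp,dc=com'
    [Parameter(Mandatory)][string]$Principal,   # e.g. 'RALLENCORP\Data Admins'
    [switch]$Remove                             # default is report only, like /report
)
Import-Module ActiveDirectory

# Same restriction the article notes for Dsrevoke: only OUs or the domain root are accepted.
$rootObj = Get-ADObject -Identity $Root
if ($rootObj.ObjectClass -notin 'organizationalUnit', 'domainDNS') {
    throw "Root must be an OU or the domain root; '$Root' is a $($rootObj.ObjectClass)"
}

# A subtree search returns the root itself plus everything beneath it.
$objects = Get-ADObject -SearchBase $Root -SearchScope Subtree -Filter *
$found = 0
foreach ($obj in $objects) {
    $path = "AD:\$($obj.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # Only explicit ACEs can be removed on this object; inherited ones must be
    # removed on the object where they are defined, or they simply come back.
    $hits = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Principal
    })
    if ($hits.Count -eq 0) { continue }
    foreach ($ace in $hits) {
        $found++
        '{0}' -f $obj.DistinguishedName
        '    {0} {1} (inherit: {2})' -f $ace.AccessControlType, $ace.ActiveDirectoryRights, $ace.InheritanceType
        if ($Remove) { [void]$acl.RemoveAccessRule($ace) }
    }
    if ($Remove) { Set-Acl -Path $path -AclObject $acl }
}
$action = if ($Remove) { 'removed' } else { 'found (report only)' }
"$found explicit ACE(s) for '$Principal' under $Root $action"
```

Run it without -Remove first and compare the list with what Dsrevoke /report shows; an ACE that is reported as inherited on a child object will reappear after removal unless it is removed at the object that defines it.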
AdRestore
Ever wonder what happens to an object in AD when you delete it? When you delete an object, it doesn't disappear completely. Instead, the object becomes a tombstone. After 60 days (the default tombstone lifetime period), the tombstone is permanently deleted.
Before the release of Windows 2003, there was no method for bringing tombstones back to life. Now, you can at least partially restore deleted objects--and Sysinternals' AdRestore utility (http://www.sysinternals.com/ntw2k/source/misc.shtml) makes it a snap.
To enumerate all current deleted objects in the current domain, you run AdRestore with no options:
adrestore
Figure 4 shows sample results from this command.
If you want to restore a tombstone, you use the -r option followed by the name of the object to restore. For example, the following command restores the John Billings user account:
adrestore -r "John Billings"
The output from this command will be similar to that in Figure 4, except you'll be prompted about whether you want to restore the object. As I mentioned previously, AdRestore only partially restores the object. The tombstone doesn't retain all the attributes of the original object. For details about the process behind restoring deleted objects, see the Security Administrator article "AD Tombstone Objects," March 2004, InstantDoc ID 41576.
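The same enumerate-then-reanimate flow in PowerShell, as an added example that is not AdRestore and not Sysinternals' code: it lists the tombstones in the current domain and, when a name is given, restores that one object. It assumes the ActiveDirectory module; without the AD Recycle Bin enabled, Restore-ADObject performs the partial tombstone reanimation the article describes, so attributes not kept on the tombstone are still lost. The parameter names are this example's own.

```powershell
# Added example: list deleted objects and optionally reanimate one by its original name.
# Not AdRestore. Assumes the RSAT ActiveDirectory module and rights to restore objects.
param(
    [string]$Name,        # e.g. 'John Billings'; omit to list tombstones only
    [string]$TargetPath   # container to restore into; defaults to the last known parent
)
Import-Module ActiveDirectory

# Deleted objects are hidden from normal searches; -IncludeDeletedObjects makes them visible.
# The 'Deleted Objects' container itself is excluded.
$tombstones = Get-ADObject -Filter { isDeleted -eq $true -and name -ne "Deleted Objects" } `
                           -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

if (-not $Name) {
    $tombstones | Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize
    return
}

# A tombstone is renamed to '<original CN>' + line feed + 'DEL:<objectGUID>', so the
# original name is everything before the line feed.
$match = @($tombstones | Where-Object { ($_.Name -split "`n")[0] -eq $Name })
if ($match.Count -ne 1) {
    throw "$($match.Count) deleted object(s) named '$Name'; list them and restore by a unique name"
}
$obj = $match[0]
if (-not $TargetPath) { $TargetPath = $obj.lastKnownParent }

"Restoring $($obj.ObjectGUID) as '$Name' into $TargetPath"
# -Confirm prompts before the restore, as AdRestore -r does.
Restore-ADObject -Identity $obj.ObjectGUID -NewName $Name -TargetPath $TargetPath -Confirm
```

If the last known parent was itself deleted, pass -TargetPath with a live OU, since a tombstone cannot be restored into a deleted container; after the restore, expect to re-set group membership, password and other attributes that the tombstone did not keep.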
No More Excuses
By familiarizing yourself with AdFind, AdMod, OldCmp, Dsrevoke, and AdRestore, you can increase your effectiveness as an AD administrator. These beefed-up command-line tools make it easy to do tasks that were once tedious or difficult. And because all the tools are free, you have no excuse for not adding them to your AD toolbox.
AFSCrmoore, October 05, 2004