The first step the security team took was to identify members of the domain admin group and the last time they logged in. This is a good initial step to remove those that haven't logged on or used their accounts. If someone hasn't used their domain admin account in 120 days or longer then I would question if they need the account.
Some folks on the security team were manually going to a box that had the Additional Account Info tab from acctinfo.dll. They were then looking at the lastlogon field within the tab and manually entering it into a spreadsheet. I knew there were easier ways to do this so I stepped in to help out.
For this exercise I keyed off the LastLogonTimeStamp (LLTS). The lastlogontimestamp can be off by 9-14 days. The link to the askds blog entry on LLTS does a great job of explaining it. If 9-14 days is not acceptable then you would have to query lastlogon on every DC. Lastlogon does not replicate, which is why every DC would have to be queried.
For the examples I'm in my lab domain which is mkw2k8R2.com and I only have three users in the domain admin group. I've only logged in with one of those users.
Method 1 - Using ADFIND
Regular blog users will not be surprised to find out that I used adfind from Joe Richards for method 1.
adfind -default -f "memberof=cn=domain admins,cn=users,dc=mydomain,dc=mysuffix" samaccountname lastlogontimestamp -tdc -nodn -csv
Method 2 - Using Quest AD Powershell Cmdlets
Many people that started with powershell and AD years ago are probably familiar with the free AD cmdlets from Quest.
get-qaduser -memberof "domain admins" | select-object samaccountname, lastlogontimestamp
Method 3 - Using Microsoft's AD Powershell v2 Cmdlets
With the introduction of Windows 2008 R2 and Windows 7 Microsoft introduced the AD module for Windows Powershell. There is already a lot of good information about the AD Module for Powershell so I won't go over that here. I also admit I'm not a powershell master/guru.
get-aduser -LDAPFilter "(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" -property lastlogondate | ft samaccountname, lastlogondate
You may have noticed that I used lastlogondate, which is not an actual AD attribute. My friend Richard Mueller had a good writeup on lastlogondate. See the link and Richard's answer for more info on lastlogondate, which is essentially the same as lastlogontimestamp.
Method 4 - Using CSVDE
CSVDE is what you call an old school tool. Those that have been around AD for years have definitely used the tool at some point. It was around before adfind and powershell.
csvde -f c:\userslogon.csv -r "(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" -l samaccountname,lastlogontimestamp
One problem with the CSVDE method is how it handles the output. LastLogonTimeStamps are Integer8 values (64-bit numbers) that CSVDE writes out raw instead of decoding. You will notice that the tools in methods 1-3 did a good job of decoding the attribute.
Elizabeth Greene has a really good blog entry that has a formula you can use in excel to convert it into a readable date.
Notice in the screenshot the difference between the native format in cell C2 and what it looks like after I applied the formula.
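As an added example that is not code from the original post, the Python below reads the kind of CSV the csvde command above produces, decodes the raw Integer8 lastLogonTimeStamp into a readable UTC date the way the Excel formula does, and applies the 120-day rule from the top of the post with the 9-14 day LLTS replication slack built in as a separate "review" band. The sample rows, the reference date and the column layout (csvde's leading DN column) are constructed assumptions for the lab domain, not output captured from it.

```python
"""Decode csvde lastLogonTimeStamp output and flag stale Domain Admins.

Added example, not from the original post. Assumes a CSV with csvde's
leading DN column followed by the two attributes the post requests,
sAMAccountName and lastLogonTimestamp, with the timestamp as the raw
Integer8 value. All sample rows below are constructed; they are not
real accounts or real logon times.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# AD Integer8 timestamps are Windows FILETIME values:
# 100-nanosecond ticks counted from 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Policy from the post: question any DA account unused for 120 days or more.
STALE_AFTER_DAYS = 120
# lastLogonTimeStamp is only rewritten when it is 9-14 days behind the real
# logon, so the attribute can lag the true last logon by up to this much.
LLTS_SLACK_DAYS = 14

# Constructed reference "today" so the example is reproducible offline.
NOW = datetime(2011, 3, 1, tzinfo=timezone.utc)

# Constructed csvde-style output (DN column quoted because it holds commas).
# Row 4 has the attribute unset, which csvde emits as an empty field.
SAMPLE_CSVDE_OUTPUT = """DN,sAMAccountName,lastLogonTimestamp
"CN=admin1,CN=Users,DC=mkw2k8r2,DC=com",admin1,129425472000000000
"CN=admin2,CN=Users,DC=mkw2k8r2,DC=com",admin2,129326112000000000
"CN=admin3,CN=Users,DC=mkw2k8r2,DC=com",admin3,129261312000000000
"CN=svc-legacy,CN=Users,DC=mkw2k8r2,DC=com",svc-legacy,
"""


def integer8_to_datetime(value):
    """Convert an AD Integer8 (int or string) to an aware UTC datetime.

    Returns None for an empty field or a zero/negative value, which is how
    an account that never had the attribute set shows up in the export.
    """
    if value is None or str(value).strip() == "":
        return None
    ticks = int(value)
    if ticks <= 0:
        return None
    # Split into whole seconds and 100ns remainder to avoid float rounding.
    seconds, remainder = divmod(ticks, TICKS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=remainder // 10)


def classify(last_logon, now):
    """Return 'never', 'stale', 'review' or 'active' for one account.

    'stale'  : past the threshold even after crediting the full LLTS slack,
               so the account is inactive regardless of replication lag.
    'review' : over 120 days on the attribute alone but inside the slack
               band; confirm against lastLogon on each DC before acting.
    """
    if last_logon is None:
        return "never"
    age_days = (now - last_logon).days
    if age_days >= STALE_AFTER_DAYS + LLTS_SLACK_DAYS:
        return "stale"
    if age_days >= STALE_AFTER_DAYS:
        return "review"
    return "active"


def report_stale_admins(csv_text, now):
    """Parse csvde output; return (samaccountname, last_logon_utc, status) rows."""
    rows = []
    for record in csv.DictReader(io.StringIO(csv_text)):
        # csvde echoes schema-cased names; normalise so either case works.
        record = {key.lower(): val for key, val in record.items()}
        last_logon = integer8_to_datetime(record["lastlogontimestamp"])
        when = last_logon.strftime("%Y-%m-%d %H:%M:%SZ") if last_logon else "never"
        rows.append((record["samaccountname"], when, classify(last_logon, now)))
    return rows


if __name__ == "__main__":
    for sam, when, status in report_stale_admins(SAMPLE_CSVDE_OUTPUT, NOW):
        print(f"{sam:12} {when:22} {status}")
```

Feed it the c:\userslogon.csv that the csvde command writes (read the file and pass its text in place of the constructed sample) and use datetime.now(timezone.utc) as the reference time. Anything in the "review" band is exactly the 9-14 day uncertainty the post describes: the attribute says the account is over the line, but only a lastLogon query against every DC settles it.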
Method 5 - Using Repadmin
This method I first saw used in the blog from the askds team that I linked to earlier and I'll link to again here.
Other Methods
- VBScript - Richard is the king in this category and if you want to use VBScript I recommend testing his scripts out.
- Powershell v1 without AD cmdlets - remember when I said I was not a powershell guru yet? I'm guessing that is something that can be done, but I haven't tried to do it yet. The AD cmdlets from Microsoft and Quest both work for me so I try to stick to them.
You can use these examples and modify them if you are looking for other groups. There are other/better ways to identify old/stale accounts in a domain if you want to do it domain wide. More to come on that.
I'm really looking forward to hearing from readers and the community on other methods for doing this. If there are better ways to do it in Powershell please leave a comment and I'll definitely update the blog.
Inactive Domain Admins beware....you will be removed :)
We're no longer a Fortune 5 company, but we still have exactly 5 people who hold the EA/DA roles.
Still awesome that you all are doing it with only 5 DAs...that is a kick ass AD!