| 5/26/2004 -- My business partner, Derek Melber, was recently asked by one of our consulting clients to create a script that would aid them in auditing their domain security. He wanted to create a report that would display users' account status, including lockout, disabled, last time their password was changed, and so forth. He also wanted to display users' last logon date.
All that information is in the domain, but the last logon date in particular can be difficult to figure out in pre-Win2003 domains. That's because, prior to Win2003, the "lastLogon" attribute isn't replicated, meaning only the last DC that a user authenticated to will have an accurate value. So to display an accurate value, you'd have to query every domain controller in the domain—perfect gruntwork for a script, but not the easiest thing to code. I had some free time this past Saturday, though (I have no life), and decided to take a whack at it, using Derek's original script as a starting point.
One thing I wanted to do was be able to check every user in the domain, which is a less-than-straightforward task in AD, where users can be buried under a tree of organizational units (OUs). Fortunately, AD is backward-compatible with Windows NT domains, meaning AD can present its user list as a flat list, ignoring OU membership. Windows NT also provides an easier-to-use LastLogin property for users; AD's native lastLogon property (note the subtle name difference) is a complex integer value that includes both a time and date, and it's a pain to fuss with in VBScript.
On the other hand, NT doesn't make it very easy to enumerate a list of all DCs in the domain. AD doesn't exactly make it easier, but it does have a helpful Domain Controllers OU, which, nine times out of ten, contains every DC in the domain. In fact, pretty much nobody recommends ever moving DCs out of the Domain Controllers OU, so it's a safe bet that all the DCs' computer accounts can be found there.
Given the relative strengths and weaknesses of NT and AD, then, I resolved to use both. The result is the following script, which uses Active Directory Services Interface (ADSI) and VBScript to query an AD domain both from an NT standpoint (using the WinNT: moniker) and from a native AD standpoint (using the LDAP: moniker). Check it out:
'get domain and container
Dim sTarget, sOU
sTarget = InputBox("Target what domain?", "Domain?", _
"techmentorevent")
sLDAP = InputBox("LDAP version of domain name?", "LDAP Domain?", _
"dc=techmentorevents,dc=pri")
'iterate through all DCs?
Dim bCheckAll
bCheckAll = MsgBox("Check all DCs for last logon date?", _
4, "Check all DCs?")
If bCheckAll = 6 Then
bCheckAll = True
Else
bCheckAll = False
End If
'objects for output file
Dim sOutput, oFSO, oTS
sOutput = InputBox("Output path and filename?", "Filename?", _
"c:\domainreport.csv")
Set oFSO = CreateObject("Scripting.FileSystemObject")
'see if file exists
If oFSO.FileExists(sOutput) Then
MsgBox("File exists. Please select another.")
WScript.Quit
End If
'create output file
Set oTS = oFSO.CreateTextFile(sOutput)
Const cComma = ","
'output header
oTS.WriteLine "User" & _
cComma & "Disabled" & cComma & "Locked" & _
cComma & "IdleDays"
'get destination container
On Error Resume Next
Set oOU = GetObject("WinNT://" & sTarget)
If Err <> 0 Then
MsgBox "Error: " & vbCrLf & Err.Description
WScript.Quit
End If
On Error Goto 0
'filter for user objects
oOU.Filter = Array("User")
'get the Default Domain Controllers container
Dim oDCs, oDC
Set oDCs = GetObject("LDAP://ou=Domain Controllers," & _
sLDAP)
'go through container objects
Dim oObject
For Each oObject In oOU
'get attributes
Dim bDisabled, bLocked, iIdleDays
Dim dLastLogin, dLocalLastLogin
'reset last login date
dLastLogin = CDate("1/1/1900")
'is user disabled?
If oObject.accountdisabled Then
bDisabled = True
Else
bDisabled = False
End If
'is user locked out?
If oObject.isaccountlocked Then
bLocked = True
Else
bLocked = False
End If
'output basic info
oTS.Write oObject.name & cComma & _
bDisabled & cComma & _
bLocked & cComma
'check for last login?
If bCheckAll Then
'checking last login on all DCs
For Each oDC In oDCs
'get last login from this DC
Dim oLocalUser
Set oLocalUser = GetObject("WinNT://" & _
Replace(oDC.sAMAccountName,"$","") & "/" & _
oObject.name & ",user")
On Error Resume Next
dLocalLastLogin = oLocalUser.LastLogin
If Err <> 0 Then
dLocalLastLogin = CDate("1/1/1900")
End If
On Error Goto 0
'is that more recent?
If dLocalLastLogin > dLastLogin Then
dLastLogin = dLocalLastLogin
End If
Next
'output last login
oTS.Write DateDiff("d",dLastLogin,Date) & vbcrlf
Else
'not checking last login
oTS.Write "n/a" & vbcrlf
End If
Next
'close text file and notify
oTS.Close
MsgBox "Finished. Output is at " & sOutput
When you run this script, you'll have to enter the domain name twice. First, enter a normal NT domain name (the default is TECHMENTOREVENT). Next, enter the LDAP-style domain name. The default is "dc=techmentorevents,dc=pri" for my example domain, techmentorevents.pri. If your domain was braincore.net, you'd enter "dc=braincore,dc=net" for the domain name. You can decide whether or not to check the LastLogin property, because doing so will cause the script to run for a lot longer since it has to query a bunch of computers. The script will, by the way, bomb out if any of your DCs are unreachable. I left it that way on purpose, but you can have it ignore missing DCs by using the following code:
'get last login from this DC
Dim oLocalUser
On Error Resume Next
Set oLocalUser = GetObject("WinNT://" & _
Replace(oDC.sAMAccountName,"$","") & "/" & _
oObject.name & ",user")
The boldfaced line of code tells VBScript to ignore any errors and keep right on processing.
I hope this will be a useful script for you. Those of you lucky enough to work in a native Windows Server 2003 domain don't need this trickery, because Win2003 repliates the lastLogin property to all DCs; just use the Saved Queries feature in 2003's AD Users and Computers console to query for user accounts that haven't logged in during a specified number of days. Note that it's impossible for me to test this script in the myriad environments out there; it's possible your environment may contain something that causes the script to bomb unexpectedly. If it does, please feel free to send me a short e-mail describing the problem and I'll do my best to help you figure it out. This script outputs a file that can easily be imported into Excel so that you can sort by column or do whatever other fancy stuff you like.  | 
