Posted by Roger Abell [MVP] on September 23, 2006, 1:25 pm
True, but if they are connected and will behave a remote command, they
would probably be much more simply located/discovered than by reboot
and comb the event logs.
> With that advice he could attempt to force a reboot of the computers using
> something like PsShutdown using a text file with the fully qualified names
> of the computers assuming they are connected to the domain network with
> the proper network connectivity.
>
> Steve
>
>
>> Tim,
>>
>> I thought about your situation last night for a while, but did not
>> see a usable solution for you.
>> If the machines of concern have not been updating their passwords,
>> they would not likely be doing so in the future - hence attempt to
>> see failure events when they do is not your solution (besides how
>> long it would take).
>> If there are machines in the situation you are considering, they are
>> already logged into the domain, and hence they are running on the
>> Kerberos tickets from then. When they renew it is not a new login
>> so you would not be catching login failure events. You could at
>> least in theory enable Kerberos detail logging, but the amount that
>> would be generated would probably make doing this not helpful.
>>
>> etc.
>>
>> My final feeling was that you may just have to wait, as the login
>> failures for abcdefg$ accounts would eventually show up, after
>> those machines are rebooted.
>>
>> Roger
>>> We are currently trying to remove old computer accounts from our Active
>>> Directory domain. We used a third party utility to find all of the
>>> computer accounts on the domain that did not have their password changed
>>> in 90 days or more. We then disabled all of these accounts.
>>>
>>> What I am curious about is whether there is an event that will be
>>> recorded in our domain controller security logs for any computers that
>>> have been disabled, but may still be logged on (for example, if a user
>>> doesn't log off at the end of the day but instead locks their
>>> workstation, they may be able to unlock it the next day and keep
>>> working, in fact this is true because we have tested it). We want to
>>> make sure no one is actually using a computer that had their account
>>> locked out.
>>>
>>> So, if we could search our event logs for a specific Event ID pertaining
>>> to the computer being locked out, we could figure out if some of the
>>> accounts we disabled are actually online and just hadn't updated the
>>> computer account password in the normal 30 days for XP and 2000
>>> desktops.
>>>
>>> -Tim Nichols
>>> MCP
>>>
>>
>>
>
>
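An added example, not part of the thread: the stale-account check described in the original question (computer accounts whose password has not changed in 90 days or more), run over a constructed attribute export. The host names, date and values are made up for illustration; `pwdLastSet` and `userAccountControl` are the standard Active Directory attributes.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_ACCOUNTDISABLE = 0x0002          # userAccountControl bit: account disabled
STALE_AFTER = timedelta(days=90)     # threshold used in the thread


def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601-01-01 UTC (how AD stores pwdLastSet)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ticks):
    """pwdLastSet -> datetime, or None when the value is 0 (password never set)."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def stale_computers(records, now):
    """Return (name, age_days, disabled) for accounts at or past the threshold.

    age_days is None when pwdLastSet is 0; such accounts are reported too.
    """
    out = []
    for rec in records:
        changed = from_filetime(rec["pwdLastSet"])
        age = None if changed is None else now - changed
        if age is None or age >= STALE_AFTER:
            disabled = bool(rec["userAccountControl"] & UAC_ACCOUNTDISABLE)
            out.append((rec["name"], None if age is None else age.days, disabled))
    return out


# Constructed sample export, evaluated as of a constructed date.
NOW = datetime(2006, 9, 23, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "WS-ALPHA$", "pwdLastSet": to_filetime(NOW - timedelta(days=10)), "userAccountControl": 0x1000},
    {"name": "WS-BRAVO$", "pwdLastSet": to_filetime(NOW - timedelta(days=120)), "userAccountControl": 0x1002},
    {"name": "WS-CHARLIE$", "pwdLastSet": to_filetime(NOW - timedelta(days=95)), "userAccountControl": 0x1000},
    {"name": "WS-DELTA$", "pwdLastSet": 0, "userAccountControl": 0x1000},
]

if __name__ == "__main__":
    for name, age, disabled in stale_computers(SAMPLE, NOW):
        state = "disabled" if disabled else "enabled"
        print(f"{name}: password age {age} days, account {state}")
```

A password age past the threshold only marks a candidate; as the thread notes, a machine whose account was disabled can still be in use on its existing logon.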