Cool Tools

I thought for Christmas this year it would be great if we all shared. I think Christmas comes early each time I find a new tool that I can share with everyone, so I would like everyone to let us all know about the latest tools you have found.

First blood goes to Dwight Bittner, who told me about a cool tool called oldcmp that keys on the password age of not only computer accounts but also user accounts in Active Directory. It then allows you to disable or delete those accounts.

The email from him reads:

I did some research on the Internet and found a utility called oldcmp that keys on the password age of not only computer accounts but also user accounts in Active Directory. The default password age that it keys on is 90 days, but this can be set to accommodate various environments. As you know, if you don't know what you are doing in Active Directory you can really mess things up in a hurry. That is where oldcmp shines, as it has numerous built-in safety features so that you can safely prune old user and computer objects from Active Directory with confidence.

We have implemented the use of oldcmp in a three stage process:

  1. Run oldcmp to report on all old computer accounts that have a password age > 120 days.
  2. Disable those computer accounts identified in step 1 above for a period of 7 days as a grace period prior to deleting the object from Active Directory.
  3. Delete the disabled computer accounts that were disabled in step 2 from Active Directory.

We plan to use the oldcmp utility on a quarterly basis to keep our Active Directory structure clean and tidy. We will also start using it to clean up old user accounts in the near future.

You can filter out server accounts or computers in particular OUs so as to exclude certain computer accounts from being reported on, disabled and/or deleted.

For example, if you use the following filter command, -af "(!(operatingsystem=*Server*))(!(Description=Public))", you would filter out all Server OSs and computers that have the word "public" in the description.

The link to the web site where you can find out more about oldcmp is http://www.joeware.net/win/free/tools/oldcmp.htm. The reason I am sharing this with you is that I think a lot of people would find this tool beneficial for managing Active Directory and also for cleaning up Active Directory so that SMS reporting will be more accurate. Joe from joeware.net has been very helpful in providing assistance in using the tool as well.

That is the sort of tool I like. Well, okay, I like big power tools as well. Is it a guy thing, or are there ladies out there who also find large mechanical objects interesting? No rude answers please!
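For anyone who wants to see what Dwight's three-stage process and his -af exclusion filter look like without oldcmp, here is an added example written for this post (it is not oldcmp and not Dwight's script) that does the same report / disable / delete cycle with the RSAT ActiveDirectory module. The excluded OU DN, the CSV path and the "Disabled by stale-account job" stamp text are assumptions; every write stays behind -WhatIf until the stage 1 report has been reviewed.

```powershell
# Added example, not from the post and not oldcmp itself: the same three-stage
# process with the RSAT ActiveDirectory module. Run it stage by stage; every
# write is behind -WhatIf until the CSV report has been reviewed.
Import-Module ActiveDirectory

$PasswordAgeDays = 120     # stage 1 threshold from the post
$GraceDays       = 7       # stage 2 grace period from the post
$Cutoff          = (Get-Date).AddDays(-$PasswordAgeDays)
$Stamp           = "Disabled by stale-account job on $(Get-Date -Format yyyy-MM-dd)"
# Placeholder OU to protect (assumption); add your own, e.g. the servers OU.
$ExcludeOUs      = @('OU=Domain Controllers,DC=example,DC=com')

# Stage 1: report. The LDAP part mirrors the post's -af filter (no Server OS,
# no Description=Public), adds "still enabled", and applies the password age
# server-side; pwdLastSet is a FILETIME, and 0 (never set) is left alone.
$FileTime = $Cutoff.ToFileTimeUtc()
$Ldap = "(&(!(operatingSystem=*Server*))(!(description=Public))" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2))(pwdLastSet<=$FileTime)(pwdLastSet>=1))"
$Stale = Get-ADComputer -LDAPFilter $Ldap -Properties PasswordLastSet,Description,OperatingSystem |
    Where-Object {
        $dn = $_.DistinguishedName
        -not ($ExcludeOUs | Where-Object { $dn -like "*,$_" })
    }
$Stale | Select-Object Name,OperatingSystem,PasswordLastSet,Description,DistinguishedName |
    Export-Csv -Path .\stale-computers.csv -NoTypeInformation
"Stage 1: $($Stale.Count) candidate accounts written to stale-computers.csv"

# Stage 2: disable, and stamp the date in front of the existing Description so
# stage 3 can tell when the grace period started (nothing else is overwritten).
foreach ($c in $Stale) {
    $desc = if ($c.Description) { "$Stamp; $($c.Description)" } else { $Stamp }
    Set-ADComputer -Identity $c -Description $desc -WhatIf
    Disable-ADAccount -Identity $c -WhatIf
}

# Stage 3: delete only accounts that are disabled AND carry a stamp older than
# the grace period; a machine someone disabled by hand has no stamp and is kept.
$Expired = (Get-Date).AddDays(-$GraceDays)
Get-ADComputer -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=2)(description=Disabled by stale-account job on *))' -Properties Description |
    Where-Object {
        $_.Description -match 'stale-account job on (\d{4}-\d{2}-\d{2})' -and
        [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt $Expired
    } |
    Remove-ADComputer -Confirm:$false -WhatIf
```

Keep the stage 1 CSV from each quarterly run: it is the record of what was disabled and why if a machine turns out to have been merely switched off for a long time.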

Comments
  • Cool. Glad you like oldcmp, Bruce. Note that within the next couple of days I will be releasing V01.05.00. It adds some more functionality, such as the ability to filter out DNs with a case-insensitive search string, say -excldn "ou=domain controllers" or -excldn "test". Multiple search strings are also supported, no regexprs yet though. It also adds the ability to use lastLogonTimestamp if the domain is a Windows Server 2003 AD in Domain Functional Mode. If you set that switch (llts) and your domain is not in the proper mode, it will fall back to pwdLastSet. Another cool addition is the -users switch, which will change the filter to be for users as well as the fields it returns and displays from AD. That was the second most popular request after the ability to exclude specific branches of AD.


    joe