
Auditing only Specific Users logons

Anonymous
February 7, 2005 4:31:36 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi,

I am currently cleaning out my Active Directory Database of old User
accounts. We have a high turnover so I have about 800 accounts marked
for deletion.

I ran a vbscript to list last logon, but for some reason the script
keeps coming up with different dates and doesn’t seem accurate
depending on the DC authenticating.

I want to enable logon Auditing for the OU of users that are marked
for deletion. If they haven’t logged in in a month I want to delete
them.

The problem is that I can only find how to enable Auditing via
computer and not user. I haven’t done auditing before so I am sure I
am missing something. How do I enable logon auditing for only the 800
users in the one OU?

Thanks

Lara

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Group-Policy-Auditing-Spec...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=814035
Anonymous
February 7, 2005 5:10:05 PM


I'm not too sure about that, but another way you could ensure they're safe
to delete: disable them, and if a user needs the account, you can be sure
they'll be calling to find out why their account is disabled.

Just as a side note--shouldn't your HR dept be notifying you of when people
leave so that you can disable the account?

::p link plink::

Ken

Anonymous
February 7, 2005 11:33:39 PM


Unfortunately in Windows 2000 the last logon timestamp is not replicated
among domain controllers, which is why you experience what you do. You would
have to run your report on all domain controllers to see what is going on,
which may of course be very tedious if you have more than a few domain
controllers.

As far as auditing, you can only do it in an all-or-none fashion for domain
users. Auditing of "account logons" would have to be enabled in Domain
Controller Security Policy, and then an account logon event will be logged
on the domain controller that authenticated the user. Event Comb [free MS
download] can be used to scan the security logs of multiple domain
controllers for specific Event IDs or text strings, which can make that job
easier.

The last logon timestamp does replicate on Windows 2003 domain controllers.
You could easily add all those users from your OU to a global group and then
add that group to "deny logon locally" for Domain Security Policy to try to
flush out any survivors. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 -- EventComb.

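Steve's point that lastLogon is kept per domain controller and never replicated means a stale-account report has to ask every DC and keep the newest value per user. The script below is an added example, not from this thread; it assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later, so not available on the Windows 2000 domain discussed here), and the OU distinguished name and 30-day threshold are placeholders.

```powershell
# Added example: collect lastLogon from every DC and report accounts in one OU
# that have not logged on anywhere for more than 30 days.
# Assumes the RSAT ActiveDirectory module; the OU DN below is a placeholder.
Import-Module ActiveDirectory

$ouDn     = 'OU=MarkedForDeletion,DC=example,DC=com'   # placeholder OU
$cutoffFt = (Get-Date).AddDays(-30).ToFileTime()       # compare as FILETIME

# lastLogon is per-DC and not replicated, so query every DC and keep the newest.
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$latest = @{}

foreach ($dc in $dcs) {
    try {
        Get-ADUser -Server $dc -SearchBase $ouDn -Filter * -Properties lastLogon |
            ForEach-Object {
                $sam = $_.SamAccountName
                $ll  = [int64]$_.lastLogon   # 0 when this DC never authenticated the user
                if (-not $latest.ContainsKey($sam) -or $ll -gt $latest[$sam]) {
                    $latest[$sam] = $ll
                }
            }
    } catch {
        # An unreachable DC means the report is incomplete; do not delete on partial data.
        Write-Warning "Could not query $dc : $_"
    }
}

# Stale = never logged on at any DC, or newest logon on any DC is older than the cutoff.
$report = foreach ($sam in ($latest.Keys | Sort-Object)) {
    $ll = $latest[$sam]
    if ($ll -lt $cutoffFt) {
        [pscustomobject]@{
            SamAccountName = $sam
            NewestLogon    = if ($ll -eq 0) { 'never' } else { [DateTime]::FromFileTime($ll) }
        }
    }
}
$report | Format-Table -AutoSize
```

On a Windows Server 2003 functional level domain the replicated lastLogonTimestamp attribute can be read from a single DC instead, but it is only refreshed when the stored value is more than 14 days old by default, so it is coarse rather than exact.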
Anonymous
February 16, 2005 5:29:49 PM



Hi,

Thanks. I just ended up disabling them and deleting them. The HR
dept. is definitely not organized enough to let me know. In a perfect
world --- =)

Thanks for the info on the last login. I only have two DCs so it
won’t take much to do.

Cheers,

Lara