Mohammad Nasiri, founder of TOSINSO, expert in information and communications security and computer crime investigation, white-hat hacker, with more than 12,000 hours of teaching experience in more than 40 government, private and military organizations, interested in learning more and a lover of the environment
Hello friends, this is my first English article in the Microsoft Network Services Island on the TOSINSO website and I hope you will enjoy it (excuse my weak English writing skills). Since 2005 I have been working for many enterprise companies and organizations that have used Active Directory as their primary directory service. One of the most important mistakes that network administrators make when managing their Active Directory network service is that they do not pay attention to the creation and deletion of user and computer accounts.
After months and even years, we see that we have many computer and network accounts that are not used in the network. This is actually a security concern: a malicious user or a hacker can use these inactive user and computer accounts to attack the network or create a security breach. Today I want to show you some useful Active Directory LDAP query samples to detect these kinds of inactive objects and do something about them. So let's see what we have here:
C:\> dsquery user -inactive 4
Description for the first example: you have to open a command prompt to enter the command. dsquery is my favorite command for querying Active Directory. The user portion defines the type of object that we want to query, the -inactive section defines the parameter that we are looking for, and finally the number at the end defines the number of weeks!! Yes, the number 4 means 4 weeks, so the command means: find and show me the inactive users that did not log in within the last 30 days.
C:\> dsquery user -inactive 4 | dsmod user -disabled yes
Description for the second example: the first part of the command is exactly the same as the first example, but remember that we can send the output of one command through the pipe character into the input of the next command. So, as you can see, we found the inactive users with the first part and passed the results into the dsmod command, which can modify Active Directory object attributes. Then we set the -disabled parameter to yes!! It means: disable all inactive users that have not been active for a month.
C:\> dsquery computer -inactive 4 | dsmod computer -disabled yes
Description for the third example: guess what!! We just replaced the user part with computer!
C:\> dsquery computer -inactive 4 | clip
Description for the fourth example: the first part is really simple! The second part means copy the output of the first command to the clipboard so you can paste it into other applications like Excel or Word or ...
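A staged version of the second and third examples, added here as an illustration and not part of the original article: it writes the dsquery results to a file for review and disables only what remains in that file. The script layout, the WEEKS variable and the review-file name are assumptions; dsquery's -limit 0 and dsmod's -c are standard options of those tools.

```bat
@echo off
rem Added example, not from the original article: report first, disable later.
rem Usage: <script> report user     then, after review:  <script> disable user
rem The WEEKS value and the review-file name are assumptions.
setlocal
set WEEKS=4
set TYPE=%~2
if "%TYPE%"=="" set TYPE=user
if /i not "%TYPE%"=="user" if /i not "%TYPE%"=="computer" (
    echo Object type must be user or computer.
    exit /b 1
)
set REVIEW=stale-%TYPE%s.txt

if /i "%~1"=="report"  goto report
if /i "%~1"=="disable" goto disable
echo Usage: %~nx0 report^|disable [user^|computer]
exit /b 1

:report
rem -limit 0 removes dsquery's default cap of 100 returned objects.
dsquery %TYPE% -inactive %WEEKS% -limit 0 > "%REVIEW%"
if errorlevel 1 exit /b 1
echo Candidates written to %REVIEW%.
echo Delete the lines for accounts that must stay enabled, then run "disable".
exit /b 0

:disable
if not exist "%REVIEW%" (
    echo %REVIEW% not found. Run the report step first.
    exit /b 1
)
rem dsmod reads the distinguished names from standard input, as in the
rem article's pipe; -c keeps going if one object fails.
type "%REVIEW%" | dsmod %TYPE% -disabled yes -c
exit /b %errorlevel%
```

The review step is where service accounts and machines that are powered on only occasionally get taken out of the list before anything is disabled.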
I hope it will help you to clean up your Active Directory.
Best Regards Mohammad Nasiri
TOSINSO Microsoft Network Services Island