Auditing only Specific Users logons


lforbes

Hi,

I am currently cleaning out my Active Directory Database of old User
accounts. We have a high turnover so I have about 800 accounts marked
for deletion.

I ran a vbscript to list last logon, but for some reason the script
keeps coming up with different dates and doesn’t seem accurate
depending on the DC authenticating.

I want to enable logon Auditing for the OU of users that are marked
for deletion. If they haven’t logged in in a month I want to delete
them.

The problem is that I can only find how to enable Auditing via
computer and not user. I haven’t done auditing before so I am sure I
am missing something. How Do I enable logon auditing for Only the 800
users in the one OU.

Thanks

Lara
 
I'm not too sure about that, but another way you could ensure they're safe
to delete: disable them, and if a user needs the account, you can be sure
they'll be calling to find out why their account is disabled.

Just as a side note--shouldn't your HR dept be notifying you of when people
leave so that you can disable the account?

::plink plink::

Ken
 
Unfortunately in Windows 2000 the last logon timestamp is not replicated
among domain controllers, which is why you experience what you do. You would
have to run your report on all domain controllers to see what is going on,
which may of course be very tedious if you have more than a few domain
controllers. As far as auditing goes, you can only do it in an all or none fashion
for domain users. Auditing of "account logons" would have to be enabled in
Domain Controller Security Policy, and then an account logon event will be
logged on the domain controller that authenticated the user. Event Comb
[free MS download] can be used to scan the security logs of multiple domain
controllers for specific Event IDs or text strings, which can make that job
easier. The last logon timestamp does replicate on Windows 2003 domain
controllers. You could easily add all those users from your OU to a global
group and then add that group to "deny logon locally" for Domain Security
Policy to try to flush out any survivors. --- Steve

EventComb: http://support.microsoft.com/default.aspx?scid=kb;en-us;308471
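Steve's point about lastLogon not replicating, written out as a script: query every DC for the accounts in one OU, keep the newest lastLogon seen anywhere, and list the ones below a 30-day cutoff. This is an added example, not code from the thread; it uses plain LDAP through DirectorySearcher rather than the Active Directory module, and the OU distinguished name and the cutoff are placeholder assumptions.

```powershell
# Assumptions (placeholders): the OU holding the accounts marked for deletion, and a 30-day cutoff.
$ouDn   = "OU=PendingDeletion,DC=example,DC=com"
$cutoff = (Get-Date).AddDays(-30)

# Every DC in the current domain; lastLogon is per-DC, so all of them must be asked.
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
       ForEach-Object { $_.Name }

$newest   = @{}   # sAMAccountName -> newest lastLogon found on any DC
$failedDc = @()   # DCs that could not be queried; the result is incomplete if this is non-empty

foreach ($dc in $dcs) {
    try {
        $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$ouDn")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter   = "(&(objectCategory=person)(objectClass=user))"
        $searcher.PageSize = 500            # paged search, so large OUs are not truncated
        [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
        [void]$searcher.PropertiesToLoad.Add("lastLogon")

        foreach ($r in $searcher.FindAll()) {
            $sam = [string]$r.Properties["samaccountname"][0]
            # lastLogon is a FILETIME; absent or 0 means this DC never authenticated the user.
            $raw = if ($r.Properties["lastlogon"].Count -gt 0) { [int64]$r.Properties["lastlogon"][0] } else { 0 }
            $seen = if ($raw -gt 0) { [DateTime]::FromFileTime($raw) } else { [DateTime]::MinValue }
            if (-not $newest.ContainsKey($sam) -or $seen -gt $newest[$sam]) { $newest[$sam] = $seen }
        }
    } catch {
        $failedDc += $dc
        Write-Warning "Could not query $dc : $($_.Exception.Message)"
    }
}

if ($failedDc.Count -gt 0) {
    Write-Warning "Incomplete: $($failedDc -join ', ') not queried; a user may have logged on there."
}

# Accounts whose newest logon on any reachable DC is older than the cutoff (or never logged on).
$newest.GetEnumerator() |
    Where-Object { $_.Value -lt $cutoff } |
    Sort-Object Value |
    ForEach-Object {
        $last = if ($_.Value -eq [DateTime]::MinValue) { "never" } else { $_.Value.ToString("yyyy-MM-dd") }
        "{0,-25} last logon: {1}" -f $_.Key, $last
    }
```

Treat "never" with care: it also covers accounts created after the last DC reboot cycle and service accounts that authenticate by other means, so disabling before deleting (as Ken suggests) remains the safer first step.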
 

Hi,

Thanks. I just ended up disabling them and deleting them. The HR
dept. is definitely not organized enough to let me know. In a perfect
world --- =)

Thanks for the info on the last login. I only have two DCs so it
won't take much to do.

Cheers,

Lara
 