Track Kerberos Tickets

[Guest]

is there a way (programatically prefered but utilities also welcomed) to
track and log kerberos Tickets issued by a Domain controller? is there any
API or something that I can use to list all tickets granted by a server
during a specific time?

I need this because I want to write a program that detects and removes
dead/unused computer accounts in AD .my idea was to track computer accounts
that had requested TGT during the past <some duration>,filtering them out
from other computers and deleting the rest.

any better idea to fulfill this goal is welcomed.of course I prefer that
idea to not involve in installing any client program on workstations.

 

[Ryan Hanisco]

Hi There...

If you are just looking to identify stale accounts, you can do this with
the lastLogonTimeStamp attribute. You can do a search for this with the
GUI in ADU&C, but this isn't an automated process.

I would suggest writing a script using ADSI that queries this attribute
and then takes an action. You'll want to be careful with this as you
would be deleting objects in an automated way. If you are feeling
frisky with ASP/ ASPX I would write a web page that identified these
stale accounts and allowed you to deselect accounts. Then you can make
that process part of your maintenance routines for your admins.

Note that the lastLogonTimeStamp is a 2003 attribute. Otherwise, you
will be tied to lastLogon, which is done on a per-DC basis.

If you need help with the scripting/ ASP let me know. And check out the
following article for more help:
http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx

Ryan Hanisco
Sr. Project Lead
FlagShip Integration Services
(e-mail address removed)