Archive for the ‘Windows Knowledgebase’ Category


Active Directory Last Logon Tools

March 3, 2009


I was looking for some tools that will enable you to see when a person last used their user ID to log in to your domain. This is helpful for finding accounts of people who might have left the company.

In my search I have come across a couple of programs and scripts that can do this.
The first program I found is called True Last Login. It works very well and you can download a freeware version with some limitations.
The second program is called Inactive Users Tracker. It will also search your domain and display a list of last logins by user ID.

The other way to do this is to use a VBScript. There are a couple of them out there, some work better than others. The one that I found that works the best so far is the one I found Here.
Below is the script in case the link above does not work.
Just copy and paste the text below into a text document and rename it to lastlogin.vbs
Then run the following command in a command prompt. This will redirect the output to a text file.
cscript //nologo lastlogin.vbs > output.txt

' LastLogon.vbs
' VBScript program to determine when each user in the domain last logged
' on.

' ----------------------------------------------------------------------
' Copyright (c) 2002 Richard L. Mueller
' Hilltop Lab web site - http://www.rlmueller.net
' Version 1.0 - December 7, 2002
' Version 1.1 - January 17, 2003 - Account for null value for lastLogon.
' Version 1.2 - January 23, 2003 - Account for DC not available.
' Version 1.3 - February 3, 2003 - Retrieve users but not contacts.
' Version 1.4 - February 19, 2003 - Standardize Hungarian notation.
' Version 1.5 - March 11, 2003 - Remove SearchScope property.
' Version 1.6 - May 9, 2003 - Account for error in IADsLargeInteger
'                             property methods HighPart and LowPart.
' Version 1.7 - January 25, 2004 - Modify error trapping.
' Version 1.8 - July 6, 2007 - Modify how IADsLargeInteger interface
'                              is invoked.

' Because the lastLogon attribute is not replicated, every Domain
' Controller in the domain must be queried to find the latest lastLogon
' date for each user. The latest date found is kept in a dictionary
' object. The program first uses ADO to search the domain for all Domain
' Controllers. The AdsPath of each Domain Controller is saved in an
' array. Then, for each Domain Controller, ADO is used to search the
' copy of Active Directory on that Domain Controller for all user
' objects and return the lastLogon attribute. The lastLogon attribute is
' a 64-bit number representing the number of 100 nanosecond intervals
' since 12:00 am January 1, 1601. This value is converted to a date. The
' last logon date is in UTC (Coordinated Universal Time). It must be
' adjusted by the Time Zone bias in the machine registry to convert to
' local time.

' You have a royalty-free right to use, modify, reproduce, and
' distribute this script file in any way you find useful, provided that
' you agree that the copyright owner above has no warranty, obligations,
' or liability for such use.

Option Explicit

Dim objRootDSE, strConfig, adoConnection, adoCommand, strQuery
Dim adoRecordset, objDC
Dim strDNSDomain, objShell, lngBiasKey, lngBias, k, arrstrDCs()
Dim strDN, dtmDate, objDate, objList, strUser
Dim strBase, strFilter, strAttributes, lngHigh, lngLow

' Use a dictionary object to track latest lastLogon for each user.
Set objList = CreateObject("Scripting.Dictionary")
objList.CompareMode = vbTextCompare

' Obtain local Time Zone bias from machine registry.
Set objShell = CreateObject("Wscript.Shell")
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    & "TimeZoneInformation\ActiveTimeBias")
If (UCase(TypeName(lngBiasKey)) = "LONG") Then
    lngBias = lngBiasKey
ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
    lngBias = 0
    For k = 0 To UBound(lngBiasKey)
        lngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
End If

' Determine configuration context and DNS domain from RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfig = objRootDSE.Get("configurationNamingContext")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory for ObjectClass nTDSDSA.
' This will identify all Domain Controllers.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search base: the configuration naming context, in ADO's <LDAP://...> form.
strBase = "<LDAP://" & strConfig & ">"
strFilter = "(objectClass=nTDSDSA)"
strAttributes = "AdsPath"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 60
adoCommand.Properties("Cache Results") = False

Set adoRecordset = adoCommand.Execute

' Enumerate parent objects of class nTDSDSA. Save Domain Controller
' DNS host names in dynamic array arrstrDCs.
k = 0
Do Until adoRecordset.EOF
    Set objDC = _
        GetObject(GetObject(adoRecordset.Fields("AdsPath").Value).Parent)
    ReDim Preserve arrstrDCs(k)
    arrstrDCs(k) = objDC.DNSHostName
    k = k + 1
    adoRecordset.MoveNext
Loop
adoRecordset.Close

' Retrieve lastLogon attribute for each user on each Domain Controller.
For k = 0 To UBound(arrstrDCs)
    ' Search base: the domain partition as held by this Domain Controller.
    strBase = "<LDAP://" & arrstrDCs(k) & "/" & strDNSDomain & ">"
    strFilter = "(&(objectCategory=person)(objectClass=user))"
    strAttributes = "distinguishedName,lastLogon"
    strQuery = strBase & ";" & strFilter & ";" & strAttributes _
        & ";subtree"
    adoCommand.CommandText = strQuery
    On Error Resume Next
    Set adoRecordset = adoCommand.Execute
    If (Err.Number <> 0) Then
        On Error GoTo 0
        Wscript.Echo "Domain Controller not available: " & arrstrDCs(k)
    Else
        On Error GoTo 0
        Do Until adoRecordset.EOF
            strDN = adoRecordset.Fields("distinguishedName").Value
            On Error Resume Next
            Set objDate = adoRecordset.Fields("lastLogon").Value
            If (Err.Number <> 0) Then
                ' No lastLogon value on this Domain Controller.
                On Error GoTo 0
                dtmDate = #1/1/1601#
            Else
                On Error GoTo 0
                lngHigh = objDate.HighPart
                lngLow = objDate.LowPart
                If (lngLow < 0) Then
                    lngHigh = lngHigh + 1
                End If
                If (lngHigh = 0) And (lngLow = 0) Then
                    dtmDate = #1/1/1601#
                Else
                    ' 100-ns intervals -> minutes, minus the bias, -> days.
                    dtmDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
                        + lngLow)/600000000 - lngBias)/1440
                End If
            End If
            ' Keep only the latest date seen for this user.
            If (objList.Exists(strDN) = True) Then
                If (dtmDate > objList(strDN)) Then
                    objList.Item(strDN) = dtmDate
                End If
            Else
                objList.Add strDN, dtmDate
            End If
            adoRecordset.MoveNext
        Loop
        adoRecordset.Close
    End If
Next

' Output latest lastLogon date for each user.
For Each strUser In objList.Keys
    Wscript.Echo strUser & " ; " & objList.Item(strUser)
Next

' Clean up.
adoConnection.Close
Set objRootDSE = Nothing
Set adoConnection = Nothing
Set adoCommand = Nothing
Set adoRecordset = Nothing
Set objDC = Nothing
Set objDate = Nothing
Set objList = Nothing
Set objShell = Nothing

Or you can just download this file (rename to a .zip file)

If you know of any other or better way to do this please let me know.
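The merge that the script's header comment describes (lastLogon is kept per Domain Controller, so the newest value wins and 0 means no logon recorded), shown as an added PowerShell example that is not part of the original post or of Richard Mueller's script. It goes one step further and lists accounts with no logon in the last 90 days; the DC names, distinguished names, raw values, the 90-day threshold and the function names are constructed for illustration.

```powershell
# Added example. DC names, DNs and lastLogon values are constructed sample
# data; in practice each record comes from querying one domain controller.
$records = @(
    [pscustomobject]@{ DC = 'dc1'; DN = 'CN=Alice,OU=Staff,DC=example,DC=com';    LastLogon = 128801664000000000 }  # 2009-02-27 UTC
    [pscustomobject]@{ DC = 'dc2'; DN = 'CN=Alice,OU=Staff,DC=example,DC=com';    LastLogon = 128699712000000000 }  # 2008-11-01 UTC
    [pscustomobject]@{ DC = 'dc1'; DN = 'CN=Bob,OU=Staff,DC=example,DC=com';      LastLogon = 0 }                   # never seen on dc1
    [pscustomobject]@{ DC = 'dc2'; DN = 'cn=bob,ou=staff,dc=example,dc=com';      LastLogon = 128567520000000000 }  # 2008-06-01 UTC
    [pscustomobject]@{ DC = 'dc1'; DN = 'CN=svc-backup,OU=Svc,DC=example,DC=com'; LastLogon = $null }
    [pscustomobject]@{ DC = 'dc2'; DN = 'CN=svc-backup,OU=Svc,DC=example,DC=com'; LastLogon = 0 }
)

function Convert-LastLogon {
    param([object]$Value)
    # lastLogon is a FILETIME: 100-ns intervals since 1601-01-01 00:00 UTC.
    # A missing value or 0 means this DC has no logon on record.
    if ($null -eq $Value -or [int64]$Value -le 0) { return $null }
    return [datetime]::FromFileTimeUtc([int64]$Value)
}

function Merge-LastLogon {
    param([object[]]$Records)
    # lastLogon is not replicated, so keep the newest value seen on any DC.
    # Hashtable keys are case-insensitive, like the script's vbTextCompare.
    $latest = @{}
    foreach ($r in $Records) {
        $when = Convert-LastLogon $r.LastLogon
        if (-not $latest.ContainsKey($r.DN)) {
            $latest[$r.DN] = $when
        }
        elseif ($null -ne $when -and
                ($null -eq $latest[$r.DN] -or $when -gt $latest[$r.DN])) {
            $latest[$r.DN] = $when
        }
    }
    return $latest
}

function Get-StaleAccount {
    param([hashtable]$Latest, [datetime]$AsOf, [int]$Days = 90)
    # Report accounts whose newest logon is older than the cutoff,
    # and accounts for which no DC has a logon on record.
    $cutoff = $AsOf.AddDays(-$Days)
    foreach ($dn in ($Latest.Keys | Sort-Object)) {
        $when = $Latest[$dn]
        if ($null -eq $when -or $when -lt $cutoff) {
            $status = if ($null -eq $when) { 'never logged on' } else { 'inactive' }
            [pscustomobject]@{ DN = $dn; LastLogonUtc = $when; Status = $status }
        }
    }
}

# A fixed "as of" date keeps the sample run reproducible.
$latest = Merge-LastLogon -Records $records
Get-StaleAccount -Latest $latest -AsOf ([datetime]'2009-03-03') -Days 90 |
    Format-Table -AutoSize
```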


Export Active Directory Group members list

March 3, 2009

I found this script a while back. It will create a list of all the groups and their members in your Active Directory domain. Just copy the text below into an empty text document and rename it to something like GetGroupMembers.vbs.

Dim sResultText, Grps, MemberList
Dim oRootDSE, oConnection, oCommand, oRecordSet
Dim objCommand, ldstring, dom, fso, ts

Set oRootDSE = GetObject("LDAP://rootDSE")
Set oConnection = CreateObject("ADODB.Connection")
oConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = oConnection

' Search base: the domain's default naming context, in ADO's <LDAP://...> form.
ldstring = "<LDAP://" & oRootDSE.Get("defaultNamingContext") & ">;"

objCommand.CommandText = ldstring & "(objectClass=group);name,SamAccountName"

Set oRecordSet = objCommand.Execute()
Do While Not oRecordSet.EOF
    sResultText = sResultText & oRecordSet.Fields("samAccountName") & vbCrLf
    'WScript.Echo oRecordSet.Fields("samAccountName") & vbCrLf
    ' dom is passed ByRef and comes back holding the DC's DNS host name.
    MemberList = RetrieveUsers(dom, oRecordSet.Fields("samAccountName"))
    'WScript.Echo MemberList
    sResultText = sResultText & MemberList & vbCrLf & "************************************" & vbCrLf

    oRecordSet.MoveNext
Loop
'WScript.Echo sResultText

' The output file name is prefixed with the host name stored in dom.
' True = overwrite the file if it already exists.
Set fso = CreateObject("Scripting.FileSystemObject")
Set ts = fso.CreateTextFile(dom & "DomainGroupUsers.txt", True)
ts.Write sResultText
ts.Close
MsgBox "Done"

'*****************************************************************************************
'*****************************************************************************************
Function RetrieveUsers(domainName, grpName)

    Dim dom
    Dim grp
    Dim GrpObj
    Dim mbrlist
    Dim mbr
    Dim objDomain, mbremail

    '-------------------------------------------------------------------------------
    ' *** Enumerate Group Members ***
    '-------------------------------------------------------------------------------

    grp = grpName
    Set objDomain = GetObject("LDAP://rootDse")
    domainName = objDomain.Get("dnsHostName")
    ' Build the ADSI query and retrieve the group object
    Set GrpObj = GetObject("WinNT://" & domainName & "/" & grp & ",group")

    ' Loop through the group membership and build a string containing the names
    For Each mbr In GrpObj.Members
        On Error Resume Next
        mbremail = SearchEmail(mbr.Name)
        If Err Then
            mbrlist = mbrlist & vbTab & mbr.Name & vbCrLf
        Else
            'if you don't want the email addresses, then copy the line 2 up to below
            mbrlist = mbrlist & vbTab & mbr.Name & vbTab & vbTab & mbremail & vbCrLf
        End If
    Next

    'The next line returns mbrlist back up to the main body
    RetrieveUsers = mbrlist

End Function

Public Function SearchEmail(ByVal vSAN)
    ' Function: SearchEmail
    ' Description: Searches the mail attribute for a given SamAccountName
    ' Parameters: ByVal vSAN - The SamAccountName to search
    ' Returns: The mail attribute (empty if none is found)
    Dim oRootDSE, oConnection, oCommand, oRecordSet

    Set oRootDSE = GetObject("LDAP://rootDSE")
    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Open "Provider=ADsDSOObject;"
    Set oCommand = CreateObject("ADODB.Command")
    oCommand.ActiveConnection = oConnection
    oCommand.CommandText = "<LDAP://" & oRootDSE.Get("defaultNamingContext") & _
        ">;(&(objectCategory=User)(samAccountName=" & vSAN & "));mail;subtree"
    Set oRecordSet = oCommand.Execute
    On Error Resume Next
    SearchEmail = oRecordSet.Fields("mail")
    On Error GoTo 0
    oConnection.Close
    Set oRecordSet = Nothing
    Set oCommand = Nothing
    Set oConnection = Nothing
    Set oRootDSE = Nothing
End Function

Double click on the newly created file and give it a few moments (depends on the size and number of groups in your domain). There is no display while it is running. After it has completed there will be a text file with all the information in it. You can then import this file into Excel.

Download the script Here (Rename the file to a .zip )


Enabling Multiple Remote Desktop Sessions in Windows XP Professional and Media Center Edition 2005

December 28, 2008

If you have ever used a real remote computer system like Citrix, then you have probably been craving multiple Remote Desktop sessions since you first fired up Windows XP Professional and/or Media Center Edition. Here is a HACK (translated: USE AT YOUR OWN RISK), to enable multiple Remote Desktop sessions on your XP Pro or MCE 2005 box:

NOTE: You will have to have knowledge of the Windows operating system and more specifically the Windows Registry. If you have no experience with the registry, then I would recommend you find someone who does or leave these alone. I do not make any kind of warranty that this will work for you or your friends. This is provided for entertainment purposes only. Don’t call me if your computer stops working. Got it?

1. Print these directions so that you have them to work from.
2. Restart your computer in Safe Mode
3. Turn off/disable Remote Desktop Connection (RDC) and Terminal Services
   1. Right click My Computer
   2. Select Properties
   3. Click on the Remote tab at the top of the window
   4. UNCHECK the box next to, "Allow users to connect remotely to this computer"
   5. Click OK
   6. Go to Start -> Control Panel -> Administrative Tools -> Services
   7. Find Terminal Services in the list
   8. Right click on Terminal Services and click Properties
   9. In the Startup Type box, select Disabled
   10. Click OK to close the window
4. Next you will replace the current version of the Terminal Services DLL (termsrv.dll) (Or Here) with an unrestricted version from a previous release of Terminal Services.
   1. Here is a copy of the Terminal Services DLL – Save it to your Desktop or other suitable location
   2. Using a file manager like Windows Explorer open C:\Windows\system32\dllcache
   3. Rename the file termsrv.dll to termsrv_dll.bak or whatever you would like.
   4. Copy the downloaded termsrv.dll file (the one you just downloaded from the web) to C:\Windows\system32\dllcache
   5. Open the C:\Windows\system32 folder
   6. Delete the file termsrv.dll in C:\Windows\system32
5. Now we can edit the Windows Registry to enable more than one RDP connection. Go to Start -> Run and type regedit – Hopefully you knew that already
6. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core
7. Add a DWORD Key named EnableConcurrentSessions and give it a value of 1
8. Close the Registry Editor window
9. Go to Start -> Run and type gpedit.msc to run the Group Policy Editor
10. Browse to Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services and double click Limit number of connections
11. Select the Enabled button and enter the number of connections you would like to enable….at least 2.
12. Restart Windows
13. Right click My Computer and select Properties.
14. Click on the Remote tab at the top of the window
15. CHECK the box next to, "Allow users to connect remotely to this computer"
16. Click OK
17. Go to Start -> Control Panel -> Administrative Tools -> Services. Select Terminal Services from the list and double click it or right-click -> Properties. Set the Startup Type to Manual.
18. Restart Windows/Computer

You should be good to go.

Source: http://www.golod.com/2005/10/enabling-multiple-remote-desktop-sessions-in-windows-xp-professional-and-media-center-edition-2005/


DMA reverts to PIO

November 20, 2008

Quick solution

If you’re not interested in the details, but just want to fix this problem as quickly as possible:

1. Create a new text file and paste the information below into this file. Rename the file to resetdma.vbs
2. Run resetdma.vbs
3. Despite any warnings click on the [Open] or [Execute] buttons as required to execute the file resetdma.vbs. (If you fear that this web site could be malevolent, you can use the manual method instead, which is described below. Or you could download, save, and inspect the program with an editor like the Windows Notepad. It is a script text file.)
4. If the program found any ATA channel to reset, reboot your computer and test all drives.
5. If the problem is still not solved, set the offending channel to PIO manually, reboot your computer, set the channel back to DMA, and reboot again.

resetdma.vbs

' Visual Basic Script program to reset the DMA status of all ATA drives

' Copyright © 2006 Hans-Georg Michna

' Version 2007-04-04

' Works in Windows XP, probably also in Windows 2000 and NT.
' Does no harm if Windows version is incompatible.

If MsgBox("This program will now reset the DMA status of all ATA drives with Windows drivers." _
    & vbNewline & "Windows will redetect the status after the next reboot, therefore this procedure" _
    & vbNewline & "should be harmless.", _
    vbOkCancel, "Program start message") _
    = vbOk Then

    RegPath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\"
    ValueName1Master = "MasterIdDataChecksum"
    ValueName1Slave = "SlaveIdDataChecksum"
    ValueName2Master = "UserMasterDeviceTimingModeAllowed"
    ValueName2Slave = "UserSlaveDeviceTimingModeAllowed"
    ValueName3 = "ResetErrorCountersOnSuccess"
    MessageText = "The following ATA channels have been reset:"
    MessageTextLen0 = Len(MessageText)
    ConsecutiveMisses = 0
    Set WshShell = WScript.CreateObject("WScript.Shell")

    For i = 0 to 999
        RegSubPath = Right("000" & i, 4) & "\"

        ' Master

        Err.Clear
        On Error Resume Next
        WshShell.RegRead RegPath & RegSubPath & ValueName1Master
        errMaster = Err.Number
        On Error Goto 0
        If errMaster = 0 Then
            On Error Resume Next
            WshShell.RegDelete RegPath & RegSubPath & ValueName1Master
            WshShell.RegDelete RegPath & RegSubPath & ValueName2Master
            On Error Goto 0
            MessageText = MessageText & vbNewLine & "Master"
        End If

        ' Slave

        Err.Clear
        On Error Resume Next
        WshShell.RegRead RegPath & RegSubPath & ValueName1Slave
        errSlave = Err.Number
        On Error Goto 0
        If errSlave = 0 Then
            On Error Resume Next
            WshShell.RegDelete RegPath & RegSubPath & ValueName1Slave
            WshShell.RegDelete RegPath & RegSubPath & ValueName2Slave
            On Error Goto 0
            If errMaster = 0 Then
                MessageText = MessageText & " and "
            Else
                MessageText = MessageText & vbNewLine
            End If
            MessageText = MessageText & "Slave"
        End If

        If errMaster = 0 Or errSlave = 0 Then
            On Error Resume Next
            WshShell.RegWrite RegPath & RegSubPath & ValueName3, 1, "REG_DWORD"
            On Error Goto 0
            ChannelName = "unnamed channel " & Left(RegSubPath, 4)
            On Error Resume Next
            ChannelName = WshShell.RegRead(RegPath & RegSubPath & "DriverDesc")
            On Error Goto 0
            MessageText = MessageText & " of " & ChannelName & ";"
            ConsecutiveMisses = 0
        Else
            ConsecutiveMisses = ConsecutiveMisses + 1
            If ConsecutiveMisses >= 32 Then Exit For ' Don't search unnecessarily long.
        End If
    Next ' i

    If Len(MessageText) <= MessageTextLen0 Then
        MessageText = "No resettable ATA channels with Windows drivers found. Nothing changed."
    Else
        MessageText = MessageText & vbNewline _
            & "Please reboot now to reset and redetect the DMA status."
    End If

    MsgBox MessageText, vbOkOnly, "Program finished normally"

End If ' MsgBox(...) = vbOk

' End of Visual Basic Script program

Source: http://winhlp.com/node/10


Updating virus definitions for Symantec AntiVirus Corporate Edition

October 27, 2008

To copy an .xdb file to a Symantec AntiVirus client

  • Copy the .xdb file to the correct folder, depending on the program version:
    • For clients that run Windows 2003/XP/2000, the default folder is one of the following:
      • C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\
      • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\

        The Application Data folder may be hidden.

    • For clients that run Windows 98/Me, the following is the default folder:
      C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\ or C:\Program Files\Symantec AntiVirus\
    • For clients that run Windows NT 4.0, the following is the default folder:
      C:\WinNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\

Source: http://service1.symantec.com/support/ent-security.nsf/docid/2002103012571948


2007 Spell Check Not working

October 27, 2008

Start Regedit and go to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Proofing Tools\1.0\Override\en-US

I had 2 entries (DLL and LEX) pointing to non-existing files.

Rename these to oldDLL and oldLEX.

After this change all Spell Checking worked normally again.

Source: http://help.lockergnome.com/office/2007-Spell-Check-working-ftopict928009.html


Global address not updating under Outlook cache mode

October 8, 2008

In cached mode, users will appear the next morning. Exchange rebuilds the Offline Address Book at 4am (I think). If you want to force a manual update:

Expand Recipients, click on Offline Address List. Right click on Default Offline Address List in the right pane. Click Rebuild. The Rebuild could take some time depending on how many users you have.

To get the new users to appear in Outlook once the rebuild has been done: Open Outlook, click Tools -> Send/Receive -> Download Address Book. Then place a check in Download Changes since last Send/Receive. Click OK. The new OAL will download.

Source: http://forums.msexchange.org/m_1800427039/mpage_1/key_/tm.htm#1800427039


How to block IP address ranges in uTorrent – using ipfilter.dat

October 6, 2008

In case that you experience lots of hash fails in your uTorrent client, or just simply want to filter out suspicious IP addresses, you should use an IP blocklist.

Here is how:

1. Download an appropriate IP blocklist. The file will be saved in .gz format, therefore you will have to unzip it. The result is a file called “ipfilter.dat”, that is the IP blocklist.

2. Copy/paste the ipfilter.dat file into your %appdata%\utorrent folder. This folder looks like “C:\Documents and Settings\<your Windows username>\Application Data\uTorrent”.

3. Start uTorrent, go into Options -> Preferences -> Advanced, set the ipfilter.enable option to True and hit Apply/OK.

If you have successfully executed the above steps, then on the Logger tab of uTorrent, you should see something like "Loaded ipfilter.dat (xxxx entries)". If you see "0 entries" there, then something went wrong.

You can reload the list without restarting uTorrent, by simply setting the ipfilter.enable option to False/OK and then True/OK.

The same ipfilter.dat file can also be used in your eMule client.

Source : http://decoding.wordpress.com/2007/05/24/how-to-block-ip-address-ranges-in-utorrent-using-ipfilterdat/


Very slow download from Updates from Microsoft

September 29, 2008

BITS uses idle system time. If your machine is too busy it’ll take forever
to download. Try setting the BITS foreground bit like this:

WsusDebugTool.exe /Tool:SetForegroundDownload

Source: http://forums.techarena.in/server-update-service/233749.htm#post865019


How To View and Kill Processes On Remote Windows Computers

September 25, 2008

Windows provides several methods to view processes remotely on another computer. Terminal Server is one way, or you can use the command line utility pslist from the Microsoft Sysinternals site. While both options are good alternatives, Windows XP and Vista provide built-in utilities for viewing and killing processes on remote computers: the Tasklist and Taskkill commands.

Both tasklist.exe and taskkill.exe can be found in the %SYSTEMROOT%\System32 (typically C:\Windows\System32) directory.

To view processes on a remote computer in your home, you will need to know the username and password of an account on the computer whose processes you want to view. Once you have the user account information, the syntax for using tasklist follows:

tasklist.exe /S SYSTEM /U USERNAME /P PASSWORD

(To view all tasklist options, type tasklist /? at the command prompt)

To execute, click on Start \ Run… and in the run window type cmd to open a command prompt. Then type the tasklist command, replacing SYSTEM with the remote computer whose processes you want to view, and USERNAME and PASSWORD with an account and password on the remote computer.

(NOTE: if you are in a Domain environment and have Administrator rights to the remote computer, you may not need to specify a Username and Password)

Now if there is a process that needs to be killed, you can use the taskkill command. As with tasklist, you will also need the username and password on the remote computer. The syntax for using taskkill is

taskkill.exe /S SYSTEM /U USERNAME /P PASSWORD /IM PROCESS

(To view all taskkill options, type taskkill /? at the command prompt)

Where SYSTEM, USERNAME, PASSWORD is the same as above for the tasklist command, and IM is the process image name you want to kill. In the above screen shot we will kill firefox.exe by typing the following at the command prompt:

taskkill.exe /S wtn1 /U joe /P ddd1234 /IM firefox.exe
SUCCESS: The process “firefox.exe” with PID 196 has been terminated

You can also kill a process using the PID (Process ID) of the process. In the above example the PID for firefox.exe is 196:

taskkill.exe /S wtn1 /U joe /P ddd1234 /PID 196

If the process does not terminate, you can use /F to forcefully terminate the process.

taskkill.exe /S wtn1 /U joe /P ddd1234 /PID 196 /F

Source: http://www.watchingthenet.com/how-to-view-and-kill-processes-on-remote-windows-computers.html