Need to check the ages on the trusts in your forest?[1]
for /f "tokens=*" %i in ('adfind -sc domainlist') do adfind -h %i -binenc -f "&(samaccounttype=805306370)(pwdlastset<={{CURRENT:-180d}})" canonicalname name pwdlastset -tdcd -csv -nodn -sort pwdlastset
joe
[1] If you don’t audit your trusts to see if they have gone stale, you certainly should. Just part of normal AD housekeeping.
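What the filter in the command above selects, as an added Python example (not joe's code and not part of AdFind): it expands the 180-day cutoff into the raw Int8 value that pwdLastSet is compared against and applies the same two conditions to a few records. The record names, the fixed NOW date and the helper function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as an Int8 FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAM_TRUST_ACCOUNT = 0x30000002    # 805306370, the samaccounttype in the filter
SAM_MACHINE_ACCOUNT = 0x30000001  # 805306369, ordinary computer accounts


def to_filetime(dt):
    """Convert an aware datetime to the Int8 value AD stores."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ticks):
    """Convert a stored Int8 value back to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def stale_trust_filter(now, days=180):
    """The post's filter written out with a literal cutoff value."""
    cutoff = to_filetime(now - timedelta(days=days))
    return f"(&(sAMAccountType={SAM_TRUST_ACCOUNT})(pwdLastSet<={cutoff}))"


def stale_trusts(records, now, days=180):
    """Return (name, age in days) for stale trust accounts, oldest first."""
    cutoff = to_filetime(now - timedelta(days=days))
    return [
        (r["name"], (now - from_filetime(r["pwdLastSet"])).days)
        for r in sorted(records, key=lambda r: r["pwdLastSet"])
        if r["sAMAccountType"] == SAM_TRUST_ACCOUNT and r["pwdLastSet"] <= cutoff
    ]


# Constructed sample data: two trust accounts and one workstation account.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "CHILD$", "sAMAccountType": SAM_TRUST_ACCOUNT,
     "pwdLastSet": to_filetime(NOW - timedelta(days=20))},
    {"name": "OLDPARTNER$", "sAMAccountType": SAM_TRUST_ACCOUNT,
     "pwdLastSet": to_filetime(NOW - timedelta(days=400))},
    {"name": "WKS01$", "sAMAccountType": SAM_MACHINE_ACCOUNT,
     "pwdLastSet": to_filetime(NOW - timedelta(days=500))},
]

if __name__ == "__main__":
    print(stale_trust_filter(NOW))
    for name, age in stale_trusts(SAMPLE, NOW):
        print(f"{name}: trust password last set {age} days ago")
```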
Another good blog, Joe. What I found interesting is looking at this entry and a similar one you posted a few years ago http://blog.joeware.net/2009/08/20/1684/
I like the samaccounttype here for the SAM_TRUST_ACCOUNT versus name=*$ (although that works fine too)
Thanks
Mike
Note that the single quotes around the “adfind -sc domainlist” should be standard command line single quotes, not the weird single quotes that for whatever reason are popping up. I originally pasted a command that absolutely works. Then, I thought, Live Writer must have converted it. But in editing the actual text of the blog I still can’t make it work right.
Pasting again in this comment to see if it gets screwed up:
for /f “tokens=*” %i in (‘adfind -sc domainlist’) do adfind -h %i -binenc -f “&(samaccounttype=805306370)(pwdlastset<={{CURRENT:-180d}})" canonicalname name pwdlastset -tdcd -csv -nodn -sort pwdlastset
Yep even posting a working command in comments doesn’t work… Note you know when something is screwing up in the quotes when you see something like
BLAH was unexpected at this time.
AdFind isn’t screwing up here, AdFind isn’t even getting executed.
Thanks Mike. I need to start searching and performing those links myself. This new version uses the “newer” domainlist shortcut which allows you to loop through all of the domains in the forest and perform the command. And I agree I like the samaccounttype better too. We all live and learn. 🙂