OldCmp V01.05.00cpp Joe Richards (joe@joeware.net) December 2004
Usage:
OldCmp [switches]
Switches: (designated by - or /)
-report Write report of objects
-disable Disable objects
-delete Delete objects
Delete will only work on disabled objects.
-move Move objects, use with newparent.
-newparent xx DN for a new parent to move objects to. Can be used
with move or disable options.
-stamp When used with delete w/ expire account as well
The idea being you can see the date it was done then.
-safety x How many objects to modify. (Default 10)
With this set, stops updating after x mods.
I did this because it is very easy to hurt yourself.
-unsafe Update ALL of the objects identified.
-forreal REALLY MAKE THE MODS, this is the final safety.
-h host Host to use. (Default is to autofind DC)
-s scope Scope of search. OneLevel, Subtree. (Default Subtree)
-b basedn RFC 1779 DN to start search at (Default domain root)
-users Work on users instead of computers.
-realage Filters out computers/users that have not set their
password (or haven't logged on when llts specified).
-f filter RFC 2254 LDAP filter (Default is confusing :)
-af addon RFC 2254 LDAP filter to add to builtin filter
-excldn xx Exclude objects with given string in DN. Multiple
strings delimted by semi-colon (;).
-excldndelim x Specify a delimiter for -excldn, default is (;).
-t xxx Timeout value in seconds. (Default 300 seconds)
-bit Bitwise operator filter conversion enable
:AND:= converts to :1.2.840.113556.1.4.803:=
:OR:= converts to :1.2.840.113556.1.4.804:=
-ps size Page size. (Default 100)
-nodc Exclude DCs from queries
-norefer No LDAP referrals
-onlydisabled Only disabled accounts (Default All)
-age x Min Days Old for password age. (Default 90 days)
-maxage x Max Days Old for password age. (Default Infinity)
-llts If K3 domain in Domain Functional mode uses
lastLogonTimeStamp instead of pwdLastSet for age options.
-format x Report Format (Default HTML)
CSV - Delimited Text
HTML - Standard HTML
DHTML - Dynamic HTML (IE Only)
-sh Will autodisplay HTM/HTML/TXT files after run
-file x File to write to. (Default oldcmp-.htm
-append Append to file instead of overwrite
-delim x Delimiter for CSV. (Default ;)
Specify TAB for \t (tab character)
-nolc Do not normalize machine names to lc - RAW Case
-nohtmlheader Don't insert base HTML (title, body...)
-sort x Sort by various fields.
-rsort x Reverse Sort by various fields.
cn = name
pwage = password age
age = object age
OS = operating system version
LLTS = lastLogonTimestamp
Ex1:
oldcmp /?
Display this help
Ex2a:
oldcmp -report
Generate html report of all cmpaccs > 90 days old
Ex2a:
oldcmp -report -format dhtml -sh
Generate dhtml report of all cmpaccs > 90 days old
Open the report after generating it
Ex2c:
oldcmp -report -format csv
Generate csv report of all cmpaccs > 90 days old
Ex3a:
oldcmp -report -age 0
Generate html report of all cmpaccs
Ex3b:
oldcmp -report -age 0 -format csv -delim tab
Generate csv (tab delimited) report of all cmpaccs
Ex4:
oldcmp -report -age 0 -onlydisabled
Generate html report of all disabled cmpaccs
Ex5:
oldcmp -report -age 0 -onlydisabled -sort cn
Generate html report of all disabled cmpaccs, sort on name
Ex6:
oldcmp -delete -age 0 -onlydisabled
Generate html report of all disabled cmpaccs, sort on pwage
Will show you what it would try to delete. Only up to 10.
Ex7:
oldcmp -delete -age 0 -onlydisabled -safety 100
Generate html report of all disabled cmpaccs, sort on pwage
Will show you what it would try to delete. Only up to 100.
Ex8:
oldcmp -delete -age 0 -onlydisabled -unsafe
Generate html report of all disabled cmpaccs, sort on pwage
Will show you what it would try to delete. All cmpaccs.
Ex9:
oldcmp -delete -age 0 -onlydisabled -unsafe -forreal
Generate html report of all disabled cmpaccs, sort on pwage
Will REALLY DELETE all accounts identified.
Ex10:
oldcmp -disable -unsafe -forreal
Generate html report of all cmpaccs > 90 days, sort on pwage
Will REALLY DISABLE all accounts identified.
Ex11:
oldcmp -report -sort OS -age 0 -maxage 60
Generate html report of all cmpaccs still valid, sort on OS
Ex12:
oldcmp -report -af "(operatingsystem=Windows XP Professional)" -onlydisabled -age 0
Generate html report of all disabled Windows XP machines
Ex13:
oldcmp -report -b ou=mycmps,dc=domain,dc=com
Generate html report of cmpaccs >90 days in specified OU
Note: This tool is VERY POWERFUL and could be VERY DANGEROUS!
I put a lot of safety locks in it ON PURPOSE!!!
This thing can be used for quite a bit of different computer
auditing if you know what you are doing.
Thanks to many of the members of the activedir.org listserv. Lots
of good feedback came in from them when they betatested this tool
for me. Special thanks to Ryan Durant and Bob Free for helping me
with the DHTML option. It wouldn't have made it this soon without
that needed assistance. Thanks everyone!
This software is Freeware. Use it as you wish at your own risk.
If you have improvement ideas, bugs, or just wish to say Hi, I
receive email 24x7 and read it in a semi-regular timeframe.
You can usually find me at joe@joeware.net