How do I generate a report to show the 'pwdlastset' attribute of computers in a domain? (NETIQKB33158)

  • 7733158
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

goal
How do I generate a report to show the 'pwdlastset' attribute of computers in a domain?

fact
Directory and Resource Administrator 6.60

fact
Directory and Resource Administrator 7.x

fix

To gather the 'pwdlastset' attribute, the following methods can be used:

  • Directory and Resource Administrator Reporting tool -  a custom report can be created to gather the pwdLastSet property.  This value is written to the Computer table in the DRA Reporting tool.  The pwdLastSet information is only available when selecting to import Resource Information.
  • Use the DRA ADSI provider or Microsoft ADSI provider to gather this property for computers.  There are examples scripts available on the knowledge depot that performs this operation.  The two scripts, one using the NetIQ DRA ADSI provider and the other using the Microsoft ADSI provider, can be used to determine when a computer password was last changed. Both providers maintain the property called pwdLastSet for computer and user objects in Active Directory. However, the DRA ADSI provider maintains this value as a Date that can be retrieved using ordinary scripting techniques, but the LDAP provider returns the value as INTEGER8 which requires special handling in scripts. The two scripts enumerate computer accounts differently. The script using the LDAP provider performs a search for all computer objects in a domain, then binds to each computer applying the PasswordLastChanged method to determine when the computer password was last changed. The script using the DRA ADSI provider determines computers by enumerating the members of the group Domain Computers.

 



Additional Information

Formerly known as NETIQKB33158