Is there a way to find out the date a user was disabled in Active Directory?

Problem description

I'm currently working on Active Directory and I need to know when certain accounts have been disabled. There is the last_modified (a date) property, but I'm not sure if enabling/disabling an account on AD triggers a change on last_modified. If yes, are there other properties that change it too when they are modified (which is probably the case...)?

Is there a way to know for sure when an account has been disabled, either by checking a property or executing a cmd/powershell script?

Thanks

Recommended answer

Kind of. But it won't be 100% reliable.

To disable an account, the userAccountControl attribute is updated.

Yes, updating userAccountControl will trigger an update to the whenChanged attribute (the "last modified" date).

There is also a computed attribute called msDS-ReplAttributeMetaData that will tell you when attributes were changed, as long as that feature is enabled on your domain. With help from this article, I put some code together to pull out the last time the userAccountControl attribute was changed (set $username to the name of the account you want to look at):

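# Account to inspect (sAMAccountName, DN, GUID or SID)
$username = "whatever"
# The attribute holds one XML fragment per replicated attribute; strip the
# trailing NUL characters and wrap the fragments in a single root element
$metaData = "<root>" + (Get-ADUser $username -Properties "msDS-ReplAttributeMetaData")."msDS-ReplAttributeMetaData".Replace([char]0," ") + "</root>"
$xmlmetaData = [XML]$metaData
# Keep only the userAccountControl entry and read its last originating change time
$userAccountControlModified = ($xmlmetaData.root.DS_REPL_ATTR_META_DATA |
                               Where {$_.pszAttributeName -eq "userAccountControl" } |
                               Sort -Property ftimeLastOriginatingChange -Descending |
                               Select -First 1).ftimeLastOriginatingChange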

However, as the documentation for userAccountControl shows, that attribute is a bit flag that turns on and off several options for the account, not just enabled/disabled.

So while you can get the date the last time userAccountControl was updated, you cannot guarantee that's the time the account was disabled. It's possible that any other of those options were set after it was disabled.
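
The following is an added example, not part of the original answer: it decodes the userAccountControl bit flags and reports them next to the attribute's replication metadata, so the timestamp can be read against what the flags currently say. The function name Get-UacChangeSummary and the output property names are hypothetical; the flag values are a subset of those in Microsoft's userAccountControl documentation.

```powershell
# Added example; Get-UacChangeSummary is a hypothetical helper name.
Import-Module ActiveDirectory

# Subset of the documented userAccountControl bit flags.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x0002
    PASSWD_NOTREQD         = 0x0020
    NORMAL_ACCOUNT         = 0x0200
    DONT_EXPIRE_PASSWORD   = 0x10000
    SMARTCARD_REQUIRED     = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    DONT_REQ_PREAUTH       = 0x400000
}

function Get-UacChangeSummary {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser $Identity -Properties userAccountControl, whenChanged, 'msDS-ReplAttributeMetaData'
    $uac  = [int]$user.userAccountControl

    # Same parsing as the answer: strip NULs and wrap the XML fragments in one root.
    $xml  = [xml]('<root>' + $user.'msDS-ReplAttributeMetaData'.Replace([char]0, ' ') + '</root>')
    $meta = $xml.root.DS_REPL_ATTR_META_DATA |
            Where-Object { $_.pszAttributeName -eq 'userAccountControl' } |
            Select-Object -First 1

    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        # Bit 0x2 is the only part of the value that means "disabled".
        Disabled          = [bool]($uac -band $UacFlags.ACCOUNTDISABLE)
        FlagsSet          = @($UacFlags.Keys | Where-Object { $uac -band $UacFlags[$_] })
        # Last originating write to userAccountControl, for any flag.
        UacLastChanged    = [datetime]$meta.ftimeLastOriginatingChange
        # Number of times the attribute has been written.
        UacVersion        = [int]$meta.dwVersion
        # Changes whenever any attribute on the object changes.
        ObjectLastChanged = $user.whenChanged
    }
}

# Usage: Get-UacChangeSummary -Identity "whatever"
```

When Disabled is true, UacLastChanged is the latest point at which the account could have been disabled, since no write to userAccountControl has happened after it; a high UacVersion means more writes that could have been something other than the disable.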
