Re: Disabling old account script needed
- From: "Torgeir Bakken \(MVP\)" <Torgeir.Bakken-spam@xxxxxxxxx>
- Date: Tue, 05 Jul 2005 15:01:43 +0200
lforbes wrote:
Hi Paul,
Thanks for the tip about the saved queries. I didn't know about that feature. I learn something new with 2003 everyday.
By the way, I was told on these boards that up until Windows 2003 Native mode, the listlogin vbscript was per DC, but if in Windows 2003 Native Mode it is actually per domain. I have run it recently with 200 users and the login was the same regardless of the DC that I ran it on.
Hi Lara,
The Lastlogin attribute that you use in the script ListLastLogon.vbs at your web site is not replicated between the domain controllers, no matter what domain mode you have. This means that a different value for the user could be stored in every Domain Controller in the domain. You need to bind to each DC and determine the latest date.
The one that is replicated (but ONLY as long as the domain functional level is set to Windows Server 2003), is the LDAP property lastLogonTimestamp, but this value is only updated when the user logs in if a week has passed since the last update (so it is usable only to see if an account have been active on a weekly basis).
From the docs for lastLogonTimestamp:
http://msdn.microsoft.com/library/en-us/adschema/ad/adam_a_lastlogontimestamp.asp
<quote> Last-Logon-Timestamp This is the time that the user last logged into the domain. This value is only updated when the user logs in if a week has passed since the last update. This value is replicated. </quote>
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/dsadmin_concepts_accounts.asp
<quote> When the domain functional level has been set to Windows Server 2003, a new lastLogonTimestamp attribute is used to track the last logon time of a user or computer account. </quote>
The above is relevant for both user and computer accounts. Note the once a week update only part and the Windows Server 2003 domain functional level prerequisite.
Raise the domain functional level; Windows Server 2003 http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_changedomlevel.asp
Raising the Roof on Domain Functional Levels http://www.networking.earthweb.com/netos/article.php/3298531
-- torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide: http://www.microsoft.com/technet/scriptcenter/default.mspx .
- Follow-Ups:
- Re: Disabling old account script needed
- From: lforbes
- Re: Disabling old account script needed
- From: Jay Quadri
- Re: Disabling old account script needed
- References:
- Disabling old account script needed
- From: Jay Quadri
- Re: Disabling old account script needed
- From: Paul Bergson
- Re: Disabling old account script needed
- From: lforbes
- Disabling old account script needed
- Prev by Date: QOS Admission Control
- Next by Date: Disaster Recovery Site
- Previous by thread: Re: Disabling old account script needed
- Next by thread: Re: Disabling old account script needed
- Index(es):
Relevant Pages
|
Loading
