Re: LastLogon time
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Tue, 18 Jul 2006 00:42:41 -0400
Yep, just as Richard indicates. This is a pretty popular question that we have been answering for some time. Do a Google search on the term msDS-LogonTimeSyncInterval and you should find quite a few hits, including at least one hit at RegHacks (Jerold's site) about it, though Google's indexing of the groups as of late has seemed a bit off.
The lowest you can reduce it to in AD is 1 day and you should be very aware of the impact that could have on your replication infrastructure. There is a good reason why lastLogon wasn't replicated and lastLogonTimeStamp was set to update only every 14 days.
Under ADAM this default is changed in a different way and can be reduced to 0, which means update on every authentication. But then ADAM auth is always for direct LDAP directory access only, whereas domain auths occur throughout the day automatically.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
============================================================================
Do not read this worthless blog entry on
Defending Security Infrastructures http://blog.joeware.net/2006/07/11/445/
I'm serious, you will learn absolutely nothing about
Defending Security Infrastructures.
============================================================================
kj wrote:
Richard,
Can this 14 days be changed, supported or otherwise?
Ever since it was documented in 2003's release I've been trying to answer this question.
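
Added example, not part of the original thread: a Python sketch of how a stale-account check can combine the non-replicated lastLogon values from each DC with the replicated lastLogonTimestamp and its update interval. The function names, DC names and sample values are hypothetical and constructed; it assumes a logon later than the sync interval after the stamp always refreshes the stamp, and it ignores replication latency.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEFAULT_SYNC_DAYS = 14  # default lastLogonTimestamp update interval per the post

def filetime_to_dt(ft):
    """Both attributes hold 100 ns ticks since 1601-01-01 UTC; 0/None = no value."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed samples."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def classify(stamp_ft, dc_last_logon, now, stale_days, sync_days=DEFAULT_SYNC_DAYS):
    """Return (verdict, newest known logon); dc_last_logon maps DC -> lastLogon, None = DC not queried."""
    cutoff = now - timedelta(days=stale_days)
    stamp = filetime_to_dt(stamp_ft)
    known = [t for t in map(filetime_to_dt, dc_last_logon.values()) if t]
    if stamp:
        known.append(stamp)
    best = max(known) if known else None
    if best and best >= cutoff:
        return "active", best
    if all(v is not None for v in dc_last_logon.values()):
        # lastLogon is not replicated, so only a full sweep of DCs is authoritative.
        return ("stale" if best else "never"), best
    # Incomplete sweep (assumption): a logon more than sync_days after the stamp
    # would have refreshed it, so the true last logon is before stamp + sync_days.
    if stamp and stamp + timedelta(days=sync_days) < cutoff:
        return "stale", best
    return "uncertain", best

# Constructed sample data (hypothetical accounts and DC names, not from the thread).
NOW = datetime(2006, 7, 18, tzinfo=timezone.utc)
def ago(days):
    return dt_to_filetime(NOW - timedelta(days=days))

SAMPLES = {
    "alice": (ago(10), {"dc1": ago(1), "dc2": 0}),
    "bob": (ago(40), {"dc1": ago(40), "dc2": None}),
    "carol": (ago(60), {"dc1": None, "dc2": ago(60)}),
    "dave": (ago(40), {"dc1": ago(40), "dc2": ago(35)}),
}

if __name__ == "__main__":
    for name, (stamp, dcs) in SAMPLES.items():
        print(name, *classify(stamp, dcs, NOW, stale_days=30))
```

With a 30-day threshold, "bob" comes out uncertain under the 14-day default because one DC was not queried; passing sync_days=1 (the AD minimum mentioned above) narrows the window enough to call the account stale, which is the accuracy gained for the extra replication traffic.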