Re: Last Login for Computer Accounts



Maybe, depends on the VPN software, best to test it in your environment.

Computer accounts are tough as there is no guaranteed mechanism to find out if they aren't being used. That is why the tool won't let you just delete the accounts straight away. I recommend disabling them for a month or 4 and then, if no one complains, deleting them. This can still cause issues but probably won't.

Note that by default, oldcmp uses pwdLastSet (i.e. password age). To use last logon values you use the -llts switch which enables lastLogonTimeStamp. It does this because lastLogon isn't replicated.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


MikeB wrote:
I am trying to clean up AD and using the oldcmp.exe script to check when a computer account was last logged in. I see about 200 accounts that haven't been logged in for a while.

I guess the question more relates to VPN and that if a client logs in through VPN, will AD see the computer account and update the last login time?
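
Added example, not part of the original thread and not oldcmp's own code: how the two attributes named in the reply (pwdLastSet and lastLogonTimestamp), both stored as Windows FILETIME integers, can classify the same computer account differently. The record names, values and the 90-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet and lastLogonTimestamp as FILETIME:
# 100-nanosecond ticks since 1601-01-01 UTC; 0 or absent means never set.
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ticks):
    """Convert FILETIME ticks to a UTC datetime, or None if never set."""
    if not ticks:
        return None
    return EPOCH + timedelta(microseconds=int(ticks) // 10)

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the sample records."""
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def classify(records, now, max_age_days=90, use_llts=False):
    """Map computer name -> 'active' | 'stale' | 'never-set'.

    use_llts=False checks pwdLastSet (password age); use_llts=True checks
    lastLogonTimestamp. lastLogonTimestamp is replicated but only refreshed
    when it is already about two weeks old, so keep max_age_days well above that.
    """
    attr = "lastLogonTimestamp" if use_llts else "pwdLastSet"
    cutoff = now - timedelta(days=max_age_days)
    result = {}
    for rec in records:
        when = filetime_to_dt(rec.get(attr))
        if when is None:
            result[rec["name"]] = "never-set"
        else:
            result[rec["name"]] = "stale" if when < cutoff else "active"
    return result

# Constructed sample data (hypothetical names, not from a real directory).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _ago(days):
    return dt_to_filetime(NOW - timedelta(days=days))

SAMPLE = [
    {"name": "WS-001", "pwdLastSet": _ago(10), "lastLogonTimestamp": _ago(5)},
    {"name": "WS-002", "pwdLastSet": _ago(200), "lastLogonTimestamp": _ago(3)},
    {"name": "WS-003", "pwdLastSet": _ago(400), "lastLogonTimestamp": _ago(380)},
    {"name": "WS-004", "pwdLastSet": 0},
]

if __name__ == "__main__":
    for llts in (False, True):
        print("llts" if llts else "pwdLastSet", classify(SAMPLE, NOW, use_llts=llts))
```

Accounts that come out stale are candidates for the disable-first approach recommended in the reply, and never-set accounts need a separate look before any action.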