Re: force replication (lastLogonTimestamp)
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 26 Apr 2007 14:41:49 -0500
Cam wrote:
Is is possible to force AD properties (specifically lastLogonTimestamp) to
replicate?
Here is my situation. A script that runs once a week and uses
lastLogonTimestamp to indentify accounts that have not been logged into
for
30 days and disables them. Here is an example case based on the evidence I
have seen. On July 2, the script disables account_A. On July 4, the admin
enables the account so that account_A can log in. On July 9, the script
runs
again. Because lastLogonTimestamp replicates every 14 days, and because
the
script is looking at a different DC than account_A logged in to, the
script
sees an old lastLogonTimestamp and disables the account.
If I could force lastLogonTimestamp to replicate (rather than waiting for
the 14 days), then the script will always see the correct valus for
lastLogonTimestamp. Is there a way to do this, possibly by issuing a ADSI
command in VBScript?
Actually, lastLogonTimeStamp replicates like any other attribute. The
problem is that the value is not updated during logon unless the old value
is more than 14 days in the past. Forcing replication will not help you. You
need some way to force the system to update lastLogonTimeStamp when the user
logs on. Off hand I can't think if a way to do this. One solution is to not
run the script until 14 days after any accounts have been enabled. Another
is to use lastLogon instead, which would require querying every DC.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
.
- Follow-Ups:
- Re: force replication (lastLogonTimestamp)
- From: Richard Mueller [MVP]
- Re: force replication (lastLogonTimestamp)
- Prev by Date: Re: User Logons
- Next by Date: Re: force replication (lastLogonTimestamp)
- Previous by thread: Re: User Logons
- Next by thread: Re: force replication (lastLogonTimestamp)
- Index(es):
Relevant Pages
|
