Re: users' last-logon-timestamp

Tech-Archive recommends: Fix windows errors by optimizing your registry

Also, if you have that group nested, you can use the in chain matching rule
to recurse it. Otherwise memberOf will only match the direct members. The
in chain matching rule was added to AD in 2003 SP1 as I recall.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote in
message news:ONJZs77fIHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
An easy solution is to run the first LastLogon.vbs program I linked
earlier, and redirect the output to a text file. The output can be read
into a spread***. The program queries all DC's in the domain for the
largest value for each user and converts to a date/time in the current
time zone.

If you want to modify the program so it documents only the members of a
group (instead of all users) you could modify the filter used in the
second query (inside the "For k = 0 To UBound(arrstrDCs)" loop). Change
this statement:

strFilter = "(&(objectCategory=person)(objectClass=user))"

to this:

strFilter = "(memberOf=cn=Domain Admins,cn=Users,dc=MyDomain,dc=com)"

where you must specify the full Distinguished Name of the group you want
(after the "memberOf=").

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"John" <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:52228169-97E0-49D1-901C-1201736BA515@xxxxxxxxxxxxxxxx
Joe,

Thank you and thank you.

It worked when I changed to lastlogon. Is there a way to run all members
of
one group such as doamin admins?




"Joe Kaplan" wrote:

You need to use lastLogon in your are not in 2K3 native mode. Flipping
that
setting in AD is what causes lastLogonTimestamp to get populated.

Also, lastLogonTimestamp is a "normal" date time, so you don't need to
do
any wierd conversion on it. LastLogon is the one that requires the
extra
conversion as it is stored as a 64 bit integer (a Windows FILETIME
structure).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"John" <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:789C4C7C-B1FB-4B61-AAE3-1AC919380D32@xxxxxxxxxxxxxxxx
Great thanks.

Unfortunately, we are at windows 2000 native mode with mixed Windows
2000
and windows 2003 DCs.

I found this script:
_____________________
strUserDN = "cn=alice,cn=users,dc=a,dc=b,dc=local"
set objUser = GetObject("LDAP://"; & strUserDN)
set objLogon = objUser.Get("lastLogonTimestamp")
intLogonTime = objLogon.HighPart * (2^32) + objLogon.LowPart
intLogonTime = intLogonTime / (60 * 10000000)
intLogonTime = intLogonTime / 1440
WScript.Echo "Approx last logon timestamp: " & intLogonTime +
#1/1/1601#
_____________
when I run it, I got "Active Directory: The directory property cannot
be
found in the cache"

Can anyone help?

Thank you.


"Richard Mueller [MVP]" wrote:

John wrote:

I enabled the additional account info on the ADUC. I can see each
user's
last-logon-timestamp from Active Directory Users and computers. Is
there
a
way I can get report on users' last-logon-timestamp from AD instead
of
clicking each user to get it? (We are at windows 2000 native
functional
level with mixed windows 2000 and windows 2003 DCs)

I have two VBScript programs linked on this page to retrieve last
logon
dates:

http://www.rlmueller.net/Last%20Logon.htm

The first queries all DC's in the domain for lastLogon, the second
queries
one DC for lastLogonTimeStamp. However, I believe the domain must be
at
Windows Server 2003 functional level for the lastLogonTimeStamp
attribute
to
be available.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--










.

Quantcast