-
LastLogonTimeStamp
Hi,
I am trying to get rid of the 'stale accounts' in our Active Directory. I
read about the LastLogonTimeStamp from The Scripter Guy or Scripting Center
at
http://www.microsoft.com/technet/scr...lastlogon.mspx
I ran the script that came from this article. It returned an error that
seems to indicate that the attribute is not set or null. The error
description is "The directory property cannot be found in the cache."
Our AD was first created in Windows 2000, and then promoted to Win2k3. How
can I see the raw data about this attribute?
If it is not set how can I start capturing this data through this attribute?
The script is as follows:
On Error Resume Next
Set objUser = GetObject("LDAP://CN=User Name,OU= Team 1,OU=Team 2,DC=xxx,DC=yyy,DC=zzzz")
Set objLastLogon = objUser.Get("lastLogonTimestamp")
If Err.Number <> 0 Then
    ' Get raises "The directory property cannot be found in the cache" when the attribute is not set
    Wscript.Echo "lastLogonTimestamp is not set for this account"
    Wscript.Quit
End If
On Error GoTo 0
' Combine the 64-bit FILETIME halves; LowPart is a signed 32-bit value, so add 2^32 when negative
lngLow = objLastLogon.LowPart: If lngLow < 0 Then lngLow = lngLow + 2^32
intLastLogonTime = objLastLogon.HighPart * (2^32) + lngLow
intLastLogonTime = intLastLogonTime / (60 * 10000000)   ' 100-ns intervals to minutes
intLastLogonTime = intLastLogonTime / 1440              ' minutes to days since 1 Jan 1601 (UTC)
Wscript.Echo "Last logon time: " & intLastLogonTime + #1/1/1601#
-
Re: LastLogonTimeStamp
"Lamborghini" <Lamborghini@discussions.microsoft.com> wrote in message
news:ABC9C792-41B4-4D38-9342-28EBCCA9F195@microsoft.com...
> Hi,
> I am trying to get rid of the 'stale accounts' in our Active Directory. I
> read about the LastLogonTimeStamp from The Scripter Guy or Scripting
> Center
> at
> http://www.microsoft.com/technet/scr...lastlogon.mspx
>
> I ran the script that came from this article. It returned an error that
> seems to indicate that the attribute is not set or null. The error
> description is "The directory property cannot be found in the cache."
>
> Our AD was first created in Windows 2000, and then promoted to Win2k3. How
> can I see the raw data about this attribute?
> If it is not set how can I start capturing this data through this
> attribute?
>
> The script is as follows:
>
> Set objUser = GetObject("LDAP://CN=User Name,OU= Team 1,OU=Team
> 2,DC=xxx,DC=yyy,DC=zzzz")
> Set objLastLogon = objUser.Get("lastLogonTimestamp")
>
> intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
> intLastLogonTime = intLastLogonTime / (60 * 10000000)
> intLastLogonTime = intLastLogonTime / 1440
>
> Wscript.Echo "Last logon time: " & intLastLogonTime + #1/1/1601#
>
You can use ADSI Edit to view the actual value, but it will be huge number
(or missing). The domain must be at W2k3 functional level for this attribute
to be available.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
-
Re: LastLogonTimeStamp
I have a large number of computer accounts that have NULL in the lastlogon attribute. The domain was originally Win 2000 and was upgraded to Win 2003. Are these older computers null because they have not logged on since the domain was upgraded?
-
Re: LastLogonTimeStamp
"Bluenoser" <Bluenoser.3jht7d@DoNotSpam.com> wrote in message
news:Bluenoser.3jht7d@DoNotSpam.com...
>
> I have a large number of computer accounts that have NULL in the
> lastlogon attribute. The domain was originally Win 2000 and was
> upgraded to Win 2003. Are these older computers null because they have
> not logged on since the domain was upgraded?
>
The lastLogon attribute is not replicated, even if your domain is at W2k3
functional level. The lastLogonTimeStamp attribute is replicated. By default
computer account passwords are reset every 30 days. It may take that long
before the lastLogonTimeStamp attribute is populated. The lastLogon
attribute is only populated on the DC that authenticates the account. After
30 days if lastLogonTimeStamp is still not populated, either the computer is
not attached to the domain or the DC's are not replicating.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
-
Re: LastLogonTimeStamp
Thanks very much for the response.
If I use ADSI to query the AD I don't think I have any way of knowing which DC returned the response. I have been using lastLogon, which you say is not replicated. I checked lastLogonTimestamp and all my computers are NULL, whereas a lot have a date in lastLogon.
It also looks like from your response that the lastLogonTimeStamp is only reliable for periods greater than 30 days. Is it a best practice to never assume a computer is inactive if that date is less than 30 days?
Thanks,
Brent
-
Re: LastLogonTimeStamp
I think I understand the issue better now. lastlogon does not replicate. lastlogontimestamp is null because our AD is not a true native win2003 version yet.
Now my question is how do I direct an ADSI query to force a specific DC to respond so I can check the non-replicated attribute?
-
Re: LastLogonTimeStamp
First, the lastLogonTimeStamp attribute is only updated during
authentication if the old value is more than 14 days (by default) in the
past. Its purpose is to find old unused accounts. The value is only
accurate to within 14 days.
I have an example VBScript program that retrieves the lastLogon attribute
for all users in the domain linked here:
http://www.rlmueller.net/Last%20Logon.htm
This program uses ADO to query AD for the attribute values. As demonstrated
in this program you can specify which specific DC is queried by including
the DNS name of the DC in the binding string (or in this case, the base of
the ADO query). Ordinarily this is not wise, as you usually don't care which
DC responds, but this becomes necessary if the attribute is not replicated.
For example, in VBScript to bind to a user object you might use a binding
string similar to:
Set objUser = GetObject("LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com")
To bind to the copy of that object on a specific DC called MyServer you
could use:
Set objUser = GetObject("LDAP://MyServer.MyDomain.com/cn=Jim Smith,ou=West,dc=MyDomain,dc=com")
The program I linked above retrieves the names of all DCs in the domain
from the Configuration container, then queries each DC for the lastLogon
attribute of all users. A dictionary object keeps track of the largest
(latest) value for each user.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
"Bluenoser" <Bluenoser.3ji1jd@DoNotSpam.com> wrote in message
news:Bluenoser.3ji1jd@DoNotSpam.com...
>
> I think I understand the issue better now. lastlogon does not
> replicate. lastlogontimestamp is null because our AD is not a true
> native win2003 version yet.
>
> Now my question is how do I direct an ADSI query to force a specific DC
> to respond so I can check the non-replicated attribute?
>
>
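The two replies above describe the whole procedure: lastLogon lives only on the DC that authenticated the account, so every DC has to be asked and the largest value kept, while lastLogonTimeStamp replicates but lags real logons by up to 14 days and may take a while to fill in for computer accounts. The following PowerShell is an added example, not the thread's VBScript or the program Richard links; it uses only System.DirectoryServices (no AD module) and puts the DC's DNS name in the LDAP path exactly as the binding-string example shows. Assumptions: it runs as a domain user on a domain-joined host, the 90-day threshold is a made-up policy value, and the -Computers switch (my addition) swaps the filter to computer accounts for the case Bluenoser raised.

```powershell
# Added example, not the thread's script: query every DC for the non-replicated
# lastLogon, keep the latest value per account, and read the replicated
# lastLogonTimestamp next to it. Uses only System.DirectoryServices.
# Assumptions: domain-joined host, domain user; $StaleDays is a made-up policy
# value; -Computers switches the filter to computer accounts.
param(
    [int]$StaleDays = 90,
    [switch]$Computers
)

# Both attributes are 64-bit FILETIME values (100 ns ticks since 1601-01-01 UTC).
# DirectorySearcher returns them as Int64; 0 or absent means "never recorded".
function ConvertFrom-AdFileTime {
    param([int64]$Ticks)
    if ($Ticks -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($Ticks)
}

$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$baseDn  = $domain.GetDirectoryEntry().Properties['distinguishedName'].Value
$filter  = if ($Computers) { '(objectClass=computer)' } else { '(&(objectCategory=person)(objectClass=user))' }
$results = @{}   # sAMAccountName -> record holding the largest value seen on any DC

foreach ($dc in $domain.DomainControllers) {
    # The DC's DNS name in the LDAP path makes this DC, and only this DC, answer.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$baseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'lastLogon', 'lastLogonTimestamp'))
    try {
        foreach ($r in $searcher.FindAll()) {
            $sam  = [string]$r.Properties['samaccountname'][0]
            $ll   = if ($r.Properties.Contains('lastlogon')) { [int64]$r.Properties['lastlogon'][0] } else { 0 }
            $llts = if ($r.Properties.Contains('lastlogontimestamp')) { [int64]$r.Properties['lastlogontimestamp'][0] } else { 0 }
            if (-not $results.ContainsKey($sam)) {
                $results[$sam] = [pscustomobject]@{ Name = $sam; LastLogon = [int64]0; LastLogonTimestamp = [int64]0 }
            }
            $rec = $results[$sam]
            if ($ll   -gt $rec.LastLogon)          { $rec.LastLogon = $ll }            # latest wins across DCs
            if ($llts -gt $rec.LastLogonTimestamp) { $rec.LastLogonTimestamp = $llts } # identical on every DC once replicated
        }
    } catch {
        # An unreachable DC must surface as an error, not as "nobody logged on there".
        Write-Warning "Could not query $($dc.Name): $_"
    }
}

$cutoff = [DateTime]::UtcNow.AddDays(-$StaleDays)
$report = foreach ($rec in $results.Values) {
    $exact = ConvertFrom-AdFileTime $rec.LastLogon            # authoritative: max over all DCs
    $repl  = ConvertFrom-AdFileTime $rec.LastLogonTimestamp   # replicated, but only refreshed when >14 days old
    if ($exact)    { $stale = $exact -lt $cutoff }
    elseif ($repl) { $stale = $repl -lt $cutoff.AddDays(-14) }   # allow for the 14-day update lag
    else           { $stale = 'unknown' }                        # never recorded: do not assume stale
    [pscustomobject]@{
        Name               = $rec.Name
        LastLogon          = $exact
        LastLogonTimestamp = $repl
        Stale              = $stale
    }
}
$report | Sort-Object LastLogon | Format-Table -AutoSize
```

Run it as `.\Get-StaleAccounts.ps1` for users or `.\Get-StaleAccounts.ps1 -Computers` for computer accounts (the file name is whatever you save it as). The Stale column is only ever true from the exact lastLogon, or from lastLogonTimestamp after the 14-day lag has been added to the threshold; an account with neither value is reported as unknown rather than stale, which is the point Brent raised about not assuming inactivity from a missing value.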
-
Re: LastLogonTimeStamp
Thank you very much for taking the time to look at this. I have it working great now thanks to your help.