
Thread: LastLogonTimeStamp

  1. #1
    Lamborghini Guest

    LastLogonTimeStamp

    Hi,
    I am trying to get rid of the 'stale accounts' in our Active Directory. I
    read about the LastLogonTimeStamp from The Scripter Guy or Scripting Center
    at
    http://www.microsoft.com/technet/scr...lastlogon.mspx

    I ran the script that came from this article. It returned an error that
    seems to indicate that the attribute is not set or null. The error
    description is "The directory property cannot be found in the cache."

    Our AD was first created in Windows 2000, and then promoted to Win2k3. How
    can I see the raw data about this attribute?
    If it is not set how can I start capturing this data through this attribute?

    The script is as follows:

    Set objUser = GetObject("LDAP://CN=User Name,OU= Team 1,OU=Team 2,DC=xxx,DC=yyy,DC=zzzz")
    Set objLastLogon = objUser.Get("lastLogonTimestamp")

    intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
    intLastLogonTime = intLastLogonTime / (60 * 10000000)
    intLastLogonTime = intLastLogonTime / 1440

    Wscript.Echo "Last logon time: " & intLastLogonTime + #1/1/1601#


  2. #2
    Richard Mueller [MVP] Guest

    Re: LastLogonTimeStamp


    "Lamborghini" <Lamborghini@discussions.microsoft.com> wrote in message
    news:ABC9C792-41B4-4D38-9342-28EBCCA9F195@microsoft.com...
    > Hi,
    > I am trying to get rid of the 'stale accounts' in our Active Directory. I
    > read about the LastLogonTimeStamp from The Scripter Guy or Scripting
    > Center
    > at
    > http://www.microsoft.com/technet/scr...lastlogon.mspx
    >
    > I ran the script that came from this article. It returned an error that
    > seems to indicate that the attribute is not set or null. The error
    > description is "The directory property cannot be found in the cache."
    >
    > Our AD was first created in Windows 2000, and then promoted to Win2k3. How
    > can I see the raw data about this attribute?
    > If it is not set how can I start capturing this data through this
    > attribute?
    >
    > The script is as follows:
    >
    > Set objUser = GetObject("LDAP://CN=User Name,OU= Team 1,OU=Team 2,DC=xxx,DC=yyy,DC=zzzz")
    > Set objLastLogon = objUser.Get("lastLogonTimestamp")
    >
    > intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
    > intLastLogonTime = intLastLogonTime / (60 * 10000000)
    > intLastLogonTime = intLastLogonTime / 1440
    >
    > Wscript.Echo "Last logon time: " & intLastLogonTime + #1/1/1601#
    >


    You can use ADSI Edit to view the actual value, but it will be a huge number
    (or missing). The domain must be at W2k3 functional level for this attribute
    to be available.

    --
    Richard Mueller
    Microsoft MVP Scripting and ADSI
    Hilltop Lab - http://www.rlmueller.net
    --



  3. #3
    Join Date
    Nov 2008
    Posts
    4

    Re: LastLogonTimeStamp

    I have a large number of computer accounts that have NULL in the lastlogon attribute. The domain was originally Win 2000 and was upgraded to Win 2003. Are these older computers null because they have not logged on since the domain was upgraded?

  4. #4
    Richard Mueller [MVP] Guest

    Re: LastLogonTimeStamp


    "Bluenoser" <Bluenoser.3jht7d@DoNotSpam.com> wrote in message
    news:Bluenoser.3jht7d@DoNotSpam.com...
    >
    > I have a large number of computer accounts that have NULL in the
    > lastlogon attribute. The domain was originally Win 2000 and was
    > upgraded to Win 2003. Are these older computers null because they have
    > not logged on since the domain was upgraded?
    >


    The lastLogon attribute is not replicated, even if your domain is at W2k3
    functional level. The lastLogonTimeStamp attribute is replicated. By default
    computer account passwords are reset every 30 days. It may take that long
    before the lastLogonTimeStamp attribute is populated. The lastLogon
    attribute is only populated on the DC that authenticates the account. After
    30 days if lastLogonTimeStamp is still not populated, either the computer is
    not attached to the domain or the DC's are not replicating.

    --
    Richard Mueller
    MVP Directory Services
    Hilltop Lab - http://www.rlmueller.net
    --



  5. #5
    Join Date
    Nov 2008
    Posts
    4

    Re: LastLogonTimeStamp

    Thanks very much for the response.

    If I use ADSI to query the AD I don't think I have any way of knowing which DC returned the response. I have been using lastlogon which you say is not replicated. I checked lastlogontimestamp and all my computers are NULL, whereas a lot have a date in lastlogon.

    It also looks like from your response that the lastLogonTimeStamp is only reliable for periods greater than 30 days. Is it a best practice to never assume a computer is inactive if that date is less than 30 days?

    Thanks,
    Brent
    Last edited by Bluenoser; 26-11-2008 at 11:14 PM.

  6. #6
    Join Date
    Nov 2008
    Posts
    4

    Re: LastLogonTimeStamp

    I think I understand the issue better now. lastlogon does not replicate. lastlogontimestamp is null because our AD is not a true native win2003 version yet.

    Now my question is how do I direct an ADSI query to force a specific DC to respond so I can check the non-replicated attribute?

  7. #7
    Richard Mueller [MVP] Guest

    Re: LastLogonTimeStamp

    First, the lastLogonTimeStamp attribute is only updated during
    authentication if the old value is more than 14 days (by default) in the
    past. Its purpose is to find old unused accounts. The value is only
    accurate within 14 days.

    I have an example VBScript program that retrieves the lastLogon attribute
    for all users in the domain linked here:

    http://www.rlmueller.net/Last%20Logon.htm

    This program uses ADO to query AD for the attribute values. As demonstrated
    in this program you can specify which specific DC is queried by including
    the DNS name of the DC in the binding string (or in this case, the base of
    the ADO query). Ordinarily this is not wise, as you usually don't care which
    DC responds, but this becomes necessary if the attribute is not replicated.
    For example, in VBScript to bind to a user object you might use a binding
    string similar to:

    Set objUser = GetObject("LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com")

    To bind to the copy of that object on a specific DC called MyServer you
    could use:

    Set objUser = GetObject("LDAP://MyServer.MyDomain.com/cn=Jim Smith,ou=West,dc=MyDomain,dc=com")

    The program I linked above retrieves the names of all DC's in the domain
    from the Configuration container, then queries each DC for the lastLogon
    attribute of all users. A dictionary object keeps track of the largest
    (latest) value for each user.

    --
    Richard Mueller
    MVP Directory Services
    Hilltop Lab - http://www.rlmueller.net
    --

    "Bluenoser" <Bluenoser.3ji1jd@DoNotSpam.com> wrote in message
    news:Bluenoser.3ji1jd@DoNotSpam.com...
    >
    > I think I understand the issue better now. lastlogon does not
    > replicate. lastlogontimestamp is null because our AD is not a true
    > native win2003 version yet.
    >
    > Now my question is how do I direct an ADSI query to force a specific DC
    > to respond so I can check the non-replicated attribute?
    >
    >
    >
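The Integer8 conversion from post #1 and the "largest value across all DCs" logic from post #7, as an added Python example that is not part of the thread or of the linked program. All function names, the DC names and the 90-day threshold are assumptions made for illustration, and the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UPDATE_WINDOW = timedelta(days=14)  # default lastLogonTimeStamp update interval cited in the thread

def ticks_to_dt(ticks):
    """100-ns intervals since 1601-01-01 UTC -> datetime; None if unset or 0."""
    if not ticks:
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def from_large_integer(high, low):
    """Combine HighPart/LowPart as the thread's script does. ADSI hands LowPart
    back as a signed 32-bit value, so mask it to unsigned before adding."""
    return ticks_to_dt((high << 32) + (low & 0xFFFFFFFF))

def dt_to_ticks(dt):
    """Inverse of ticks_to_dt, used here only to build the constructed samples."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def latest_last_logon(per_dc):
    """per_dc: DC name -> raw lastLogon ticks from that DC (None/0 if never set there)."""
    seen = [t for t in per_dc.values() if t]
    return ticks_to_dt(max(seen)) if seen else None

def classify(last_logon_timestamp, per_dc_last_logon, now, max_age_days=90):
    """Return 'active', 'stale' or 'unknown'. max_age_days is a hypothetical policy value."""
    cutoff = now - timedelta(days=max_age_days)
    exact = latest_last_logon(per_dc_last_logon)
    if exact is not None:              # non-replicated but exact, once every DC was asked
        return "stale" if exact < cutoff else "active"
    replicated = ticks_to_dt(last_logon_timestamp)
    if replicated is None:             # attribute never populated: absence proves nothing
        return "unknown"
    # The replicated value may trail the real logon by up to the update window.
    return "stale" if replicated + UPDATE_WINDOW < cutoff else "active"

if __name__ == "__main__":
    now = datetime(2008, 11, 26, tzinfo=timezone.utc)
    # Constructed sample: one computer as seen on two hypothetical DCs.
    per_dc = {"dc1.example.test": None,
              "dc2.example.test": dt_to_ticks(now - timedelta(days=3))}
    print(latest_last_logon(per_dc), classify(None, per_dc, now))
    print(classify(dt_to_ticks(now - timedelta(days=100)), {}, now))
    print(classify(None, {}, now))
```

An account with neither attribute populated comes back as `unknown` rather than `stale`, so a cleanup job built on this does not disable machines only because the domain has not yet started recording the value.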




  8. #8
    Join Date
    Nov 2008
    Posts
    4

    Re: LastLogonTimeStamp

    Thank you very much for taking the time to look at this. I have it working great now thanks to your help.
