RE: [ActiveDir] list lastlogontime for every user script
n/p -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Monday, October 30, 2006 5:41 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script Thanks for the insight. BTW, DHTML wont be missed J :m:dsm:cci:mvp| marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Saturday, October 28, 2006 12:37 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script Every time an auth occurs that updates the lastLogon (not logonTime like I miswrote last time) attribute a calculation is done based on the update frequency value. This frequency can be modified by updating the msDS-LogonTimeSyncInterval attribute on the domain NC head (for AD). If the update frequency isgreater than the swing value (5 days) then the update frequency value is modified by subtracting a random number in the range of 0-5. That resulting value (by default 9-14 days) is then compared to the length of time it has been since the last update. If the time has exceeded that value, the stamp is updated. The minimum frequency value for AD is 1 day, the max is in the hundreds of years so not something you will likely notice a problem with. ADAM allows you to specify 0 through the ADAMLastLogonTimestampWindow entry of the msDS-Other-Settings attribute of the nTDSService object for the instance which means update the attribute for every logon. This isn't an issue with ADAM as it is with AD since with AD your machine can be doing auths on your behalf all through the day and causing a lot of replication. ADAM auth is all very directed and specific. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Friday, October 27, 2006 9:44 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script by the short description in msdn, if sounds as if theres a comparison done when the user logs on. If its been at least a week since the value was updated, its subject to being updated again? At that point, the random calculation? :m:dsm:cci:mvp| marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Friday, October 27, 2006 12:40 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script It isn't, it is randomly calculated every time logonTime is updated. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Thursday, October 26, 2006 9:49 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script How is this 9-14 day value tracked for each user object, by the way? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Thursday, October 26, 2006 5:34 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script oldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfindto generate the output. However, oldcmp tends to be easier for most folks. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon LinanSent: Thursday, October 26, 2006 4:59 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date... Does anyone has a script will do some similar? does Joe ware has something similar? Thanks Ramon
RE: [ActiveDir] list lastlogontime for every user script
Thanks for the insight. BTW, DHTML wont be missed J :m:dsm:cci:mvp| marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, October 28, 2006 12:37 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script Every time an auth occurs that updates the lastLogon (not logonTime like I miswrote last time) attribute a calculation is done based on the update frequency value. This frequency can be modified by updating the msDS-LogonTimeSyncInterval attribute on the domain NC head (for AD). If the update frequency isgreater than the swing value (5 days) then the update frequency value is modified by subtracting a random number in the range of 0-5. That resulting value (by default 9-14 days) is then compared to the length of time it has been since the last update. If the time has exceeded that value, the stamp is updated. The minimum frequency value for AD is 1 day, the max is in the hundreds of years so not something you will likely notice a problem with. ADAM allows you to specify 0 through the ADAMLastLogonTimestampWindow entry of the msDS-Other-Settings attribute of the nTDSService object for the instance which means update the attribute for every logon. This isn't an issue with ADAM as it is with AD since with AD your machine can be doing auths on your behalf all through the day and causing a lot of replication. ADAM auth is all very directed and specific. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, October 27, 2006 9:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script by the short description in msdn, if sounds as if theres a comparison done when the user logs on. If its been at least a week since the value was updated, its subject to being updated again? At that point, the random calculation? :m:dsm:cci:mvp| marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, October 27, 2006 12:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script It isn't, it is randomly calculated every time logonTime is updated. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 26, 2006 9:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script How is this 9-14 day value tracked for each user object, by the way? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 26, 2006 5:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script oldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfindto generate the output. However, oldcmp tends to be easier for most folks. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Thursday, October 26, 2006 4:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date... Does anyone has a script will do some similar? does Joe ware has something similar? Thanks Ramon
Re: [ActiveDir] list lastlogontime for every user script
I could very easily do without the dhtml and be quite happy about it. As a general rule, I'm doing all I can to keep up with the cli options, and don't really like to be distracted by that kind stuff. :) On 10/28/06, joe [EMAIL PROTECTED] wrote: Those zero's mean the value isn't set. There are several requests for change for oldcmp asking for an -onlyenabled switch. It is on the list and will go in when I work on it next. In the meanwhile you can use -bit -af (!(useraccountcontrol:AND:=2)) Also if you want to filter out users/computers that don't have a value set for the pwdLastSet or lastLogonTimeStamp, whichever is currently being used, you can use the -realage switch. I really need to open up that project and poke around, it is getting long in the tooth, last update was December 2004, hard tobelieve it has been out there for so long running so well for so many people. As a side question, would anyone be terribly disappointed if the DHTML option went away? Just trying to get a feel for it, I don't get much email on it so am wondering if it is being used all that much. It seems in larger output files, IE just gets torn up trying to display those files. Personally I think it is fun, but if people aren't using it, it is a lot of code complexityfor naught. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Ramon LinanSent: Friday, October 27, 2006 2:52 PM To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script Thanks Matt for the script that you sent and thanks Joe for your tool. I used Joe's tool (no sexual connotation here) because it was easy and fast. I have just one question, I am getting some users with lastlogontimespamp /00/00-00:00:00 most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never login into the system. This is the command that I used oldcmp -report -age 90 -users -llts is there a way of excluding disabled users from the results? Thanks From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of joeSent: Friday, October 27, 2006 12:40 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script It isn't, it is randomly calculated every time logonTime is updated. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]Sent: Thursday, October 26, 2006 9:49 PM To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script How is this 9-14 day value tracked for each user object, by the way? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joeSent: Thursday, October 26, 2006 5:34 PM To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script oldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfindto generate the output. However, oldcmp tends to be easier for most folks. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramon LinanSent: Thursday, October 26, 2006 4:59 PMTo: ActiveDir@mail.activedir.org Subject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date... Does anyone has a script will do some similar? does Joe ware has something similar? Thanks Ramon
RE: [ActiveDir] list lastlogontime for every user script
by the short description in msdn, if sounds as if theres a comparison done when the user logs on. If its been at least a week since the value was updated, its subject to being updated again? At that point, the random calculation? :m:dsm:cci:mvp| marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, October 27, 2006 12:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script It isn't, it is randomly calculated every time logonTime is updated. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 26, 2006 9:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script How is this 9-14 day value tracked for each user object, by the way? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 26, 2006 5:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script oldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfindto generate the output. However, oldcmp tends to be easier for most folks. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Thursday, October 26, 2006 4:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date... Does anyone has a script will do some similar? does Joe ware has something similar? Thanks Ramon
RE: [ActiveDir] list lastlogontime for every user script
Thanks Matt for the script that you sent and thanks Joe for your tool. I used Joe's tool (no sexual connotation here) because it was easy and fast. I have just one question, I am getting some users with lastlogontimespamp /00/00-00:00:00 most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never login into the system. This is the command that I used oldcmp -report -age 90 -users -llts is there a way of excluding disabled users from the results? Thanks From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Friday, October 27, 2006 12:40 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script It isn't, it is randomly calculated every time logonTime is updated. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Thursday, October 26, 2006 9:49 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script How is this 9-14 day value tracked for each user object, by the way? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Thursday, October 26, 2006 5:34 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script oldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfindto generate the output. However, oldcmp tends to be easier for most folks. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon LinanSent: Thursday, October 26, 2006 4:59 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date... Does anyone has a script will do some similar? does Joe ware has something similar? Thanks Ramon
RE: [ActiveDir] list lastlogontime for every user script
I used Joe's tool (no sexual connotation here) because it was easy and fast never mind half of the world does it! ;-) ROTFMAO Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Ramon Linan Sent: Fri 2006-10-27 20:51 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script Thanks Matt for the script that you sent and thanks Joe for your tool. I used Joe's tool (no sexual connotation here) because it was easy and fast. I have just one question, I am getting some users with lastlogontimespamp /00/00-00:00:00 most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never login into the system. This is the command that I used oldcmp -report -age 90 -users -llts is there a way of excluding disabled users from the results? Thanks From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, October 27, 2006 12:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script It isn't, it is randomly calculated every time logonTime is updated. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 26, 2006 9:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script How is this 9-14 day value tracked for each user object, by the way? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 26, 2006 5:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script oldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfind to generate the output. However, oldcmp tends to be easier for most folks. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Thursday, October 26, 2006 4:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date... Does anyone has a script will do some similar? does Joe ware has something similar? Thanks Ramon This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. winmail.dat
Re: [ActiveDir] list lastlogontime for every user script
I believe at last count it was way more than half the world was using joe's tool. Likely because it's fast, free, easy to use and the best around. (-; Well, half the world I tend to live in anyway. On 10/27/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: I used Joe's tool (no sexual connotation here) because it was easy and fastnever mind half of the world does it! ;-) ROTFMAOMet vriendelijke groeten / Kind regards,Ing. Jorge de Almeida PintoSenior Infrastructure ConsultantMVP Windows Server - Directory ServicesLogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777( Mobile : +31-(0)6-26.26.62.80* E-mail : see sender addressFrom: [EMAIL PROTECTED] on behalf of Ramon LinanSent: Fri 2006-10-27 20:51To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script Thanks Matt for the script that you sent and thanks Joe for your tool.I used Joe's tool (no sexual connotation here) because it was easy and fast.I have just one question, I am getting some users with lastlogontimespamp /00/00-00:00:00 most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never login into the system. This is the command that I used oldcmp -report -age 90 -users -lltsis there a way of excluding disabled users from the results?ThanksFrom: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joeSent: Friday, October 27, 2006 12:40 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user scriptIt isn't, it is randomly calculated every time logonTime is updated.--O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htmFrom: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]Sent: Thursday, October 26, 2006 9:49 PM To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user scriptHow is this 9-14 day value tracked for each user object, by the way? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe Sent: Thursday, October 26, 2006 5:34 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user scriptoldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days).You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfind to generate the output.However, oldcmp tends to be easier for most folks.joe-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htmFrom: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramon LinanSent: Thursday, October 26, 2006 4:59 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] list lastlogontime for every user scriptHi,I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date...Does anyone has a script will do some similar? does Joe ware has something similar? ThanksRamonThis e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] list lastlogontime for every user script
Every time an auth occurs that updates the lastLogon (not logonTime like I miswrote last time) attribute a calculation is done based on the update frequency value. This frequency can be modified by updating the msDS-LogonTimeSyncInterval attribute on the domain NC head (for AD). If the update frequency isgreater than the swing value (5 days) then the update frequency value is modified by subtracting a random number in the range of 0-5. That resulting value (by default 9-14 days) is then compared to the length of time it has been since the last update. If the time has exceeded that value, the stamp is updated. The minimum frequency value for AD is 1 day, the max is in the hundreds of years so not something you will likely notice a problem with. ADAM allows you to specify 0 through the ADAMLastLogonTimestampWindow entry of the msDS-Other-Settings attribute of the nTDSService object for the instance which means update the attribute for every logon. This isn't an issue with ADAM as it is with AD since with AD your machine can be doing auths on your behalf all through the day and causing a lot of replication. ADAM auth is all very directed and specific. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Friday, October 27, 2006 9:44 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script by the short description in msdn, if sounds as if theres a comparison done when the user logs on. If its been at least a week since the value was updated, its subject to being updated again? At that point, the random calculation? :m:dsm:cci:mvp| marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Friday, October 27, 2006 12:40 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script It isn't, it is randomly calculated every time logonTime is updated. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Thursday, October 26, 2006 9:49 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script How is this 9-14 day value tracked for each user object, by the way? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Thursday, October 26, 2006 5:34 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script oldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfindto generate the output. However, oldcmp tends to be easier for most folks. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon LinanSent: Thursday, October 26, 2006 4:59 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date... Does anyone has a script will do some similar? does Joe ware has something similar? Thanks Ramon
RE: [ActiveDir] list lastlogontime for every user script
First off... let's go with using the word utilityversustool ;o) Second off yeah they are pretty popular. I got a lot of pings from various MSFT and other consultant type friends who seem to run into my utilities in the wild pretty regularly. This penetration is greater in the primarily english speaking world (North America, UK, Western Europe, Australia, and militaries of those areas globally) as the utilities really better for targeted at English environments. UNICODE and other special characters (anything with umlauts, etc) are kind of a pain to deal with from the command line. Anyone who has used adfind to output something that has characters like éèà has noticed that to the command line, that ends up looking something like dn:CN=TestGroupΘΦα,OU=TestOU,DC=joe,DC=com but if that same output is redirected to a text file via standard redirection it looks like dn:CN=TestGroupéèà,OU=TestOU,DC=joe,DC=com and I can assure you adfind is doing nothing different which is the problem. I have worked through some of that with some new routines and that is the V2 versions of AdFind/AdMod I occasionally mention as it will take very radical changes to use the new strings. I have done it with some other code I have written but nothing I have released yet as I am still tinkering with it. Basically I have to try and work out where you are sending the output in order to determine how to output it. I have no clue what would happen if you tried to use adfind in an environment with true multibyte characters like say a Chinese edition. I expect it would blow up magnifiscently. I am curious if even dsquery would work in that environment. Doing this in the GUI is immensely easier which sounds odd, most people would tend to think that console apps are easier to write than GUI. I find it just the opposite, GUI is easier for most everything especially character encoding and threaded output but I find the GUI less useful than the console. And with Server Core coming...The joeware stuffwill become even more popular as my utilities are very nice console utilities AND they are all FAT-free, err I mean NET-free. ;o) Twice the power, triple the taste, tenth of the calories and actually work on Server Core... -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al MulnickSent: Friday, October 27, 2006 10:19 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] list lastlogontime for every user script I believe at last count it was way more than half the world was using joe's tool. Likely because it's fast, free, easy to use and the best around. (-; Well, half the world I tend to live in anyway. On 10/27/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: I used Joe's tool (no sexual connotation here) because it was easy and fastnever mind half of the world does it! ;-) ROTFMAOMet vriendelijke groeten / Kind regards,Ing. Jorge de Almeida PintoSenior Infrastructure ConsultantMVP Windows Server - Directory ServicesLogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777( Mobile : +31-(0)6-26.26.62.80* E-mail : see sender addressFrom: [EMAIL PROTECTED] on behalf of Ramon LinanSent: Fri 2006-10-27 20:51To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script Thanks Matt for the script that you sent and thanks Joe for your tool.I used Joe's tool (no sexual connotation here) because it was easy and fast.I have just one question, I am getting some users with lastlogontimespamp /00/00-00:00:00 most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never login into the system. This is the command that I used oldcmp -report -age 90 -users -lltsis there a way of excluding disabled users from the results?ThanksFrom: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joeSent: Friday, October 27, 2006 12:40 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user scriptIt isn't, it is randomly calculated every time logonTime is updated.--O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htmFrom: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]Sent: Thursday, October 26, 2006 9:49 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user scriptHow is this 9-14 day value tracked for each user object, by the way? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe Sent: Thursday, October 26, 2006 5:34 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user scriptoldcmp Keep in mind that by default
RE: [ActiveDir] list lastlogontime for every user script
Those zero's mean the value isn't set. There are several requests for change for oldcmp asking for an -onlyenabled switch. It is on the list and will go in when I work on it next. In the meanwhile you can use -bit -af "(!(useraccountcontrol:AND:=2))" Also if you want to filter out users/computers that don't have a value set for the pwdLastSet or lastLogonTimeStamp, whichever is currently being used, you can use the -realage switch. I really need to open up that project and poke around, it is getting long in the tooth, last update was December 2004, hard tobelieve it has been out there for so long running so well for so many people. As a side question, would anyone be terribly disappointed if the DHTML option went away? Just trying to get a feel for it, I don't get much email on it so am wondering if it is being used all that much. It seems in larger output files, IE just gets torn up trying to display those files. Personally I think it is fun, but if people aren't using it, it is a lot of code complexityfor naught. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon LinanSent: Friday, October 27, 2006 2:52 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script Thanks Matt for the script that you sent and thanks Joe for your tool. I used Joe's tool (no sexual connotation here) because it was easy and fast. I have just one question, I am getting some users with lastlogontimespamp /00/00-00:00:00 most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never login into the system. This is the command that I used oldcmp -report -age 90 -users -llts is there a way of excluding disabled users from the results? Thanks From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Friday, October 27, 2006 12:40 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script It isn't, it is randomly calculated every time logonTime is updated. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Thursday, October 26, 2006 9:49 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script How is this 9-14 day value tracked for each user object, by the way? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Thursday, October 26, 2006 5:34 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script oldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfindto generate the output. However, oldcmp tends to be easier for most folks. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon LinanSent: Thursday, October 26, 2006 4:59 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date... Does anyone has a script will do some similar? does Joe ware has something similar? Thanks Ramon
RE: [ActiveDir] list lastlogontime for every user script
Tool.penetration Tony took a vacation and this is what this list is turning into Time to go wash my brains. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/ Microsoft MVP - Directory Serviceswww.akomolafe.com- we know IT-5.75, -3.23Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: joeSent: Fri 10/27/2006 9:50 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script First off... let's go with using the word utilityversustool ;o) Second off yeah they are pretty popular. I got a lot of pings from various MSFT and other consultant type friends who seem to run into my utilities in the wild pretty regularly. This penetration is greater in the primarily english speaking world (North America, UK, Western Europe, Australia, and militaries of those areas globally) as the utilities really better for targeted at English environments. UNICODE and other special characters (anything with umlauts, etc) are kind of a pain to deal with from the command line. Anyone who has used adfind to output something that has characters like éèà has noticed that to the command line, that ends up looking something like dn:CN=TestGroupΘΦα,OU=TestOU,DC=joe,DC=com but if that same output is redirected to a text file via standard redirection it looks like dn:CN=TestGroupéèà,OU=TestOU,DC=joe,DC=com and I can assure you adfind is doing nothing different which is the problem. I have worked through some of that with some new routines and that is the V2 versions of AdFind/AdMod I occasionally mention as it will take very radical changes to use the new strings. I have done it with some other code I have written but nothing I have released yet as I am still tinkering with it. Basically I have to try and work out where you are sending the output in order to determine how to output it. I have no clue what would happen if you tried to use adfind in an environment with true multibyte characters like say a Chinese edition. I expect it would blow up magnifiscently. I am curious if even dsquery would work in that environment. Doing this in the GUI is immensely easier which sounds odd, most people would tend to think that console apps are easier to write than GUI. I find it just the opposite, GUI is easier for most everything especially character encoding and threaded output but I find the GUI less useful than the console. And with Server Core coming...The joeware stuffwill become even more popular as my utilities are very nice console utilities AND they are all FAT-free, err I mean NET-free. ;o) Twice the power, triple the taste, tenth of the calories and actually work on Server Core... -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al MulnickSent: Friday, October 27, 2006 10:19 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] list lastlogontime for every user script I believe at last count it was way more than half the world was using joe's tool. Likely because it's fast, free, easy to use and the best around. (-; Well, half the world I tend to live in anyway. On 10/27/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: I used Joe's tool (no sexual connotation here) because it was easy and fastnever mind half of the world does it! ;-) ROTFMAOMet vriendelijke groeten / Kind regards,Ing. Jorge de Almeida PintoSenior Infrastructure ConsultantMVP Windows Server - Directory ServicesLogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777( Mobile : +31-(0)6-26.26.62.80* E-mail : see sender addressFrom: [EMAIL PROTECTED] on behalf of Ramon LinanSent: Fri 2006-10-27 20:51To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script Thanks Matt for the script that you sent and thanks Joe for your tool.I used Joe's tool (no sexual connotation here) because it was easy and fast.I have just one question, I am getting some users with lastlogontimespamp /00/00-00:00:00 most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never login into the system. This is the command that I used oldcmp -report -age 90 -users -lltsis there a way of excluding disabled users from the results?ThanksFrom: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joeSent: Friday, October 27, 2006 12:40 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user scriptIt isn't, it is randomly calculated every time logonTime is updated.--O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htmFrom: mailto:[EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]Sent: Thursday, October 26, 2006 9:49 PMTo: ActiveDir
[ActiveDir] list lastlogontime for every user script
Hi, I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date... Does anyone has a script will do some similar? does Joe ware has something similar? Thanks Ramon
RE: [ActiveDir] list lastlogontime for every user script
oldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfindto generate the output. However, oldcmp tends to be easier for most folks. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon LinanSent: Thursday, October 26, 2006 4:59 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date... Does anyone has a script will do some similar? does Joe ware has something similar? Thanks Ramon
Re: [ActiveDir] list lastlogontime for every user script
Have you looked at this Perl sample from the AD Cookbook? http://techtasks.com/code/viewbookcode/1608 Another alternative is to write your script around Joe's ADFIND (or even OldCMP). ADFIND has the ability to handle the date formats in a user-friendly way. Tony -- Original Message -- From: Ramon Linan [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org Date: Thu, 26 Oct 2006 16:59:20 -0400 Hi, I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date... Does anyone has a script will do some similar? does Joe ware has something similar? Thanks Ramon Sent via the WebMail system at mail.activedir.org List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
Re: [ActiveDir] list lastlogontime for every user script
I have one that I have coded and I have sent it to your email address. You can modify it easily to email you. Cheers, Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/ |-+-- | | | | | | | | | | | Ramon Linan | | | [EMAIL PROTECTED] | | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org| | | | | | | | | 27/10/2006 09:59 a.m. | | | Please respond to | | | ActiveDir | | | | |-+-- --| | | |To: ActiveDir@mail.activedir.org | |cc: | |Subject: [ActiveDir] list lastlogontime for every user script | --| Hi, I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date... Does anyone has a script will do some similar? does Joe ware has something similar? Thanks Ramon List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] list lastlogontime for every user script
How is this 9-14 day value tracked for each user object, by the way? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 26, 2006 5:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list lastlogontime for every user script oldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfindto generate the output. However, oldcmp tends to be easier for most folks. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Thursday, October 26, 2006 4:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date... Does anyone has a script will do some similar? does Joe ware has something similar? Thanks Ramon
RE: [ActiveDir] list lastlogontime for every user script
It isn't, it is randomly calculated every time logonTime is updated. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Thursday, October 26, 2006 9:49 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script How is this 9-14 day value tracked for each user object, by the way? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Thursday, October 26, 2006 5:34 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script oldcmp Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfindto generate the output. However, oldcmp tends to be easier for most folks. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon LinanSent: Thursday, October 26, 2006 4:59 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] list lastlogontime for every user script Hi, I am trying to do an script or something that will list lastlogontime for all users so I can receive an email when someone has not use the account for more than 30 days. I have seen a couple of examples of half built scripts that don't work, I get lost when they start dealing with the converting the number to a date... Does anyone has a script will do some similar? does Joe ware has something similar? Thanks Ramon