>>> Little insight regarding what we do >>>

We run a weekly process examining pwdLastSet (which is GC enabled) information. If the computer hasn't updated its password in >=xx days, the system is permanently deleted. In addition, we are modifying our process to embrace the many Windows Server 2003 enhancements like the one mentioned below.

Our logic behind driving this process -- if systems are offline for a prolonged period of time, they are more than likely a liability for various reasons.

BTW a tip for a sunny Friday morning! Ditch the Windows 2000 version of LDP. Instead use the Windows Server 2003 version of LDP. It makes the pwdLastSet value human readable, for example:

pwdLastSet: 3/12/2003 19:58:37 Pacific Standard Time Pacific Daylight Time

This has saved me significant research time during customer escalations, etc.

Good day,
Alan

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 27, 2003 11:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Last Logon Details

Rick

That's a tricky one. There are two attributes (pwdLastSet and lastLogon) that could help you. The unfortunate thing is that these attributes are not replicated between DCs. This means that in order to get up-to-date information you need to query every DC in the domain. This may be ok for small environments, but is impractical for organisations with larger infrastructures.

Things improve with Windows Server 2003 AD with the introduction of the lastLogonTimestamp attribute which *is* replicated and gives an approximate time of the last logon. It's approximate because it is only updated at 1 week intervals (to cut down on replication traffic). This feature requires the Windows Server 2003 domain functional level.

Some further info here.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/server/dsadmin_concepts_accounts.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/ad/win2k3only_a_lastlogontimestamp.asp

Tony

-----Original Message-----
From: Jones, Rick J.(Desktop Engineering) [mailto:[EMAIL PROTECTED]
Sent: Friday, 28 March 2003 00:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Last Logon Details

Hi;

I am trying to retrieve the last logon account information for a specific computer account from Active Directory. Does anyone have a script to do this? Or... If you have another way to determine when the system last logged onto the network. This is so we can verify that the account is an active entry.

Rick J. Jones

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
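
Added example, not part of any message in this thread: a sketch of the stale-computer check discussed above. It converts the raw pwdLastSet and lastLogonTimestamp large integers (100 ns ticks since 1601-01-01 UTC) to dates and reports accounts whose newest timestamp is older than a threshold. Assumptions: the 90-day threshold stands in for the thread's unspecified "xx", combining the two attributes is this example's choice, the LDIF-style records are constructed, and the script only reports, it does not delete.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_AGE_DAYS = 90  # hypothetical placeholder; the thread gives the threshold only as "xx"
# Constructed sample export (not real data); timestamps are raw AD large integers.
SAMPLE_LDIF = """\
dn: CN=WKS-ACTIVE,OU=Workstations,DC=example,DC=com
sAMAccountName: WKS-ACTIVE$
pwdLastSet: 126920015170000000

dn: CN=WKS-OLD,OU=Workstations,DC=example,DC=com
sAMAccountName: WKS-OLD$
pwdLastSet: 126673632000000000

dn: CN=WKS-LOGON,OU=Workstations,DC=example,DC=com
sAMAccountName: WKS-LOGON$
pwdLastSet: 126673632000000000
lastLogonTimestamp: 126925920000000000

dn: CN=WKS-NEVER,OU=Workstations,DC=example,DC=com
sAMAccountName: WKS-NEVER$
pwdLastSet: 0
"""

def filetime_to_dt(value):
    """Return the UTC datetime for a tick count, or None if 0/missing (never set)."""
    ticks = int(value or 0)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks > 0 else None

def parse_ldif(text):
    """Parse blank-line separated records of 'attribute: value' lines into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        records.append({k: v.strip() for k, sep, v in pairs if sep})
    return records

def stale_computers(records, now, max_age_days=MAX_AGE_DAYS):
    """List (account, newest timestamp) for accounts with no activity since the cutoff."""
    cutoff = now - timedelta(days=max_age_days)
    report = []
    for rec in records:
        stamps = map(filetime_to_dt, (rec.get("pwdLastSet"), rec.get("lastLogonTimestamp")))
        newest = max((t for t in stamps if t), default=None)
        if newest is None or newest < cutoff:
            report.append((rec["sAMAccountName"], newest))
    return report

if __name__ == "__main__":
    print(stale_computers(parse_ldif(SAMPLE_LDIF), datetime(2003, 3, 28, tzinfo=timezone.utc)))
```

The first sample value is the thread's own LDP example (3/12/2003 19:58:37 Pacific Standard Time) expressed as a raw integer; the function returns it in UTC.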
