One of the things mentioned in this thread was that lastlogon doesn't get
updated in all cases even if the user-object is used for authentication.


I'm very interested in knowing under what circumstances this can occur and
why lastlogon wouldn't update when a user authenticates. From some off-line
conversations, one example might be when they use Outlook with the prompt
for credentials option.  I would suspect that if a user-object that lives in
AD authenticates from an NT 4 domain that this might be possible as well.

I'm also interested in what would be a true indicator of the credentials
being used.

My expectation is that any time a credential is used, lastlogon should get
updated and that lastlogonTimeStamp would get updated every 7 days and
replicated out. I would appreciate hearing the details if possible. 


Anyone?

Al

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Wednesday, February 23, 2005 7:45 AM
To: [email protected]
Subject: RE: [ActiveDir] Disabling Inactive Users

James,

 

I would like to just expand a little on what Gil said about Javelina's
product.  http://www.javelinasoftware.com/
AD Toolkit is the Hyena of reporting / bulk AD Administration tools.  It is
extremely useful and has the ability to schedule the execution of reports
and bulk administration.  It can also be customized relatively quickly and
distributed to data administrators so they can only do certain AD functions
and are limited to what they can modify on AD objects.  

 

One report that comes canned with the tool is a report that identifies
accounts based on last login date.  With some work, I think you could
automate a process that would report on this, and then you could use the
report to bulk deactivate accounts and move them.  

 

I encourage everyone to evaluate the tool and make their own conclusions,
but it is extremely powerful and useful.

 

Todd Myrick

MVP 

 

 

________________________________

From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 22, 2005 4:39 PM
To: [email protected]
Subject: RE: [ActiveDir] Disabling Inactive Users

 

AFAIK there's no GPO setting to do this. Most people run a script
periodically or use a 3rd party tool like Javelina.

 

-g

 

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rogers, James
Sent: Tuesday, February 22, 2005 1:56 PM
To: [email protected]
Subject: [ActiveDir] Disabling Inactive Users

Is there a GPO setting (or some other path) to disable inactive users after
a specified period of time?  In other words, I'd like to automatically
disable Joe User if he has not logged on in more than 90 days.

Thanks,
James R. Rogers 

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
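
Added example, not part of the thread or of any product mentioned in it: one way to write the periodic inactive-user report the replies describe, using the ActiveDirectory PowerShell module. It assumes the 90-day threshold from the original question, reads the non-replicated lastLogon from every domain controller and keeps the newest value, falls back to the replicated lastLogonTimestamp, and only reports; the function, variable and output column names are illustrative.

```powershell
# Added example: report enabled users with no logon in the last 90 days.
# Needs the ActiveDirectory module (RSAT). Report only; nothing is changed.
Import-Module ActiveDirectory

$ThresholdDays = 90   # threshold from the original question
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$ThresholdDays)

function Convert-FileTime($Value) {
    # Both attributes are FILETIME integers; 0 or empty means "never set".
    if (-not $Value -or [int64]$Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$Value)
}

# lastLogon is not replicated: keep the newest value seen on any DC.
$newest = @{}
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $users = Get-ADUser -Filter 'Enabled -eq $true' -Server $dc.HostName `
                     -Properties lastLogon -ErrorAction Stop
    } catch {
        # A skipped DC may hold a newer lastLogon, so surface the gap.
        Write-Warning "Skipped $($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($u in $users) {
        $t  = Convert-FileTime $u.lastLogon
        $dn = $u.DistinguishedName
        if ($t -and (-not $newest.ContainsKey($dn) -or $t -gt $newest[$dn])) {
            $newest[$dn] = $t
        }
    }
}

# lastLogonTimestamp is replicated, so any one DC can answer for it.
Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
    ForEach-Object {
        $seen = @($newest[$_.DistinguishedName], (Convert-FileTime $_.lastLogonTimestamp)) |
                    Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        # Never-used accounts are judged by age so new accounts are not flagged.
        $reference = if ($seen) { $seen } else { $_.whenCreated.ToUniversalTime() }
        if ($reference -lt $cutoff) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                LastSeenUtc    = $seen      # empty = no logon recorded anywhere
                DaysInactive   = [int]((Get-Date).ToUniversalTime() - $reference).TotalDays
            }
        }
    } | Sort-Object DaysInactive -Descending
```

Review the output before acting on it: service accounts and accounts that only authenticate in ways that do not update these attributes can appear inactive here while still in use.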
