lastLogon isn't replicated. lastLogonTimeStamp is replicated but requires OEM W2K3 and requires your domain to be in the right mode so that it knows all DCs are at 2003. SP1 fixes one or more holes in what updates lastLogonTimeStamp, such as simple binds, etc.

Keep in mind that by default lastLogonTimeStamp will be off by about 7 days, as it doesn't always update. You can change how often it updates by modifying the msDS-LogonTimeSyncInterval attribute on the NC Head of the domain.
OldCmp will handle old users; in W2K and K3 domains that aren't in functional mode it will use pwdLastSet. In domain functional K3 domains you can use the -llts switch to use lastLogonTimeStamp. Also it has multiple safeties built in that will only disable/move accounts unless they were previously disabled. Also Robbie Allen wrote up a script to wrap oldcmp to run automatically via the scheduler in one of the Windows IT Pro mags, I believe (or it might have been under the previous name).
Overall, 4 weeks is a low value. I would recommend shooting more for 8-10 or more weeks. But as long as you are simply disabling and have the support staff to investigate and re-enable if someone claims a disabled ID is needed, go for it.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sem 3
Sent: Friday, November 18, 2005 8:16 AM
To: [email protected]
Subject: Re: [ActiveDir] Disable inactive accounts
Also don't forget that the lastLogon flag is not replicated in pre-SP1 domain controllers.

I had the same task and wrote a bit of VBScript to query all DCs in each domain for the "real" last logon date. Then I looked up the Exchange last logon date and the AD creation date, compared the lot, and disabled any account that hadn't logged in.

Don't forget to exclude the service accounts and such. Also remember that the last logon only refers to "interactive logons".

Anyway, my £0.02 worth.
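Both replies describe the same procedure: collect the real lastLogon from every DC (it is not replicated), fall back to lastLogonTimeStamp, pwdLastSet and the creation date, exclude service accounts, and only disable rather than delete. The script below is an added example, not Sem 3's VBScript or joe's OldCmp; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later) and an account allowed to read lastLogon on each DC.

```powershell
# Added example: report (and optionally disable) accounts with no sign of activity.
# Assumes the ActiveDirectory module; defaults to report-only, never deletes or moves.
param(
    [int]$InactiveWeeks = 8,        # joe suggests 8-10 weeks rather than 4
    [string[]]$ExcludeOUs = @(),    # DN suffixes of OUs holding service accounts, etc.
    [switch]$Disable                # disabling is opt-in; the report is the default
)
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-7 * $InactiveWeeks)

function ConvertFrom-FileTime([Int64]$ft) {
    if (-not $ft) { return $null }  # 0 or missing means "never"
    [DateTime]::FromFileTime($ft)
}

# lastLogon is per-DC and not replicated: ask every DC and keep the newest value.
$realLastLogon = @{}
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-ADUser -Server $dc -Filter 'Enabled -eq $true' -Properties lastLogon |
        ForEach-Object {
            $t = ConvertFrom-FileTime $_.lastLogon
            $known = $realLastLogon[$_.SamAccountName]
            if ($t -and (-not $known -or $t -gt $known)) { $realLastLogon[$_.SamAccountName] = $t }
        }
}

$candidates = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, pwdLastSet, whenCreated |
    Where-Object { $dn = $_.DistinguishedName; -not ($ExcludeOUs | Where-Object { $dn -like "*$_" }) } |
    ForEach-Object {
        # Newest evidence of activity wins: per-DC lastLogon, the (stale by design)
        # replicated lastLogonTimestamp, pwdLastSet, or creation for never-used accounts.
        $last = @(
            $realLastLogon[$_.SamAccountName]
            ConvertFrom-FileTime $_.lastLogonTimestamp
            ConvertFrom-FileTime $_.pwdLastSet
            $_.whenCreated
        ) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        [pscustomobject]@{ Sam = $_.SamAccountName; LastActivity = $last; DN = $_.DistinguishedName }
    } | Where-Object { $_.LastActivity -lt $cutoff }

$candidates | Format-Table -AutoSize
if ($Disable) {
    # Disable only, so support staff can investigate and re-enable on request.
    $candidates | ForEach-Object { Disable-ADAccount -Identity $_.DN -Confirm:$false }
}
```

Run it without -Disable first and review the report; interactive logons, Exchange activity and service accounts are the usual reasons a listed account is not actually dead.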
