I have found the following article provides useful
info on this subject: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/54094485-71f6-4be8-8ebf-faa45bc5db4c.mspx
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 November 2005 14:23
To: [email protected]
Subject: RE: [ActiveDir] Disable inactive accounts
lastLogon isn't replicated.

lastLogonTimeStamp is replicated but requires OEM W2K3 and requires your domain to be in the right mode so that it knows all DCs are at 2003.

SP1 fixes one or more holes in what updates lastLogonTimeStamp such as simple binds, etc.

Keep in mind that by default lastLogonTimeStamp will be off by about 7 days as it doesn't always update. You can change how often it updates by modifying the msDS-LogonTimeSyncInterval attribute on the NC Head of the domain.

OldCmp will handle old users; in W2K and K3 domains that aren't in functional mode it will use pwdLastSet. In domain functional K3 domains you can use the -llts switch to use lastLogonTimeStamp. Also it has multiple safeties built in that will only disable/move accounts unless they were previously disabled. Also Robbie Allen wrote up a script to wrap oldcmp to run automatically via the scheduler in one of the Windows IT Pro mags I believe (or it might have been under the previous name).

Overall, 4 weeks is a low value. I would recommend shooting more for 8-10 or more weeks. But as long as you are simply disabling and have the support staff to investigate and re-enable if someone claims a disabled ID is needed, go for it.
joe
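As an added example (not oldcmp, Robbie Allen's wrapper, or any code from this thread), the triage logic joe describes, run in Python over constructed directory records: the cutoff is widened by the msDS-LogonTimeSyncInterval lag, pwdLastSet and whenCreated are the fallback when lastLogonTimeStamp is unavailable, and already-disabled accounts and a service-account OU are skipped. The 14-day default for the sync interval and the OU name are assumptions.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled
NOW = datetime(2005, 11, 18, tzinfo=timezone.utc)  # fixed "today" for the constructed sample

def filetime_to_datetime(ft):
    """AD stores lastLogonTimestamp/pwdLastSet as 100-ns ticks since 1601-01-01 UTC; 0 = never set."""
    return None if not ft else FILETIME_EPOCH + timedelta(microseconds=ft // 10)
def datetime_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample records."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def stale_candidates(users, now, inactive_weeks, sync_interval_days=14, use_llts=True,
                     excluded_ou_markers=("OU=Service Accounts",)):
    """Return sAMAccountNames of enabled accounts with no evidence of use inside the window.
    lastLogonTimestamp lags the real logon by up to msDS-LogonTimeSyncInterval (documented
    default 14 days, assumed here), so the cutoff is widened by that much. use_llts=False
    models a domain below 2003 functional level, where only pwdLastSet/whenCreated remain."""
    cutoff = now - timedelta(weeks=inactive_weeks)
    if use_llts:
        cutoff -= timedelta(days=sync_interval_days)
    flagged = []
    for u in users:
        if u["userAccountControl"] & UF_ACCOUNTDISABLE:
            continue  # safety: never act on an account that is already disabled
        if any(marker in u["distinguishedName"] for marker in excluded_ou_markers):
            continue  # service accounts and the like are reviewed out of band
        evidence = [filetime_to_datetime(u["pwdLastSet"]), u["whenCreated"]]
        if use_llts:
            evidence.append(filetime_to_datetime(u["lastLogonTimestamp"]))
        if max(t for t in evidence if t is not None) < cutoff:
            flagged.append(u["sAMAccountName"])
    return flagged

def _user(sam, ou, uac, llts_days, pwd_days, created_days):
    """Constructed record; *_days are days before NOW, None means the attribute was never set."""
    ft = lambda d: 0 if d is None else datetime_to_filetime(NOW - timedelta(days=d))
    return {"sAMAccountName": sam, "distinguishedName": f"CN={sam},{ou},DC=example,DC=local",
            "userAccountControl": uac, "lastLogonTimestamp": ft(llts_days),
            "pwdLastSet": ft(pwd_days), "whenCreated": NOW - timedelta(days=created_days)}

SAMPLE_USERS = [  # constructed data, not from any real directory
    _user("alice", "OU=Users", 0x200, 3, 60, 730),       # active; only pwdLastSet looks old
    _user("bob", "OU=Users", 0x200, 100, 120, 730),      # genuinely idle
    _user("carol", "OU=Users", 0x200, 60, 200, 730),     # still inside the sync-interval slack
    _user("svc_backup", "OU=Service Accounts", 0x200, None, 400, 400),  # excluded by OU
    _user("dave", "OU=Users", 0x202, 300, 300, 730),     # already disabled: left alone
    _user("newhire", "OU=Users", 0x200, None, 5, 5),     # created last week, never logged on
]
```

With an 8-week window only bob is flagged; dropping the slack to 0 or falling back to pwdLastSet pulls in carol and then alice too, which is the false-positive risk behind joe's advice to run it longer than 4 weeks.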
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sem 3
Sent: Friday, November 18, 2005 8:16 AM
To: [email protected]
Subject: Re: [ActiveDir] Disable inactive accounts
Also don't forget that the lastLogon flag is not replicated in pre-SP1 domain controllers.

I had the same task and wrote a bit of _vbscript_ to query all DCs in each domain for the "real" last logon date. Then I looked up the Exchange last logon date and the AD creation date, compared the lot, and disabled any account that hadn't logged in.

Don't forget to exclude the service accounts and such. Also remember that the last logon only refers to "interactive logons".

Anyway, my £0.02 worth.
