I get all that, but I'm trying to figure out if I might need to make a cron job to have something happen to keep it fresh. I worry that if we have a linux machine on AD and in SCCM and it patches on a maintenance window, there may be a length of time that no actual AD user logs into it. I don't want them to age out of SCCM. At the same time, I don't want to turn off that feature in discovery either. So I was trying to find something I could do on the linux side to poke that attribute...
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of christopher.catl...@us.sogeti.com Sent: Friday, October 9, 2015 3:20 PM To: ms...@lists.myitforum.com Subject: [mssms] RE: computer account lastlogontimstamp The lastLogontimeStamp attribute is not updated every time a user or computer logs on to the domain. The decision to update the value is based on the current date minus the value of the (ms-DS-Logon-Time-Sync-Interval attribute minus a random percentage of 5). If the result is equal to or greater than lastLogontimeStamp the attribute is updated. There are no special considerations for replication of lastLogontimeStamp. If the attribute is updated it is replicated like any other attribute update. ________________________________ From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> [listsadmin@lists.myitforum.com] on behalf of Krueger, Jeff [jkrue...@hfhs.org] Sent: Friday, October 09, 2015 4:06 PM To: ms...@lists.myitforum.com<mailto:ms...@lists.myitforum.com> Subject: [mssms] RE: computer account lastlogontimstamp Don't'have any specific experience with linux machines bound to AD, but the last LastLogonTimestamp is updated throughout the AD hierarchy for machines on a random interval that is between 9-14 day (if I remember correctly) by default. When a machine logs on to AD there is a current time on the DC that machine authenticated with but that doesn't get synced each time a machine logs on. So... if you can look for the DC that machine is logging on to and see if the date/time is current, then you can know that the LastLogonTimeStamp attributed will be updated some time within 9-14 days after the current value in the attribute. From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> [mailto:listsadmin@lists.myitforum.com] On Behalf Of Mote, Todd Sent: Friday, October 9, 2015 2:47 PM To: ms...@lists.myitforum.com<mailto:ms...@lists.myitforum.com> Subject: [mssms] computer account lastlogontimstamp Anybody know what will trigger a change in a computer account's last logon timestamp? I'm trying to figure out how to keep my linux machines joined to AD via SSSD with the SCCM client on them, discovered. They don't change their account password like windows machines do, so I'm trying to figure out how to make sure last logon timestamp works from linux. So live machines don't get culled by discovery. Anybody know? Todd Todd Mote, MCP, MCSA+Messaging, MCSE | mo...@austin.utexas.edu<mailto:mo...@austin.utexas.edu> Enterprise Systems Management | Information Technology Services | The University of Texas at Austin ________________________________ CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies. Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy & Security page on www.henryford.com<http://www.henryford.com> for more detailed information as well as information concerning MyChart, our new patient portal. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us.
