"Mike" <> wrote in message
news:56228061-c8ab-4850-bd8e-...
On Dec 26, 10:55 pm, "Richard Mueller [MVP]" <rlmueller-
nos...@ameritech.nospam.net> wrote:
> "Mike" <thelotu...@gmail.com> wrote in message
>
> news:da43158c-2a08-47b4-b2de-...
>
> > Hello all- I am researching finding old user accounts so they can be
> > deleted. I am finding a lot of user accounts have nothing set in the
> > lastLogonTimestamp. I've found several conditions that will cause
> > this. Of course if the domain is not at Windows Srv 2003 Func Level,
> > this will not work, but that is not the case here, we are at the
> > highest func level and all DCs are 2003 SP2. Also I found an MS KB
> > article that described NTLM auths that would not increment this value,
> > but that was supposedly fixed in Srv 2003 SP1 (and we have SP2).
>
> > What I want to ask is, does anyone know any other conditions that
> > would cause this value to be blank even if the user has logged in and
> > is using the account? Some things I can think of are: users who use
> > OWA from a public computer, and never log into Windows with the
> > account, etc.
>
> When the functional level is first raised, user objects have this attribute
> updated randomly over the next 14 days (to avoid too much replication
> traffic all at once). After that, the value is updated during logon if the
> old value is more than 14 days (by default) in the past. Does that account
> for what you see?
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab -http://www.rlmueller.net
> --
Hi Richard- thanks for your reply. The domain has been at this
functional level for the past year at least, so I don't think the 14
day replication delay would explain this. So from what I can tell
here, if the lastLogonTimestamp is blank, then this would indicate
that these users have never logged in. This is quite possible, many of
the accounts I have spot-checked have never set their password at
first logon.
Can I ask you a separate question? I am a bit new to vbscript and am
using your script from 'http://www.rlmueller.net/Programs/LastLogonTimeStamp.txt'
and it works great, thanks. I want to add some
fields to the output so I can do some more sleuthing on these
accounts. I tried to add displayName as a test as shown below, but got
the error you see at the end. Can you advise me how can I add fields to
the resulting query so I have more information to work with? I'd like
to get a few different fields: userAccountControl, pwdLastSet,
homeMDB, and expirationTime.

Dim lngBias, k, strDN, strDisplayName, dtmDate, objDate
' Enumerate resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve attribute values for the user.
    strDN = adoRecordset.Fields("distinguishedName").Value
    strDisplayName = adoRecordset.Fields("displayName").Value

c:\LastLogonTimeStamp.vbs (80, 5) ADODB.Recordset: Item cannot be
found in the collection corresponding to the requested name or
ordinal.
-----------------------------
Add the attribute names to the comma delimited list of attributes to be
retrieved. For example:
==========
' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,lastLogonTimeStamp,displayName"
=======
You can add all attribute LDAP names you want to retrieve. For
userAccountControl you can display the integer value, but you must test with
a bit mask to determine which bits are set, and thus which settings apply.
For example:
========
' Define bit mask for "Account Disabled".
Const ADS_UF_ACCOUNTDISABLE = &H02
lngFlag = CLng(adoRecordset.Fields("userAccountControl").Value)
If (lngFlag And ADS_UF_ACCOUNTDISABLE) <> 0 Then
    Wscript.Echo "Account is disabled"
Else
    Wscript.Echo "Account is NOT disabled"
End If
=====
You use the And operator and a bit mask to test each setting. See the link
below for more bit masks. Any non-zero result means the bit is set, a zero
result means the bit is not set. The pwdLastSet attribute is Integer8, just
like lastLogonTimeStamp, so you must use the same technique to convert the
64-bit value to a date/time in the current time zone. There is no
expirationTime attribute, but there is an accountExpires attribute, another
Integer8. This example VBScript program demonstrates how to handle Integer8
attributes and userAccountControl using functions (user defined functions
GetFlags and Integer8Date):
http://www.rlmueller.net/DocumentUsers.htm
This program might be a better starting point for what you are trying to do.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
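
The following is an added example, not part of the original posts and not code from rlmueller.net. It shows the bit-mask test and the Integer8 handling discussed above applied to two constructed accounts, including the cases that matter when hunting stale accounts: a blank lastLogonTimestamp, a zero pwdLastSet, and the "never expires" values of accountExpires. The names SampleInt8, MakeInt8, Int8Text, FlagText and Report are hypothetical, and the sample values are constructed; no directory query is made.

```vbscript
Option Explicit
' Added example with constructed sample values; run with cscript.
Const ADS_UF_ACCOUNTDISABLE = &H02
Const ADS_UF_PASSWD_NOTREQD = &H20
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Hypothetical stand-in for the object ADO returns for an Integer8
' attribute, which exposes HighPart and LowPart as signed 32-bit values.
Class SampleInt8
    Public HighPart, LowPart
End Class
Function MakeInt8(lngHigh, lngLow)
    Dim obj : Set obj = New SampleInt8
    obj.HighPart = lngHigh : obj.LowPart = lngLow
    Set MakeInt8 = obj
End Function

' Integer8 = count of 100-nanosecond intervals since 1601-01-01 UTC.
' lngBias = minutes to subtract from UTC to get local time (0 keeps UTC).
Function Int8Text(varValue, lngBias)
    Dim dblLow, dblMinutes
    If Not IsObject(varValue) Then Int8Text = "<not set>" : Exit Function
    If varValue.HighPart = 0 And varValue.LowPart = 0 Then Int8Text = "0" : Exit Function
    ' Maximum 64-bit value: converting it would overflow the Date type.
    If varValue.HighPart = &H7FFFFFFF And varValue.LowPart = -1 Then Int8Text = "<max>" : Exit Function
    dblLow = varValue.LowPart
    If dblLow < 0 Then dblLow = dblLow + 4294967296   ' read LowPart as unsigned
    dblMinutes = (varValue.HighPart * 4294967296 + dblLow) / 600000000
    Int8Text = CStr(CDate(#1/1/1601# + (dblMinutes - lngBias) / 1440))
End Function

' Test each userAccountControl bit with And; non-zero means the bit is set.
Function FlagText(lngFlag)
    Dim s : s = ""
    If (lngFlag And ADS_UF_ACCOUNTDISABLE) <> 0 Then s = s & " DISABLED"
    If (lngFlag And ADS_UF_PASSWD_NOTREQD) <> 0 Then s = s & " PASSWD_NOTREQD"
    If (lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then s = s & " DONT_EXPIRE_PASSWD"
    If s = "" Then s = " (none of the tested bits)"
    FlagText = Trim(s)
End Function

Sub Report(strName, lngUAC, varLogon, varPwd, varExpires)
    Wscript.Echo strName & ": flags=" & FlagText(lngUAC) _
        & "; lastLogonTimestamp=" & Int8Text(varLogon, 0) _
        & "; pwdLastSet=" & Int8Text(varPwd, 0) _
        & "; accountExpires=" & Int8Text(varExpires, 0)
End Sub

' Constructed records: userAccountControl, lastLogonTimestamp, pwdLastSet, accountExpires
Report "cn=Sample One", 512, MakeInt8(29897643, -1294967296), MakeInt8(29890000, 1000), MakeInt8(&H7FFFFFFF, -1)
Report "cn=Sample Two", 514, Null, MakeInt8(0, 0), MakeInt8(0, 0)
```

For accountExpires, both 0 and the maximum value mean the account never expires; for pwdLastSet, 0 means the user must change the password at next logon, which together with a blank lastLogonTimestamp is consistent with an account that has never been used.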