Discussion in 'Scripting' started by Lamborghini, Mar 13, 2007.

  1. Lamborghini


    I am trying to get rid of the 'stale accounts' in our Active Directory. I
    read about the LastLogonTimeStamp from The Scripting Guy or the Script Center.

    I ran the script that came from this article. It returned an error that
    seems to indicate that the attribute is not set or null. The error
    description is "The directory property cannot be found in the cache."

    Our AD was first created in Windows 2000, and then promoted to Win2k3. How
    can I see the raw data about this attribute?
    If it is not set how can I start capturing this data through this attribute?

    The script is as follows:

    Set objUser = GetObject("LDAP://CN=User Name,OU= Team 1,OU=Team
    Set objLastLogon = objUser.Get("lastLogonTimestamp")

    intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
    intLastLogonTime = intLastLogonTime / (60 * 10000000)
    intLastLogonTime = intLastLogonTime / 1440

    Wscript.Echo "Last logon time: " & intLastLogonTime + #1/1/1601#
    Lamborghini, Mar 13, 2007
  2. You can use ADSI Edit to view the actual value, but it will be a huge number
    (or missing). The domain must be at W2k3 functional level for this attribute
    to be available.
    Richard Mueller [MVP], Mar 14, 2007
  3. The lastLogon attribute is not replicated, even if your domain is at W2k3
    functional level. The lastLogonTimeStamp attribute is replicated. By default
    computer account passwords are reset every 30 days. It may take that long
    before the lastLogonTimeStamp attribute is populated. The lastLogon
    attribute is only populated on the DC that authenticates the account. After
    30 days, if lastLogonTimeStamp is still not populated, either the computer is
    not attached to the domain or the DCs are not replicating.
    Richard Mueller [MVP], Nov 26, 2008
  4. First, the lastLogonTimeStamp attribute is only updated during
    authentication if the old value is more than 14 days (by default) in the
    past. Its purpose is to find old unused accounts. The value is only
    accurate within 14 days.

    I have an example VBScript program that retrieves the lastLogon attribute
    for all users in the domain linked here: Logon.htm

    This program uses ADO to query AD for the attribute values. As demonstrated
    in this program you can specify which specific DC is queried by including
    the DNS name of the DC in the binding string (or in this case, the base of
    the ADO query). Ordinarily this is not wise, as you usually don't care which
    DC responds, but this becomes necessary if the attribute is not replicated.
    For example, in VBScript to bind to a user object you might use a binding
    string similar to:

    Set objUser = GetObject("LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com")

    To bind to the copy of that object on a specific DC called MyServer you
    could use:

    Set objUser = GetObject("LDAP://

    The program I linked above retrieves the names of all DCs in the domain
    from the Configuration container, then queries each DC for the lastLogon
    attribute of all users. A dictionary object keeps track of the largest
    (latest) value for each user.
    Richard Mueller [MVP], Nov 26, 2008
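The two pieces this thread puts together, the Integer8-to-date conversion from the first post and the "query every DC, keep the newest lastLogon per user" sweep from the last reply, as an added Python example that is not the linked Logon.htm program nor code from anyone in this thread. The DC names, account names and logon dates are constructed sample data, and the stale-account threshold is an assumed policy value.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogon / lastLogonTimestamp as an Integer8 (a FILETIME): 100-nanosecond
# ticks since 1601-01-01 00:00 UTC. A value of 0 means "never authenticated here".
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def integer8_to_datetime(high_part, low_part):
    """Rebuild the 64-bit tick count from the HighPart/LowPart pair ADSI exposes.
    COM returns LowPart as a signed 32-bit long, so a value with the top bit set
    arrives negative; masking restores the unsigned half before combining."""
    ticks = (high_part << 32) + (low_part & 0xFFFFFFFF)
    if ticks == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_integer8(when):
    """Inverse, used only to build sample data the way ADSI would hand it back."""
    ticks = int((when - EPOCH_1601).total_seconds()) * 10_000_000
    high, low = ticks >> 32, ticks & 0xFFFFFFFF
    if low >= 1 << 31:          # mimic the signed LowPart a script would see
        low -= 1 << 32
    return high, low


def latest_logon_per_user(per_dc):
    """per_dc maps DC name -> {sAMAccountName: (HighPart, LowPart)}. lastLogon is
    not replicated, so the real last logon is the newest value held by any DC."""
    latest = {}
    for users in per_dc.values():
        for user, parts in users.items():
            when = integer8_to_datetime(*parts)
            latest.setdefault(user, None)
            if when is not None and (latest[user] is None or when > latest[user]):
                latest[user] = when
    return latest


def stale_accounts(latest, now, max_age_days, slop_days=0):
    """Users whose newest logon is older than max_age_days, or who never logged on.
    lastLogonTimestamp is refreshed only when the stored value is over 14 days old,
    so pass slop_days=14 when the input came from that attribute instead."""
    cutoff = now - timedelta(days=max_age_days + slop_days)
    return sorted(u for u, when in latest.items() if when is None or when < cutoff)


# Constructed sample: two DCs, each with its own unreplicated view of lastLogon.
UTC = timezone.utc
NOW = datetime(2008, 11, 26, tzinfo=UTC)
SAMPLE = {
    "DC1": {"alice": datetime_to_integer8(datetime(2008, 11, 1, tzinfo=UTC)),
            "bob": (0, 0), "carol": (0, 0)},
    "DC2": {"alice": datetime_to_integer8(datetime(2008, 11, 20, tzinfo=UTC)),
            "bob": datetime_to_integer8(datetime(2008, 5, 1, tzinfo=UTC)),
            "carol": (0, 0)},
}

if __name__ == "__main__":
    latest = latest_logon_per_user(SAMPLE)
    for user, when in latest.items():
        print(user, when.isoformat() if when else "never logged on")
    print("stale after 90 days:", stale_accounts(latest, NOW, 90))
```

Against a live domain the per-DC dictionaries would be filled from an LDAP query bound to each DC's DNS name, exactly as the linked program does; the aggregation and cutoff logic stays the same.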