LDAP query returns NULL data

Discussion in 'Active Directory' started by Drew, Dec 7, 2005.

  Drew

    Drew Guest

    I have been running a VBscript which queries for the lastlogon attribute
    using LDAP for each user on the DC. In ~10% of the accounts, the query is
    returning a NULL value, even though I know the users are logging into the
    domain with these accounts. I looked up the accounts using Microsoft's tool
    "Account lockout status" and it also shows no logon data for these accounts.

    I then installed the Acctinfo.dll file and when I look at these accounts
    using "User and Computers" and look at the "Additional Account Info" tab,
    the accounts that were returned with NULL values all have last logon dates
    here. So whatever method the acctinfo.dll file is using, it is able to
    access the lastlogon attribute data for these accounts, however LDAP and
    Account Lockout Status are unable to...

    Does anyone have any ideas as to what is causing this? I'm curious if others have
    experienced the same problem with other attributes.
    Drew, Dec 7, 2005
  2. Each domain controller holds its own last logon attribute.
    You have to interrogate all of them.

    In W2K3, there is lastLogonTimeStamp.
    See tip 9800 » How is the lastLogonTimeStamp attribute replicated in a Windows Server 2003 domain?
    in the 'Tips & Tricks' at http://www.jsifaq.com

    Jerold Schulman
    Windows Server MVP
    JSI, Inc.
    Jerold Schulman, Dec 7, 2005
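
    The per-DC merge described in the reply above, as an added example that is not part of the original thread. It assumes the raw lastLogon value has already been read from each domain controller (a Windows FILETIME count of 100-nanosecond ticks since 1601-01-01 UTC, with a missing value or 0 meaning no logon recorded on that DC); the DC names and values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """Convert one raw lastLogon value to a UTC datetime.

    Returns None when the attribute is absent (None/empty) or 0, which
    is how a DC that never authenticated the user reports it.
    """
    if raw is None or raw == "":
        return None
    ticks = int(raw)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def latest_logon(per_dc_values):
    """Return (dc_name, datetime) for the newest lastLogon across all DCs.

    per_dc_values maps a DC name to the raw value read from that DC.
    Returns (None, None) if no DC holds a logon for the account.
    """
    best_dc, best_time = None, None
    for dc, raw in per_dc_values.items():
        when = filetime_to_datetime(raw)
        if when is not None and (best_time is None or when > best_time):
            best_dc, best_time = dc, when
    return best_dc, best_time


# Constructed sample: one account as seen from four hypothetical DCs.
SAMPLE = {
    "DC1": None,                  # attribute not set on this DC
    "DC2": "0",                   # set, but no logon recorded
    "DC3": "127783872000000000",  # 2005-12-07 00:00:00 UTC
    "DC4": "127780000000000000",  # an earlier logon
}

if __name__ == "__main__":
    dc, when = latest_logon(SAMPLE)
    print(dc, when.isoformat() if when else "never")
```

    A script that reads only one DC would report this account as NULL if it happened to query DC1 or DC2.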
  Drew

    Drew Guest

    I'm aware of this. I can directly connect to DC3, look at the account info
    tab, get the last logon value for a user on DC3. Then run an LDAP query on
    that user, on DC3, and it returns a NULL value
    Drew, Dec 7, 2005
