LastLogonTimeStamp
I am trying to get rid of the 'stale accounts' in our Active Directory. I read about the LastLogonTimeStamp from The Scripter Guy or Scripting Center at http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx

I ran the script that came from this article. It returned an error that seems to indicate that the attribute is not set or null. The error description is "The directory property cannot be found in the cache."

Our AD was first created in Windows 2000, and then promoted to Win2k3. How can I see the raw data about this attribute? If it is not set, how can I start capturing this data through this attribute?

The script is as follows:

    ' Bind to the user object (the path here is the placeholder DN from the post)
    Set objUser = GetObject("LDAP://CN=User Name,OU= Team 1,OU=Team 2,DC=xxx,DC=yyy,DC=zzzz")
    ' lastLogonTimestamp is an Integer8: 100-nanosecond ticks since 1601-01-01 UTC,
    ' returned by ADSI as an IADsLargeInteger with HighPart/LowPart
    Set objLastLogon = objUser.Get("lastLogonTimestamp")

    intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
    intLastLogonTime = intLastLogonTime / (60 * 10000000)   ' ticks to minutes
    intLastLogonTime = intLastLogonTime / 1440               ' minutes to days

    ' Adding a number of days to a VBScript Date literal yields the logon date
    Wscript.Echo "Last logon time: " & intLastLogonTime + #1/1/1601#
"Lamborghini" <Lamborgh***@discussions.microsoft.com> wrote in message news:ABC9C792-41B4-4D38-9342-28EBCCA9F195@microsoft.com...
> [snip]

You can use ADSI Edit to view the actual value, but it will be a huge number (or missing). The domain must be at W2k3 functional level for this attribute to be available.

I have a large number of computer accounts that have NULL in the lastLogon attribute. The domain was originally Win 2000 and was upgraded to Win 2003. Are these older computers null because they have not logged on since the domain was upgraded?
--
Bluenoser
------------------------------------------------------------------------
Bluenoser's Profile: http://forums.techarena.in/members/bluenoser.htm
View this thread: http://forums.techarena.in/server-scripting/704739.htm
"Bluenoser" <Bluenoser.3jht7d@DoNotSpam.com> wrote in message news:Bluenoser.3jht7d@DoNotSpam.com...
> [snip]

The lastLogon attribute is not replicated, even if your domain is at W2k3 functional level. The lastLogonTimeStamp attribute is replicated. By default computer account passwords are reset every 30 days. It may take that long before the lastLogonTimeStamp attribute is populated. The lastLogon attribute is only populated on the DC that authenticates the account. After 30 days, if lastLogonTimeStamp is still not populated, either the computer is not attached to the domain or the DCs are not replicating.

Thanks very much for the response.

If I use ADSI to query the AD I don't think I have any way of knowing which DC returned the response. I have been using lastLogon, which you say is not replicated. I checked lastLogonTimeStamp and all my computers are NULL, whereas a lot have a date in lastLogon. It also looks like from your response that the lastLogonTimeStamp is only reliable for periods greater than 30 days. Is it a best practice to never assume a computer is inactive if that date is less than 30 days?

Thanks,
Brent
--
Bluenoser

I think I understand the issue better now. lastLogon does not replicate. lastLogonTimeStamp is null because our AD is not a true native Win2003 version yet.

Now my question is how do I direct an ADSI query to force a specific DC to respond so I can check the non-replicated attribute?
--
Bluenoser

First, the lastLogonTimeStamp attribute is only updated during authentication if the old value is more than 14 days (by default) in the past. Its purpose is to find old unused accounts. The value is only accurate within 14 days.

I have an example VBScript program that retrieves the lastLogon attribute for all users in the domain linked here:

http://www.rlmueller.net/Last%20Logon.htm

This program uses ADO to query AD for the attribute values. As demonstrated in this program, you can specify which specific DC is queried by including the DNS name of the DC in the binding string (or in this case, the base of the ADO query). Ordinarily this is not wise, as you usually don't care which DC responds, but this becomes necessary if the attribute is not replicated.

For example, in VBScript, to bind to a user object you might use a binding string similar to:

    Set objUser = GetObject("LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com")

To bind to the copy of that object on a specific DC called MyServer you could use:

    Set objUser = GetObject("LDAP://MyServer.MyDomain.com/cn=Jim Smith,ou=West,dc=MyDomain,dc=com")

The program I linked above retrieves the names of all DCs in the domain from the Configuration container, then queries each DC for the lastLogon attribute of all users. A dictionary object keeps track of the largest (latest) value for each user.

"Bluenoser" <Bluenoser.3ji1jd@DoNotSpam.com> wrote in message news:Bluenoser.3ji1jd@DoNotSpam.com...
> [snip]

Thank you very much for taking the time to look at this. I have it working great now thanks to your help.
--
Bluenoser
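The procedure the last answer describes (pin each query to one DC because lastLogon never replicates, keep the largest value per account, and trust lastLogonTimeStamp only to within its 14-day update interval), together with the earlier points about functional level and the 30-day population delay, as an added PowerShell example. This is not code from the thread or from the linked rlmueller.net script (which is VBScript/ADO); it assumes the ActiveDirectory RSAT module on a domain-joined host with read access to every DC, a 90-day staleness threshold chosen for illustration, and a helper named ConvertFrom-FileTime that is defined here, not a built-in cmdlet. The LDAP filter (objectClass=user) covers both user and computer accounts, since computer is a subclass of user.

```powershell
# Added example, not from the thread. Requires: Import-Module ActiveDirectory (RSAT).
Import-Module ActiveDirectory

$StaleDays   = 90   # assumed threshold for "stale"; choose your own
$SyncLagDays = 14   # default msDS-LogonTimeSyncInterval: lastLogonTimeStamp may lag this much

# lastLogonTimeStamp is only maintained once the domain is at Windows Server 2003 functional level.
$domain = Get-ADDomain
if ($domain.DomainMode -eq 'Windows2000Domain') {
    Write-Warning "Domain functional level is Windows 2000: lastLogonTimeStamp is not maintained; only per-DC lastLogon is usable."
}

# Integer8 (100-ns ticks since 1601-01-01 UTC) -> DateTime; 0 or missing means "never".
function ConvertFrom-FileTime {
    param($Ticks)
    if (-not $Ticks) { return $null }
    return [DateTime]::FromFileTimeUtc([long]$Ticks)
}

$latest = @{}   # sAMAccountName -> @{ LastLogon; LastLogonTimeStamp }

foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        # -Server pins the query to one DC, which is the only way to read the non-replicated lastLogon.
        Get-ADObject -Server $dc.HostName -LDAPFilter '(objectClass=user)' `
                     -Properties sAMAccountName, lastLogon, lastLogonTimeStamp -ErrorAction Stop |
        ForEach-Object {
            $name = $_.sAMAccountName
            if (-not $name) { return }
            $seen = ConvertFrom-FileTime $_.lastLogon
            if (-not $latest.ContainsKey($name)) {
                # lastLogonTimeStamp replicates, so any DC's copy will do.
                $latest[$name] = @{ LastLogon = $null; LastLogonTimeStamp = (ConvertFrom-FileTime $_.lastLogonTimeStamp) }
            }
            # Keep the largest (most recent) lastLogon seen on any DC.
            if ($seen -and (-not $latest[$name].LastLogon -or $seen -gt $latest[$name].LastLogon)) {
                $latest[$name].LastLogon = $seen
            }
        }
    } catch {
        # An unreachable DC means its lastLogon values are missing; do not treat the result as complete.
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)
$latest.GetEnumerator() | ForEach-Object {
    $ll   = $_.Value.LastLogon
    $llts = $_.Value.LastLogonTimeStamp
    # lastLogon (max over DCs) is exact. lastLogonTimeStamp can be up to $SyncLagDays behind the
    # real logon, so it must be older than cutoff - lag before it supports a "stale" verdict.
    $stale = (-not $ll -or $ll -lt $cutoff) -and (-not $llts -or $llts -lt $cutoff.AddDays(-$SyncLagDays))
    [pscustomobject]@{
        Account            = $_.Key
        LastLogon          = $ll
        LastLogonTimeStamp = $llts
        Stale              = $stale
    }
} | Sort-Object LastLogon | Format-Table -AutoSize
```

Accounts created or computers joined within the last 30 days can show an empty lastLogonTimeStamp simply because it has not been populated yet, which is why the verdict above also requires lastLogon to be absent or old on every DC before marking an account stale.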