
Re: lastLogonTimestamp not set!

Author
27 Dec 2008 4:55 AM
Richard Mueller [MVP]
"Mike" <thelotu***@gmail.com> wrote in message
news:da43158c-2a08-47b4-b2de-7bb5acdb3504@a26g2000prf.googlegroups.com...
> Hello all- I am researching finding old user accounts so they can be
> deleted. I am finding a lot of user accounts have nothing set in the
> lastLogonTimestamp. I've found several conditions that will cause
> this. Of course if the domain is not at Windows Srv 2003 Func Level,
> this will not work, but that is not the case here, we are at the
> highest func level and all DCs are 2003 SP2. Also I found an MS KB
> article that described NTLM auths that would not increment this value,
> but that was supposedly fixed in Srv 2003 SP1 (and we have SP2).
>
> What I want to ask is, does anyone know any other conditions that
> would cause this value to be blank even if the user has logged in and
> is using the account? Some things I can think of are: users who use
> OWA from a public computer, and never log into Windows with the
> account, etc.

When the functional level is first raised, user objects have this attribute
updated randomly over the next 14 days (to avoid too much replication
traffic all at once). After that, the value is updated during logon if the
old value is more than 14 days (by default) in the past. Does that account
for what you see?

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Author
30 Dec 2008 6:11 PM
Mike
On Dec 26, 10:55 pm, "Richard Mueller [MVP]" <rlmueller-
nos...@ameritech.nospam.net> wrote:
> "Mike" <thelotu***@gmail.com> wrote in message
>
> news:da43158c-2a08-47b4-b2de-7bb5acdb3504@a26g2000prf.googlegroups.com...
>
> > Hello all- I am researching finding old user accounts so they can be
> > deleted. I am finding a lot of user accounts have nothing set in the
> > lastLogonTimestamp. I've found several conditions that will cause
> > this. Of course if the domain is not at Windows Srv 2003 Func Level,
> > this will not work, but that is not the case here, we are at the
> > highest func level and all DCs are 2003 SP2. Also I found an MS KB
> > article that described NTLM auths that would not increment this value,
> > but that was supposedly fixed in Srv 2003 SP1 (and we have SP2).
>
> > What I want to ask is, does anyone know any other conditions that
> > would cause this value to be blank even if the user has logged in and
> > is using the account? Some things I can think of are: users who use
> > OWA from a public computer, and never log into Windows with the
> > account, etc.
>
> When the functional level is first raised, user objects have this attribute
> updated randomly over the next 14 days (to avoid too much replication
> traffic all at once). After that, the value is updated during logon if the
> old value is more than 14 days (by default) in the past. Does that account
> for what you see?
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab -http://www.rlmueller.net
> --

Hi Richard- thanks for your reply. The domain has been at this
functional level for the past year at least, so I don't think the 14
day replication delay would explain this. So from what I can tell
here, if the lastLogonTimestamp is blank, then this would indicate
that these users have never logged in. This is quite possible, many of
the accounts I have spot-checked have never set their password at
first logon.

Can I ask you a separate question? I am a bit new to VBScript and am
using your script from
'http://www.rlmueller.net/Programs/LastLogonTimeStamp.txt' and it works
great, thanks. I want to add some fields to the output so I can do some
more sleuthing on these accounts. I tried to add displayName as a test
as shown below, but got the error you see at the end. Can you advise me
how I can add fields to the resulting query so I have more information
to work with? I'd like to get a few different fields:
userAccountControl, pwdLastSet, homeMDB, and expirationTime.

Dim lngBias, k, strDN, strDisplayName, dtmDate, objDate

' Enumerate resulting recordset.
Do Until adoRecordset.EOF
   ' Retrieve attribute values for the user.
    strDN = adoRecordset.Fields("distinguishedName").Value
    strDisplayName = adoRecordset.Fields("displayName").Value

c:\LastLogonTimeStamp.vbs (80, 5) ADODB.Recordset: Item cannot be
found in the collection corresponding to the requested name or
ordinal.

Author
31 Dec 2008 1:46 AM
Richard Mueller [MVP]
"Mike" <thelotu***@gmail.com> wrote in message
news:56228061-c8ab-4850-bd8e-c0589eb487de@a29g2000pra.googlegroups.com...

Hi Richard- thanks for your reply. The domain has been at this
functional level for the past year at least, so I don't think the 14
day replication delay would explain this. So from what I can tell
here, if the lastLogonTimestamp is blank, then this would indicate
that these users have never logged in. This is quite possible, many of
the accounts I have spot-checked have never set their password at
first logon.

Can I ask you a separate question? I am a bit new to VBScript and am
using your script from
'http://www.rlmueller.net/Programs/LastLogonTimeStamp.txt' and it works
great, thanks. I want to add some fields to the output so I can do some
more sleuthing on these accounts. I tried to add displayName as a test
as shown below, but got the error you see at the end. Can you advise me
how I can add fields to the resulting query so I have more information
to work with? I'd like to get a few different fields:
userAccountControl, pwdLastSet, homeMDB, and expirationTime.

Dim lngBias, k, strDN, strDisplayName, dtmDate, objDate

' Enumerate resulting recordset.
Do Until adoRecordset.EOF
   ' Retrieve attribute values for the user.
    strDN = adoRecordset.Fields("distinguishedName").Value
    strDisplayName = adoRecordset.Fields("displayName").Value

c:\LastLogonTimeStamp.vbs (80, 5) ADODB.Recordset: Item cannot be
found in the collection corresponding to the requested name or
ordinal.

-----------------------------

Add the attribute names to the comma delimited list of attributes to be
retrieved. For example:
==========
' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,lastLogonTimeStamp,displayName"
=======
You can add all attribute LDAP names you want to retrieve. For
userAccountControl you can display the integer value, but you must test with
a bit mask to determine which bits are set, and thus which settings apply.
For example:
========
' Define bit mask for "Account Disabled".
Const ADS_UF_ACCOUNTDISABLE = &H02

lngFlag = CLng(adoRecordset.Fields("userAccountControl").Value)

If (lngFlag And ADS_UF_ACCOUNTDISABLE) <> 0 Then
    Wscript.Echo "Account is disabled"
Else
    Wscript.Echo "Account is NOT disabled"
End If
=====
You use the And operator and a bit mask to test each setting. See the link
below for more bit masks. Any non-zero result means the bit is set, a zero
result means the bit is not set. The pwdLastSet attribute is Integer8, just
like lastLogonTimeStamp, so you must use the same technique to convert the
64-bit value to a date/time in the current time zone. There is no
expirationTime attribute, but there is an accountExpires attribute, another
Integer8. This example VBScript program demonstrates how to handle Integer8
attributes and userAccountControl using functions (user defined functions
GetFlags and Integer8Date):

http://www.rlmueller.net/DocumentUsers.htm

This program might be a better starting point for what you are trying to do.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
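
Added example, not part of the original posts and not Richard Mueller's code: the Integer8 conversion and userAccountControl bit-mask test described above, applied to a stale-account review in Python rather than VBScript. It assumes the attribute values were already exported as integers; the function names, the 90-day threshold and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF            # accountExpires sentinel: never expires
UPDATE_INTERVAL = timedelta(days=14)  # default update interval from the thread
UAC_FLAGS = {                         # userAccountControl bit masks
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
}

def integer8_to_utc(value):
    """Integer8 = 100-ns ticks since 1601-01-01 UTC; None if unset or 'never'."""
    ticks = int(value or 0)
    if ticks <= 0 or ticks >= NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def to_integer8(dt):
    """Inverse conversion, used only to build the constructed sample data."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def decode_uac(value):
    """Names of the known flags set in userAccountControl."""
    return [name for mask, name in UAC_FLAGS.items() if int(value) & mask]

def triage(user, now, stale_days=90):
    """Classify one exported user record for a stale-account review."""
    if "ACCOUNTDISABLE" in decode_uac(user["userAccountControl"]):
        return "disabled"
    expires = integer8_to_utc(user.get("accountExpires"))
    if expires is not None and expires <= now:
        return "expired"
    last = integer8_to_utc(user.get("lastLogonTimestamp"))
    if last is None:
        # Blank lastLogonTimestamp: a pwdLastSet of 0 means no password was set either.
        never_set = integer8_to_utc(user.get("pwdLastSet")) is None
        return "never-used" if never_set else "no-logon-recorded"
    # The stored value can lag the real last logon by up to the update interval.
    if now - last > timedelta(days=stale_days) + UPDATE_INTERVAL:
        return "stale"
    return "active"

# Constructed sample records (not real accounts).
NOW = datetime(2008, 12, 31, tzinfo=timezone.utc)
SAMPLE = {
    "alice": {"userAccountControl": 0x200, "accountExpires": NEVER,
              "pwdLastSet": to_integer8(NOW - timedelta(days=30)),
              "lastLogonTimestamp": to_integer8(NOW - timedelta(days=10))},
    "bob":   {"userAccountControl": 0x202, "accountExpires": 0,
              "pwdLastSet": to_integer8(NOW - timedelta(days=400)),
              "lastLogonTimestamp": to_integer8(NOW - timedelta(days=300))},
    "carol": {"userAccountControl": 0x200, "accountExpires": 0,
              "pwdLastSet": 0, "lastLogonTimestamp": None},
    "dave":  {"userAccountControl": 0x10200, "accountExpires": NEVER,
              "pwdLastSet": to_integer8(NOW - timedelta(days=500)),
              "lastLogonTimestamp": to_integer8(NOW - timedelta(days=200))},
}

def report(now=NOW):
    return {name: triage(rec, now) for name, rec in SAMPLE.items()}
```

Because lastLogonTimestamp is only rewritten when the stored value is more than 14 days old, the staleness test adds that interval to the threshold so a recently active account is not flagged early.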
Author
31 Dec 2008 2:49 PM
Mike

Awesome.... Thanks so much for your detailed response. I'll try out
your suggestions today.
Author
2 Jan 2009 10:05 PM
Mike

Richard- thanks much for your help with this. It's working great!!
