Windows Tip Sheet
Return to the Last Logon
Find out when your domain users last logged in to disable old, inactive accounts.
I’ve written before about the new lastLogonTimeStamp attribute in Active
Directory. It’s new in Win2003, and only available in all-Win2003 domains
(that is, all domain controllers running Win2003) operating at the highest domain
functional level. Unlike previous “last login” attributes, this one is
replicated, meaning you can query just one DC to get an accurate readout of all
domain users’ last logon -- great for picking out old accounts that need to be
disabled or deleted. In fact, running dsquery user domainroot -inactive 4 uses
lastLogonTimeStamp to show all users who’ve been inactive for four weeks or
more.
The attribute’s replication doesn’t work quite like other AD attributes,
though. Normally, the attribute is only replicated every 10 to 14 days
(AD chooses a random value in that range), meaning your lastLogonTimeStamp data
can be two weeks out of date. So if you’re querying users who’ve
been inactive for four weeks, you have to figure plus or minus two weeks. You
might just want to query for users who have been inactive for six weeks (this
gives you a four-to-six week range), to avoid catching ones who’ve really
only been inactive for two. Also, users who’ve never logged on since the
domain’s functional level was raised can have a Null value for lastLogonTimeStamp,
or the attribute may not seem to exist for the account.
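Here is an added example (not part of the original tip sheet, and not Microsoft’s or dsquery’s code) that applies the reasoning above to a set of user records: it converts the raw lastLogonTimeStamp value (a Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC, which is what an LDAP query or ldifde hands back) into a date, treats a zero or missing attribute as “never logged on”, and only reports an account as stale when even the most generous reading of the stamp, plus the full 14-day replication lag, still exceeds the inactivity threshold. The user records, the account names and the reference date are constructed for the example; the attribute name and the 14-day default come from the article.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 1601-01-01 UTC; values are 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# lastLogonTimeStamp is only rewritten (and therefore replicated) when the
# stored value is older than msDS-LogonTimeSyncInterval (default 14 days), so
# the value you read from a DC may lag the real last logon by up to that long.
LOGON_TIME_SYNC_INTERVAL = timedelta(days=14)


def filetime_to_datetime(filetime):
    """Convert an AD FILETIME integer to an aware UTC datetime.

    AD stores 0 (or omits the attribute) for accounts that have never logged
    on since the functional level was raised; both map to None here.
    """
    if not filetime:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic so large
    tick counts are not rounded the way a float division would round them."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def inactivity_window(filetime, now):
    """Return (min_inactive, max_inactive) as timedeltas, or None if never logged on.

    The replicated stamp is a lower bound on the true last logon, which may
    have happened up to LOGON_TIME_SYNC_INTERVAL later, so the real period of
    inactivity lies somewhere in [now - stamp - interval, now - stamp].
    """
    stamp = filetime_to_datetime(filetime)
    if stamp is None:
        return None
    max_inactive = now - stamp
    min_inactive = max(max_inactive - LOGON_TIME_SYNC_INTERVAL, timedelta(0))
    return min_inactive, max_inactive


def find_stale_accounts(records, now, min_inactive_weeks=4):
    """Split user records into (stale, never_logged_on, active_or_unknown).

    An account counts as stale only when the guaranteed minimum inactivity
    (stamp age minus replication lag) reaches min_inactive_weeks. With the
    14-day default this is the same as the article's advice: query for six
    weeks to be sure of four.
    """
    threshold = timedelta(weeks=min_inactive_weeks)
    stale, never, active = [], [], []
    for rec in records:
        window = inactivity_window(rec.get("lastLogonTimestamp"), now)
        if window is None:
            never.append(rec["sAMAccountName"])
        elif window[0] >= threshold:
            stale.append(rec["sAMAccountName"])
        else:
            active.append(rec["sAMAccountName"])
    return stale, never, active


# Constructed sample records (not real accounts), shaped the way an LDAP
# query returns them; a missing key stands in for an absent attribute.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "bob",   "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(weeks=5))},  # really 3-5 weeks: too close to call
    {"sAMAccountName": "carol", "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(weeks=8))},  # really 6-8 weeks: stale
    {"sAMAccountName": "dave",  "lastLogonTimestamp": 0},   # never logged on (null value)
    {"sAMAccountName": "erin"},                              # attribute absent on the object
]

if __name__ == "__main__":
    stale, never, active = find_stale_accounts(SAMPLE_USERS, NOW)
    print("stale (safe to disable):", stale)
    print("never logged on (review separately):", never)
    print("active or too recent to tell:", active)
```

The point of the min/max window is that a stamp five weeks old does not prove five weeks of inactivity; the user may have logged on three weeks ago and the DC simply hasn’t been asked to rewrite the attribute yet. If you change msDS-LogonTimeSyncInterval, change LOGON_TIME_SYNC_INTERVAL to match, or the margin the script applies will be wrong.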
Like everything else in AD, you can change the interval. Keep in mind that
doing so can trigger excessive domain-wide replication with every user logon,
so don’t go nuts with this -- there’s likely a good reason Microsoft
picked the 14-day interval, right? The attribute to modify is msDS-LogonTimeSyncInterval;
it’s an attribute of the domain object within AD and you’ll need
to use something like ADSIEdit to modify it.
More Resources:
- Microsoft’s official information on this is here,
but it’s pretty detailed -- be sure you have some time on your hands.
Scroll down to “Stale Account Deletion” about three-fourths of
the way down the page.
- A good batch file example of using this attribute can be found here.
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.