Anyone know if there is something other than the "accountExpires" attribute
on User objects which can be used to "age" user objects? I would like to be
able to delete a user object after it has reached a certain age, any way to
accomplish this?
--
Rick B., CISSP

RE: Aging User objects with Active Directory by WongTuckWah

WongTuckWah
Mon Aug 08 16:16:06 CDT 2005

I am not a developer but I did come across some scripts available in the MS
Script Center. You might need to tweak the scripts in order to achieve what
you want.

Take a look at this site for AD account status:

http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/status/default.mspx

HTH.

Re: Aging User objects with Active Directory by Joe

Joe
Mon Aug 08 16:47:01 CDT 2005

Common attributes are

pwdLastSet
lastLogonTimeStamp

Check out oldcmp on my website, people seem to like it

http://www.joeware.net/win/free/tools/oldcmp.htm


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


RickB wrote:
> Anyone know if there is something other than the "accountExpires" attribute
> on User objects which can be used to "age" user objects? I would like to be
> able to delete a user object after it has reached a certain age, any way to
> accomplish this?

Re: Aging User objects with Active Directory by LS

LS
Wed Aug 10 16:33:58 CDT 2005

> Common attributes are
>
> pwdLastSet
> lastLogonTimeStamp
>

I warn you to be careful in a scenario where you have multiple domain
controllers in the same domain.
The lastlogontimestamp can be different on each DC



Re: Aging User objects with Active Directory by Joe

Joe
Mon Aug 15 17:12:06 CDT 2005

No it can't. That attribute is replicated. Well I guess it could, but
replication would have to be broken or hasn't completed.

lastLogon isn't replicated and can have different values.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


LS wrote:
>>Common attributes are
>>
>>pwdLastSet
>>lastLogonTimeStamp
>>
>
>
> I warn you to be careful in a scenario where you have multiple domain
> controllers in the same domain.
> The lastlogontimestamp can be different on each DC
>
>

Re: Aging User objects with Active Directory by Torgeir

Torgeir
Tue Aug 16 11:00:33 CDT 2005

LS wrote:

>>Common attributes are
>>
>>pwdLastSet
>>lastLogonTimeStamp
>>
>
> I warn you to be careful in a scenario where you have multiple
> domain controllers in the same domain.
> The lastlogontimestamp can be different on each DC
>
Hi,

The lastLogonTimestamp attribute is replicated.

From the docs for lastLogonTimestamp:

http://msdn.microsoft.com/library/en-us/adschema/ad/adam_a_lastlogontimestamp.asp

<quote>
Last-Logon-Timestamp
This is the time that the user last logged into the domain. This value
is only updated when the user logs in if a week has passed since the
last update. This value is replicated.
</quote>

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/dsadmin_concepts_accounts.asp

<quote>
When the domain functional level has been set to Windows Server 2003,
a new lastLogonTimestamp attribute is used to track the last logon
time of a user or computer account.
</quote>


The above is relevant for both user and computer accounts. Note the
once a week update only part and the Windows Server 2003 domain
functional level prerequisite.



A "Scripting Guys" article about lastLogonTimestamp:

Dandelions, VCR Clocks, and Last Logon Times: These are a Few of Our
Least Favorite Things
http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
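
An added example, not code from any poster in this thread: it converts the Integer8 values stored in lastLogonTimestamp and pwdLastSet to dates and flags stale accounts while allowing for the once-a-week update lag quoted above. The dict record layout, the 90-day threshold, the 'review' label, the use of the newer of the two timestamps and the sample accounts are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UPDATE_LAG = timedelta(days=7)  # quoted docs: updated only if a week has passed
TICK = timedelta(microseconds=1)


def filetime_to_dt(value):
    """AD Integer8 time (100-ns ticks since 1601-01-01 UTC) -> datetime.
    0 or a missing attribute means 'never' and yields None."""
    return FILETIME_EPOCH + TICK * (int(value) // 10) if value else None


def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the sample records."""
    return ((dt - FILETIME_EPOCH) // TICK) * 10


def classify(user, now, max_age_days=90):
    """Return 'active', 'stale' or 'review' for one user record (a dict)."""
    stamps = (user.get("lastLogonTimestamp"), user.get("pwdLastSet"))
    seen = [t for t in map(filetime_to_dt, stamps) if t is not None]
    if not seen:
        return "review"  # no evidence either way: leave it for a human
    # The replicated value can trail the real last logon by up to UPDATE_LAG,
    # so an account only counts as stale once it is older than age + lag.
    cutoff = now - timedelta(days=max_age_days) - UPDATE_LAG
    return "stale" if max(seen) < cutoff else "active"


def report(users, now, max_age_days=90):
    """Map each account name to its classification."""
    return {u["sAMAccountName"]: classify(u, now, max_age_days) for u in users}


def _ago(now, days):
    return dt_to_filetime(now - timedelta(days=days))


# Constructed sample data, not real accounts.
NOW = datetime(2005, 8, 16, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "alice", "lastLogonTimestamp": _ago(NOW, 3), "pwdLastSet": _ago(NOW, 40)},
    {"sAMAccountName": "bob", "lastLogonTimestamp": _ago(NOW, 95), "pwdLastSet": _ago(NOW, 200)},
    {"sAMAccountName": "carol", "lastLogonTimestamp": _ago(NOW, 120), "pwdLastSet": _ago(NOW, 300)},
    {"sAMAccountName": "dave", "lastLogonTimestamp": 0, "pwdLastSet": 0},
    {"sAMAccountName": "erin", "pwdLastSet": _ago(NOW, 10)},
]

if __name__ == "__main__":
    for name, state in report(SAMPLE, NOW).items():
        print(f"{name}: {state}")
```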