Scripts Thread, Powershell Help in Coding and Web Development; Depends on what you want to do. Whenever I've set about finding old users or computers I haven't cared about ...
30th January 2012, 11:36 PM #16
Depends on what you want to do. Whenever I've set about finding old users or computers I haven't cared about precision, so I'd be happy to use LastLogonTimestamps more than say 100 days old and not worry if that sometimes gets a few accounts that actually last logged on 84-100 days ago coz they're old too.
Chasing round for the freshest LastLogon is the kind of thing I'd do if I wanted to know if someone (or a computer) logged on recently e.g. this morning, yesterday etc.,
Thanks to PiqueABoo from:
FN-GM (31st January 2012)
IDG Tech News
30th January 2012, 11:56 PM #17
Would you know how to make the script chase around please? I assume it would be allot of work?
I may Google to see if there is a way to increase the replication period or if there is a way to force the attribute to replicate then run the script. What are your thoughts please?
Thanks for your help.
31st January 2012, 01:23 AM #18
Can you just confirm i have got something correct.
When the users logs on, it will check the DC to see if the timestamp is older than 14 days. If it is older than 14 days it updates it with a new one. If it is under 14 it ignores it. Because of this you wont end up with this scenario:
On July 2, the script disables account_A. On July 4, the admin enables the account so that account_A can log in. On July 9, the script runs again and the account is disabled again.
31st January 2012, 06:19 AM #19
Have you seen this?
Originally Posted by FN-GM
“The LastLogonTimeStamp Attribute” – “What it was designed for and how it works” « Ask the Directory Services Team
If you need more accuracy, you could query the event logs...
It is important to note that the intended purpose of the lastLogontimeStamp attribute to help identify inactive computer and user accounts. The lastLogon attribute is not designed to provide real time logon information. With default settings in place the lastLogontimeStamp will be 9-14 days behind the current date.
If you are looking for more “real-time” logon tracking you will need to query the Security Event log on your DC’s for the desired logon events i.e. 528 –Windows XP/2003 and earlier or 4624 Windows Vista/2008. See this blog post
by Eric Fitzgerald for more info. (I think he knows something about auditing)
IMO your best bet for near real-time data is to use an event log collection service to gather all domain controller security event logs to a centralized database. You can then query a single database for the desired logon events. Microsoft’s solution for security event log collection is Audit Collection Services
. There are many 3rd party solutions as well.
31st January 2012, 07:53 AM #20
I have read it thanks. I think i am going to reduce the time on the attribute to 7 days.
6th February 2012, 12:10 AM #21
Originally Posted by FN-GM
Does anyone have any suggestions regarding this please?
By Shark in forum Scripts
Last Post: 27th October 2011, 07:35 PM
By RabbieBurns in forum Scripts
Last Post: 13th May 2010, 10:12 AM
By mbedford in forum Coding
Last Post: 1st August 2009, 04:25 PM
By maf_001 in forum Coding
Last Post: 14th June 2009, 09:57 PM
By ezzauk in forum Windows
Last Post: 25th September 2008, 02:02 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)