lastLogonTimestamp not set! Mike <thelotus99[ at ]gmail.com> 12/27/2008 1:23:40 AM Hello all- I am researching finding old user accounts so they can be deleted. I am finding a lot of user accounts have nothing set in the lastLogonTimestamp. I've found several conditions that will cause this. Of course if the domain is not at Windows Srv 2003 Func Level, this will not work, but that is not the case here, we are at the highest func level and all DCs are 2003 SP2. Also I found an MS KB article that described NTLM auths that would not increment this value, but that was supposedly fixed in Srv 2003 SP1 (and we have SP2). What I want to ask is, does anyone know any other conditions that would cause this value to be blank even if the user has logged in and is using the account? Some things I can think of are: users who use OWA from a public computer, and never log into Windows with the account, etc.

Re: lastLogonTimestamp not set! "Richard Mueller [MVP]" <rlmueller-nospam[ at ]ameritech.nospam.net> 12/27/2008 4:55:45 AM "Mike" <thelotus99[ at ]gmail.com> wrote in message news:da43158c-2a08-47b4-b2de-7bb5acdb3504[ at ]a26g2000prf.googlegroups.com... [Quoted Text] > Hello all- I am researching finding old user accounts so they can be > deleted. I am finding a lot of user accounts have nothing set in the > lastLogonTimestamp. I've found several conditions that will cause > this. Of course if the domain is not at Windows Srv 2003 Func Level, > this will not work, but that is not the case here, we are at the > highest func level and all DCs are 2003 SP2. Also I found an MS KB > article that described NTLM auths that would not increment this value, > but that was supposedly fixed in Srv 2003 SP1 (and we have SP2). > > What I want to ask is, does anyone know any other conditions that > would cause this value to be blank even if the user has logged in and > is using the account? Some things I can think of are: users who use > OWA from a public computer, and never log into Windows with the > account, etc. When the functional level is first raised, user objects have this attribute updated randomly over the next 14 days (to avoid too much replication traffic all at once). After that, the value is updated during logon if the old value is more than 14 days (by default) in the past. Does that account for what you see? -- Richard Mueller MVP Directory Services Hilltop Lab - http://www.rlmueller.net --

Re: lastLogonTimestamp not set! Mike <thelotus99[ at ]gmail.com> 12/30/2008 6:11:39 PM On Dec 26, 10:55 pm, "Richard Mueller [MVP]" <rlmueller- nos...[ at ]ameritech.nospam.net> wrote: [Quoted Text] > "Mike" <thelotu...[ at ]gmail.com> wrote in message > > news:da43158c-2a08-47b4-b2de-7bb5acdb3504[ at ]a26g2000prf.googlegroups.com... > > > Hello all- I am researching finding old user accounts so they can be > > deleted. I am finding a lot of user accounts have nothing set in the > > lastLogonTimestamp. I've found several conditions that will cause > > this. Of course if the domain is not at Windows Srv 2003 Func Level, > > this will not work, but that is not the case here, we are at the > > highest func level and all DCs are 2003 SP2. Also I found an MS KB > > article that described NTLM auths that would not increment this value, > > but that was supposedly fixed in Srv 2003 SP1 (and we have SP2). > > > What I want to ask is, does anyone know any other conditions that > > would cause this value to be blank even if the user has logged in and > > is using the account? Some things I can think of are: users who use > > OWA from a public computer, and never log into Windows with the > > account, etc. > > When the functional level is first raised, user objects have this attribute > updated randomly over the next 14 days (to avoid too much replication > traffic all at once). After that, the value is updated during logon if the > old value is more than 14 days (by default) in the past. Does that account > for what you see? > > -- > Richard Mueller > MVP Directory Services > Hilltop Lab -http://www.rlmueller.net > -- Hi Richard- thanks for your reply. The domain has been at this functional level for the past year at least, so I don't think the 14 day replication delay would explain this. So from what I can tell here, if the lastLogonTimestamp is blank, then this would indicate that these users have never logged in. This is quite possible, many of the accounts I have spot-checked have never set their password at first logon. Can I ask you a separate question. I am a bit new to vbscript and am using your script from 'http://www.rlmueller.net/Programs/ LastLogonTimeStamp.txt' and it works great, thanks. I want to add some fields to the output so I can do some more sleuthing on these accounts. I tried to add displayName as a test as show below, but got the error you see at the end. Can you advise me how can I ad fields to the resulting query so I have more information to work with? I'd like to get a few different fields: userAccountControl, pwdLastSet, homeMDB, and expirationTime. Dim lngBias, k, strDN, strDisplayName, dtmDate, objDate ' Enumerate resulting recordset. Do Until adoRecordset.EOF ' Retrieve attribute values for the user. strDN = adoRecordset.Fields("distinguishedName").Value strDisplayName = adoRecordset.Fields("displayName").Value c:\LastLogonTimeStamp.vbs (80, 5) ADODB.Recordset: Item cannot be found in the collection corresponding to the requested name or ordinal.