Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

AD 2003 Query

Posted on 2009-07-03
8
Medium Priority
?
228 Views
Last Modified: 2012-05-07
Hello EEs

In my AD 2003 environment, I need to create a query of the Day since Last logon in increments of 30-180 days. I can locate this in the New Query creation box, however, I am looking at querying a created container in the OU.

Is it possible to locate the logon dates of any container in the OU with these dates? If so, please advise.

I see the Common Queries selection in the Find drop down box which has the option to select the dates, however, I am unable to run a successful query. I have ran a query that locates all these containers, now I just need to associate them with their logon dates.
0
Comment
Question by:lazik
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24774596

Containers? As in Users?

Chris
0
 

Author Comment

by:lazik
ID: 24774634
Yes, but Org boxes, not the Users container.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24774689

Okay, but you still want the value from the users, right? :)

LastLogon is a bit of a tricky one, it doesn't replicate which means you'll get different values for it depending on the Domain Controller you ask.

Do you have more than one Domain Controller?

As an alternative there's lastLogonTimeStamp, this value replicates meaning you can check it anywhere but can be up to 14 days out of date. If you wish to use AD Users and Computers you'd have to put up with it, otherwise scripting is going to be required (not much bother, there are a lot of pre-built scripts for this).

Chris
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 

Author Comment

by:lazik
ID: 24774718
All I require is if teh Org Boxes are stale past certain dates..30-180...Several DCs here, and I prefer not to do a script since I am new here. On the Org Boxes under the Object tab there is the Modified date, however, this is different from the last logon when I look at the actual mailbox.

So at this point, I need to look at each mailbox and verify the last logon and write it down seperatly?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24774752

Exchange will store a last logon for a mailbox, but that isn't necessarily for the user who owns the mailbox (it also stores which account did).

In AD you have either lastLogon, or lastLogonTimeStamp the first is accurate, but will need scripting to get accuracy. lastLogonTimeStamp can be queried easily, a bit of an advantage, but accuracy is down with the limited updates.

lastModified is really that, every change to the account, from password changes, to attribute updates will change that value.

Which do you actually need?

You know, you might think about grabbing OldCmp, the name suggests it's for computers only, but it will work for user accounts. It will generate a pretty report containing every attribute which can be used to determine whether an account is stale or not.

http://www.joeware.net/freetools/tools/oldcmp/index.htm

No scripting required :)

Chris
0
 

Author Comment

by:lazik
ID: 24774775
I need the last logon date of these Org boxes, reason is to begin cleanup on old boxes that have not been used in x days. I was tasked with locating all of them, which I have, over 500 of them, now I need to associate the last logon date with them so deletion can begin. I do not want to d/l and tools to complete this task, that decision is up to my supervisor, however, I all require is the last logon for all these boxes and presumed the query could do this.
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 24776390
If you wish to see the value associated with each account you have no choice but to script it, or download something to do it for you.

lastLogon and lastLogonTimeStamp are stored as the number of 100 nanosecond intervals since 01/01/1601 00:00:00. That is the format of the value which must be used in any query for these, and the format which must be converted if you're to make it into a readable date.

I wrote a very small script (VbScript, save as .vbs) to deal with generating a filter (see below).

That may not be ideal if you're constrained by whatever is already there. Although I would say this is simply learning a bit of scripting, an extremely valuable tool for any Sys Admin / Engineer.

If you really must stick with whatever is already there then this is probably the best bet:

dsquery user -inactive 4 -limit 0

Where the "-inactive" period is a value in weeks (the example here being 28 days). It won't show you the date, only those accounts which have been inactive for a number of weeks or longer.

Chris
' Number of days from current
Const PERIOD_TO_REMOVE = 180
 
dblInt8 = CDbl(DateDiff("s", CDate("01/01/1601 00:00:00"), Now - PERIOD_TO_REMOVE))
WScript.Echo "Query: (&(objectClass=computer)(lastLogonTimeStamp<=" & CStr(dblInt8) & "0000000)(!lastLogonTimeStamp=0))"

Open in new window

0
 

Author Closing Comment

by:lazik
ID: 31599680
thanks chris
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question