Get-QADUser PasswordLastSet child domain vs global catalog mismatch

Posted on 2012-09-21
Last Modified: 2012-10-08
I was using some PowerShell code I found online to remind OWA users (who don't get a reminder from Windows when they log in) that their pwd was going to expire. I found this code to allow one script to serve for both parent and child domain accounts. But the value for PasswordLastSet doesn't match between the info at the child domain controller and the GC...

When I run Get-QADUser username -SearchRoot "DC=mydomain,DC=com" -UseGlobalCatalog | select SamAccountName, PasswordLastSet, Domain

I get

SamAccountName   PasswordLastSet   Domain
username         9/29/2011 ...     CHILD

When I run Get-QADUser username -Service "" | select SamAccountName, PasswordLastSet, Domain

I get the correct Pwd last set value

SamAccountName   PasswordLastSet   Domain
username         9/17/2012 ...     CHILD

What is wrong w/ my AD if the global catalog doesn't appear to be receiving the updated information?  How to fix so GC has the up to date info?
Question by:schraudog

    Accepted Solution


    Run the following command (you need to install the Resource Kit tools): repadmin /syncall. Alternatively, use replmon and manually sync the DC/GC, or use Active Directory Sites and Services to sync the info.

    ExchangeADTech [v-2nas]

    Author Comment

    When I do repadmin /syncall, the command completes successfully:

    C:\Users\Administrator.mydomain>repadmin /syncall
    CALLBACK MESSAGE: The following replication is in progress:
        To  :
    CALLBACK MESSAGE: The following replication completed successfully:
        To  :
    CALLBACK MESSAGE: SyncAll Finished.
    SyncAll terminated with no errors.

    But that is sync'ing between GCs in the parent only. No mention of syncing w/ the child DC. We don't seem to have any problems that we know about other than this field PasswordLastSet. Perhaps we have issues we don't know about.

    Expert Comment


    Do you have 2 users with same samaccountname in parent and child domain?


    Expert Comment

    I couldn't find any details on the PasswordLastSet property returned by Get-QADUser. I presume Get-QADUser converts the value in the pwdLastSet attribute into a date. If so, the pwdLastSet attribute is not replicated/stored in the global catalog by default and this search cannot be performed across an entire forest.

    Pwd-Last-Set attribute

    Author Comment

    In the end, we found there was a replication issue between child domain and parent.  The child domain had a corrupt AD database that needed to be defragged offline using these directions.

    Now when running:
    Get-QADUser username -SearchRoot "DC=mydomain,DC=com" -UseGlobalCatalog
    and running:
    Get-QADUser username -Service ""
    they both return the same PasswordLastSet. It is just that the command using the GlobalCatalog is a LOT faster.

    I give v-2nas the points: although repadmin /syncall didn't answer my question, it did put me on the right track. Thanks.
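
An added example, not part of the original thread: one way to check the two points raised above, namely whether pwdLastSet is flagged for global catalog replication in the schema, and whether the GC and a domain controller in the user's own domain return the same value. It assumes the Microsoft ActiveDirectory module rather than the Quest cmdlets used in the thread; the function names and the host gc01.mydomain.com are placeholders.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT), not the Quest cmdlets.
Import-Module ActiveDirectory

function ConvertFrom-PwdLastSet($Value) {
    # pwdLastSet is a FILETIME. It is absent when the replica does not hold it,
    # and 0 when the user must change the password at next logon.
    if ($null -eq $Value) { return $null }
    if ([int64]$Value -eq 0) { return 'must change at next logon' }
    [DateTime]::FromFileTimeUtc([int64]$Value)
}

function Test-InGlobalCatalog([string]$LdapDisplayName) {
    # isMemberOfPartialAttributeSet on the schema object controls GC replication.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
        -Properties isMemberOfPartialAttributeSet
    [bool]$attr.isMemberOfPartialAttributeSet
}

function Compare-PwdLastSet {
    param(
        # Restricting the characters keeps the name safe to place in an LDAP filter.
        [Parameter(Mandatory)][ValidatePattern('^[\w.\-$]+$')][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GlobalCatalog   # GC host name, supplied by the caller
    )
    # Port 3268 plus an empty SearchBase searches every partition the GC holds,
    # so duplicate sAMAccountNames in parent and child domains both show up.
    $hits = Get-ADUser -LDAPFilter "(sAMAccountName=$SamAccountName)" -SearchBase '' `
        -Server "${GlobalCatalog}:3268" -Properties pwdLastSet
    foreach ($u in $hits) {
        # Build the owning domain's DNS name from the DC= parts of the DN and ask
        # a domain controller there, which holds the full replica of the object.
        $domain = (($u.DistinguishedName -split ',') -like 'DC=*' -replace '^DC=') -join '.'
        $dc = Get-ADUser -Identity $u.DistinguishedName -Server $domain -Properties pwdLastSet
        [pscustomobject]@{
            DistinguishedName = $u.DistinguishedName
            Domain            = $domain
            FromGC            = ConvertFrom-PwdLastSet $u.pwdLastSet
            FromDomainDC      = ConvertFrom-PwdLastSet $dc.pwdLastSet
            Match             = $u.pwdLastSet -eq $dc.pwdLastSet
        }
    }
}

# 'username' and 'gc01.mydomain.com' are placeholder values.
"pwdLastSet in GC partial attribute set: $(Test-InGlobalCatalog 'pwdLastSet')"
Compare-PwdLastSet -SamAccountName 'username' -GlobalCatalog 'gc01.mydomain.com'
```

For a password-expiry reminder script, a row where Match is False or FromGC is empty means the reminder date should be computed from the FromDomainDC value.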
