Get-QADUser PasswordLastSet child domain vs global catalog mismatch

Posted on 2012-09-21
Last Modified: 2012-10-08
I was using some PowerShell code I found online to remind OWA users (who don't get a reminder from Windows when they log in) that their password was going to expire. I found this code to allow one script to serve for both parent and child domain accounts. But the value for PasswordLastSet doesn't match between the info at the child domain controller and the GC...

When I run Get-QADUser username -SearchRoot "DC=mydomain,DC=com" -UseGlobalCatalog | select SamAccountName, PasswordLastSet, Domain

I get

SamAccountName   PasswordLastSet   Domain
username         9/29/2011 ...     CHILD

When I run Get-QADUser username -Service "childdc.mydomain.com" | select SamAccountName, PasswordLastSet, Domain

I get the correct Pwd last set value

SamAccountName   PasswordLastSet   Domain
username         9/17/2012 ...     CHILD

What is wrong w/ my AD if the global catalog doesn't appear to be receiving the updated information? How do I fix it so the GC has the up-to-date info?
Question by: schraudog

Accepted Solution

Navdeep earned 1500 total points
ID: 38427850

Run the following command (you need to install the Resource Kit tools):

repadmin /syncall

Alternatively, use replmon and manually sync the DC/GC, or use Active Directory Sites and Services to sync the info.

ExchangeADTech [v-2nas]

Author Comment

ID: 38428770
When I do repadmin /syncall, the command completes successfully:

C:\Users\Administrator.mydomain>repadmin /syncall
CALLBACK MESSAGE: The following replication is in progress:
    From: d56c4641-30c6-4667-95bc-cd416b4e4e93._msdcs.mydomain.com
    To  : 7e1e3ffa-71a9-4dee-847f-d6a741c041cd._msdcs.mydomain.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: d56c4641-30c6-4667-95bc-cd416b4e4e93._msdcs.mydomain.com
    To  : 7e1e3ffa-71a9-4dee-847f-d6a741c041cd._msdcs.mydomain.com
SyncAll terminated with no errors.

But that is syncing between GCs in the parent only. No mention of syncing w/ the child DC. We don't seem to have any problems that we know about other than this field, PasswordLastSet. Perhaps we have issues we don't know about.

Expert Comment

ID: 38443430

Do you have 2 users with same samaccountname in parent and child domain?


Expert Comment

ID: 38470728
I couldn't find any details on the PasswordLastSet property returned by Get-QADUser. I presume Get-QADUser converts the value in the pwdLastSet attribute into a date. If so, the pwdLastSet attribute is not replicated/stored in the global catalog by default and this search cannot be performed across an entire forest.

Pwd-Last-Set attribute

Author Comment

ID: 38474093
In the end, we found there was a replication issue between child domain and parent.  The child domain had a corrupt AD database that needed to be defragged offline using these directions.


Now when running:
Get-QADUser username -SearchRoot "DC=mydomain,DC=com" -UseGlobalCatalog
and running:
Get-QADUser username -Service "childdc.mydomain.com"
they both return the same PasswordLastSet. It is just that the command using the global catalog is a LOT faster.

I give v-2nas the points: although repadmin /syncall didn't answer my question, it did put me on the right track. Thanks.
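
A way to check for the mismatch discussed in this thread across many accounts at once, as an added example that is not code from any of the posters. The function name `Compare-PasswordLastSet`, its `-ToleranceMinutes` parameter and the sample objects are assumptions constructed for illustration; the live queries in the trailing comments use the cmdlet and parameters shown in the thread plus `-SizeLimit 0`.

```powershell
# Requires PowerShell 3.0+ for [pscustomobject].
function Compare-PasswordLastSet {
    param(
        [Parameter(Mandatory = $true)] [object[]] $GcUsers,  # GC view (-UseGlobalCatalog)
        [Parameter(Mandatory = $true)] [object[]] $DcUsers,  # child DC view (-Service)
        [int] $ToleranceMinutes = 60   # assumed allowance for normal replication latency
    )
    # Key on DOMAIN\account so same-named accounts in parent and child never collide.
    $gcIndex = @{}
    foreach ($u in $GcUsers) { $gcIndex["$($u.Domain)\$($u.SamAccountName)"] = $u }

    foreach ($dc in $DcUsers) {
        $gc = $gcIndex["$($dc.Domain)\$($dc.SamAccountName)"]
        $status = 'InSync'; $lag = $null
        if ($null -eq $gc) {
            $status = 'MissingFromGC'
        } elseif ($null -eq $gc.PasswordLastSet -or $null -eq $dc.PasswordLastSet) {
            # One side has no timestamp; the views agree only if both are empty.
            if ($gc.PasswordLastSet -ne $dc.PasswordLastSet) { $status = 'Mismatch' }
        } else {
            $lag = $dc.PasswordLastSet - $gc.PasswordLastSet
            if ([math]::Abs($lag.TotalMinutes) -gt $ToleranceMinutes) { $status = 'Mismatch' }
        }
        [pscustomobject]@{
            Account = "$($dc.Domain)\$($dc.SamAccountName)"
            DcValue = $dc.PasswordLastSet
            GcValue = if ($gc) { $gc.PasswordLastSet } else { $null }
            LagDays = if ($null -ne $lag) { [math]::Round($lag.TotalDays, 1) } else { $null }
            Status  = $status
        }
    }
}

# Constructed sample data mirroring the two outputs in the question.
$gcView = @([pscustomobject]@{ SamAccountName = 'username'; Domain = 'CHILD'; PasswordLastSet = [datetime]'2011-09-29' })
$dcView = @([pscustomobject]@{ SamAccountName = 'username'; Domain = 'CHILD'; PasswordLastSet = [datetime]'2012-09-17' })
Compare-PasswordLastSet -GcUsers $gcView -DcUsers $dcView | Format-Table -AutoSize

# Live use:
# $gcView = Get-QADUser -SearchRoot 'DC=mydomain,DC=com' -UseGlobalCatalog -SizeLimit 0
# $dcView = Get-QADUser -Service 'childdc.mydomain.com' -SizeLimit 0
```

Any row with Status other than InSync means a password-expiry reminder script reading from the global catalog would act on a stale date for that account.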

Question has a verified solution.
