schraudog asked:

Get-QADUser PasswordLastSet child domain vs global catalog mismatch

I was using some PowerShell code I found online to remind OWA users (that don't get a reminder from Windows when they log in) that their pwd was going to expire. I found this code to allow one script to serve for both parent and child domain accounts. But the value for PasswordLastSet doesn't match between the info at the child domain controller and the GC...

When I run Get-QADUser username -SearchRoot "DC=mydomain,DC=com" -UseGlobalCatalog | select SamAccountName, PasswordLastSet, Domain

I get

SamAccountName   PasswordLastSet   Domain
username         9/29/2011 ...     CHILD

When I run Get-QADUser username -Service "childdc.mydomain.com" | select SamAccountName, PasswordLastSet, Domain

I get the correct Pwd last set value

SamAccountName   PasswordLastSet   Domain
username         9/17/2012 ...     CHILD

What is wrong w/ my AD if the global catalog doesn't appear to be receiving the updated information? How to fix so GC has the up-to-date info?
ASKER CERTIFIED SOLUTION
Navdeep

schraudog (ASKER)

When I do repadmin /syncall, the command completes successfully:


C:\Users\Administrator.mydomain>repadmin /syncall
CALLBACK MESSAGE: The following replication is in progress:
    From: d56c4641-30c6-4667-95bc-cd416b4e4e93._msdcs.mydomain.com
    To  : 7e1e3ffa-71a9-4dee-847f-d6a741c041cd._msdcs.mydomain.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: d56c4641-30c6-4667-95bc-cd416b4e4e93._msdcs.mydomain.com
    To  : 7e1e3ffa-71a9-4dee-847f-d6a741c041cd._msdcs.mydomain.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

But that is sync'ing between GC's in the parent only. No mention of syncing w/ the child DC. We don't seem to have any problems that we know about other than this field PasswordLastSet. Perhaps we have issues we don't know about.

Hi,

Do you have 2 users with same samaccountname in parent and child domain?

regards,
Navdeep
SubSun

I couldn't find any details on the PasswordLastSet property returned by Get-QADUser. I presume Get-QADUser converts the value in the pwdLastSet attribute into a date. If so, the pwdLastSet attribute is not replicated/stored in the global catalog by default and this search cannot be performed across an entire forest.

Pwd-Last-Set attribute
http://technet.microsoft.com/en-us/subscriptions/ms679430%28v=vs.85%29.aspx

In the end, we found there was a replication issue between child domain and parent. The child domain had a corrupt AD database that needed to be defragged offline using these directions.

http://technet.microsoft.com/en-us/library/cc794920(v=ws.10).aspx

Now when running:
Get-QADUser username -SearchRoot "DC=mydomain,DC=com" -UseGlobalCatalog
and running:
Get-QADUser username -Service "childdc.mydomain.com"
they both return the same PasswordLastSet. It is just the command using the GlobalCatalog is a LOT faster.

I give v-2nas the points as repadmin /syncall didn't answer my question, it did put me on the right track. Thanks.
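
An added example, not part of the thread and not code from any participant: a PowerShell check that automates the comparison the asker did by hand, flagging accounts whose PasswordLastSet differs between a global catalog result and a child DC result. The function name, the five-minute tolerance, the status labels and the sample records are assumptions made for illustration; accounts are keyed on Domain plus SamAccountName so a same-named account in the parent domain is never compared with the child's.

```powershell
# Added example: compare PasswordLastSet per account between two result sets.
function Compare-PasswordLastSet {
    param(
        [Parameter(Mandatory=$true)] [object[]] $FromGC,
        [Parameter(Mandatory=$true)] [object[]] $FromDC,
        [TimeSpan] $Tolerance = [TimeSpan]::FromMinutes(5)   # assumed allowance
    )
    # Key on Domain\SamAccountName so identically named accounts in the
    # parent and child domains are never compared with each other.
    $gcIndex = @{}
    foreach ($u in $FromGC) { $gcIndex["$($u.Domain)\$($u.SamAccountName)"] = $u }

    foreach ($d in $FromDC) {
        $key = "$($d.Domain)\$($d.SamAccountName)"
        $g   = $gcIndex[$key]
        if ($null -eq $g) {
            $status = 'NotInGC'      # account absent from the GC result
        } elseif ($null -eq $g.PasswordLastSet -or $null -eq $d.PasswordLastSet) {
            $status = 'NoValue'      # one side returned no timestamp
        } elseif (($d.PasswordLastSet - $g.PasswordLastSet).Duration() -gt $Tolerance) {
            $status = 'Mismatch'     # the two sources disagree
        } else {
            $status = 'Match'
        }
        $gcValue = if ($null -ne $g) { $g.PasswordLastSet } else { $null }
        [pscustomobject]@{
            Account = $key
            GC      = $gcValue
            DC      = $d.PasswordLastSet
            Status  = $status
        }
    }
}

# Constructed sample records. The dates for 'username' are the ones in the
# thread (time of day is not shown there, so midnight is used); 'otheruser' is made up.
$gc = @(
    [pscustomobject]@{ SamAccountName='username';  Domain='CHILD'; PasswordLastSet=[datetime]'2011-09-29' }
    [pscustomobject]@{ SamAccountName='otheruser'; Domain='CHILD'; PasswordLastSet=[datetime]'2012-08-01' }
)
$dc = @(
    [pscustomobject]@{ SamAccountName='username';  Domain='CHILD'; PasswordLastSet=[datetime]'2012-09-17' }
    [pscustomobject]@{ SamAccountName='otheruser'; Domain='CHILD'; PasswordLastSet=[datetime]'2012-08-01' }
)
# Live use with the thread's own commands (requires the Quest cmdlets):
#   $gc = Get-QADUser username -SearchRoot "DC=mydomain,DC=com" -UseGlobalCatalog
#   $dc = Get-QADUser username -Service "childdc.mydomain.com"
Compare-PasswordLastSet -FromGC $gc -FromDC $dc | Where-Object { $_.Status -ne 'Match' }
```

A password-expiry reminder script that reads from the faster source can run this check first and fall back to the child DC while any row is reported.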