You are ascribing more power to me than I possess, Rick :p There is no known way to get Joe's head to be bigger than it currently is. It's sooooooo big it has its own separate zip/area code :-0 Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of Rick Kingslan Sent: Sun 5/29/2005 2:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lastlogontimestamp- <note to Deji> You just made joe's head bigger... </note to Deji> Rick -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, May 27, 2005 8:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lastlogontimestamp- I'll yield on this and stand corrected. Although I did not exactly remember reading about (or observing) this behavior, current materials I just consulted say that Joe and Diane are correct - as always. <note to self> Got to read more. </note to self> Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of joe Sent: Fri 5/27/2005 6:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lastlogontimestamp- Yes, I agree with you, it is incorrect. BDC's weren't entirely read only, non-replicating attributes such as last logon, bad password count, etc were written locally and yes you had to query all DCs to get an accurate accounting of what happened. If this were the architecture of NT4, the PDC would have burned to the ground in any decent sized enterprise. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane Sent: Friday, May 27, 2005 7:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lastlogontimestamp- > In NT4, all updates go up to the PDC. This is why you will get a true > last login report Not that my small wattage can hold a candle to the brain power for the others on the list but isn't this incorrect? IIRC, under NT 4.0 the last logon went to the authenticating DC. That is why you had to query all the DCs in a domain to get an accurate lastlogon value for an account. Updates to an account such as pwd changes, etc went to the DC. Not that it really matter since NT 4.0 is no longer relevant. Diane -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, May 27, 2005 2:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lastlogontimestamp- In NT4, all updates go up to the PDC. This is why you will get a true last login report. Post NT4, most updates take place on any DC, and lastlogon is one such update. Because it is possible that a user can be authenticated by different DC at different time, AND because lastlogon is NOT replicated between DCs, you will get different lastlogon report, depending on which DC you are querying for it. The reason you are getting a consistent report today is likely because you are querying the DC that logged you in today. If you query ANOTHER DC now, you will get a different result IF that DC had not authenticated you today. Lastlogontimestamp was introduced in 2K3 to address this lack of correlation in a multi-DC environment. Lastlogontimestamp is "eventually" replicated and adjusted, so you will get more consistent result if you query multiple DCs for lastlogontimestamp. Before lastlogontimestamp, you will have to query ALL your DCs for lastlogon, then you will have to compare the results they give you and find the most current in order to get a semblance of accurate last logon. HTH Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of Medeiros, Jose Sent: Fri 5/27/2005 1:59 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lastlogontimestamp- Hi Al, Thank you for taking the time to reply, and I very much appreacite your effort on researching this. You know that I recall using USRSTAT on a NT4 Domain and it would show the Domain Controller that actually authenticated the user account, however it does not seem to display this output in an Active Directory Forrest. Go figure.. BTW: My last logon is the correct time and I have logged in several times today. Have a happy Memorial day weekend! Peace! Jose :-) ------------------------------------------------------------ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Al Mulnick Sent: Friday, May 27, 2005 1:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lastlogontimestamp- Part of the problem I see with your output below is that it doesn't show which domain controller you last logged on to. While that's not a problem if you have only one DC in your forest, it can be if you have more than that. LastLogon is not replicated. LastLogonTimeStamp is and as such you have to query each possible DC to find out the last logon. To make matters worse, there is a fix out there somewhere that causes ntlm auth to actually update this field (or am I just dreaming it? :) In the end, you'll want more than just the lastlogon to figure out what a user is doing. You may be able to show something close, in which case lastlogontimestamp will show you plenty. I would likely forgo the int8 conversions and opt instead for the IADSUser if you don't need that accuracy. For that matter, I'd likely forgo vbscript if I needed pinpoint accuracy because vbscript won't be as accurate with numbers as something like c# or perl or jscript or... To figure out what users are doing, you'll want to look at the pwdLastSet attribute as well and possibly some other information to get a real feel for the usage patterns before automating some action. If I ever get the time, I still have some code lying around that does that kind of logic and spits out the accounts that way. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Friday, May 27, 2005 4:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lastlogontimestamp- Hi Joe, Quick question, I have always just used the NET USER /DOM (username ) at a command prompt which gives me the following output: ---------------------------- C:\Documents and Settings\jmedeiros>net user /dom jmedeiros The request will be processed at a domain controller for domain Stargate.sg1.net. User name jmedeiros Full Name Medeiros, Jose Comment User's comment Country code 000 (System Default) Account active Yes Account expires Never Password last set 3/16/2005 6:52 PM Password expires 6/14/2005 6:52 PM Password changeable 3/16/2005 6:52 PM Password required Yes User may change password Yes Workstations allowed All Logon script CISCO123.bat User profile Home directory Last logon 5/27/2005 12:57 PM Logon hours allowed All ------- However If I wanted to use this complex VBscript to do the same thing tyhat a simple dos command can do, how would I add a wildcard to this vbscript that show's all the user logons and have it dump the output in a text file? Regards, Jose Medeiros ------------------------------------------------------------------------ - , but if I wanted to use this vbscript to give -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe Sent: Friday, May 27, 2005 12:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] lastlogontimestamp Split the difference, grab adfind from www.joeware.net in the free windows tools section and see what it decodes the values to. I can't speak to acctinfo dll as I never used it. Vbscript decoding of int8 values is often troublesome, it is possible the code below isn't doing a very accurate decode, I haven't checked it. I can guarantee adfind is doing it well with the possible debate around DST issues and what really should be displayed (should it be a value that was accurate at the time or a value accurate after a DST switch). The most accurately returned values I have seen for vbscript have been out of code Richard Mueller has put together. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Robin Sent: Friday, May 27, 2005 2:31 PM To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] lastlogontimestamp Hi. Our domain is at the Windows 2003 server functional level. I have registered acctinfo.dll from the 2003 resource kit and have the Additional Account Info tab in ADUC. I am finding a big discrepancy between the lastlogontimestamp date on the Additional Account Info tab and the actual lastlogontimestamp date. For example, John Doe shoes a lastlogontimestamp of 11/23/04 in ADUC. However, if I execute the following script: Set objUser = GetObject("LDAP://cn=John Doe, ou=MOET (g14), ou=Field Users, ou=LWD Accounts, dc=njdol, dc=ad, dc=dol") Set objLastLogon = objUser.Get("lastLogonTimestamp") intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart intLastLogonTime = intLastLogonTime / (60 * 10000000) intLastLogonTime = intLastLogonTime / 1440 Wscript.Echo "Last logon time: " & intLastLogonTime + #1/1/1601# (code was taken from here: http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.m spx) I get a much more current date (5-25-05). This is happening with more than one user. Any explanation for why this happens. I've done a lot of reading this week and I understand that the lastlogontimestamp field could be off by 7-10 days but this is several months. Thanks, Robin NJDOL List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
