Oh yeah? Bicycle and car, eh?
I see it more as driving to the grocery store down the street for a gallon of milk in your SUV while the trusty VM is in the garage.
1-2 admin at a thousand US greenbacks a pop? And all you are looking for is last logon? Thanks, but no thanks.
Sincerely,
_____
(, / | /) /) /)
/---| (/_ ______ ___// _ // _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Michael Miller
Sent: Wed 8/16/2006 7:55 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Find last logon for ID
It strikes me that y'all are trying to cobble together a bicycle. Why not use a car? AD Toolkit from Javelina Software has last logon as one of many pre-configured reports. You run it against and OU or entire domain and it returns last logon info as well as which DC handled it. Saving a report as a CSV file is also a standard option. I sometime use it for machine account last logon info to find those which may have left with Elvis. See http://www.javelinasoftware.com/advantage.html Michael J. Miller Computing Services College of Veterinary Medicine, UIUC _________________________________________________________________ joe wrote: > You may want to test this in your environment, but from an efficiency > standpoint, with this query you may want to trim it all the way down > to sAMAccountName=username > > This is an odd one because objectcategory and samaccountname are both > indexed so the QP has to decide which index to use based on some > internal logic. From what I have experienced it usually chooses > objectcategory probably because it will have fewer values than > samaccountname. However in this case samaccountname is "guaranteed" to > be unique so it can go directly to the object in question. Whereas > with objectcategory it will have to visit all of the person objects. > Another alternative would be to try and stick the sAMAccountName > portion of the query at the very beginning of the query which seems to > push that index into being used from what I have seen. I don't agree > that reversing the filter like that should cause this to happen but it > seems to which is why if I have multiple indexed attributes in an AND > query I try to stick with putting the most specific one at the front. > Why it all works this way I have some ideas but honestly, the QP > specifics are something that should come from someone with more > intimate knowledge of the QP code like ~Eric or someone else who has > spent 14 hour days in that specific section of the code. It would make > great blog entries I think... I would also buy the book but I think > that would be an extremely limited audience and probably not worth > writing as a whole official book. :) > > You can experiment with this, assuming you are basically an Admin on > your DCs with the -stats+only switch in ADFIND like so: > > adfind -b some_base_dn -f "somefilter" -dn -stats+only > > *Initial Query* > Elapsed Time: 0 (ms) > Returned 1 entries of 16 visited - (6.25%) > > Used Filter: > ( & (objectClass=user) > (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=test,DC=loc) > (sAMAccountName=$joe) ) > > Used Indices: > idx_objectCategory:16:N > > *Query Reversed* > Elapsed Time: 0 (ms) > Returned 1 entries of 1 visited - (100.00%) > > Used Filter: > ( & (sAMAccountName=$joe) (objectClass=user) > (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=test,DC=loc) ) > > Used Indices: > idx_sAMAccountName:1:N > > *Query chopped* > Elapsed Time: 0 (ms) > Returned 1 entries of 1 visited - (100.00%) > > Used Filter: > (sAMAccountName=$joe) > > Used Indices: > idx_sAMAccountName:1:N > > > > > > -- > O'Reilly Active Directory Third Edition - > http://www.joeware.net/win/ad3e.htm > > > > ------------------------------------------------------------------------ > *From:* [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] *On Behalf Of *Chong Ai Chung > *Sent:* Wednesday, August 16, 2006 3:34 AM > *To:* ActiveDir@mail.activedir.org > *Subject:* Re: [ActiveDir] Find last logon for ID > > You can get this information using adfind: > > adfind -b dc=domaname,dc=com -f > "(&(Objectclass=user)(Objectcategory=person)(samaccountname=username))" lastlogontimestamp > -tdc > > If you are looking for script, you can refer to following Script > Center article: > > http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx > > Regards, > > Ai chung > > On 8/16/06, *Tashildar, Dinesh (Cognizant)* > <[EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]>> wrote: > > > > Does anyone know script to get last logon stamp for active > directory user? > > This e-mail and any files transmitted with it are for the sole use > of the intended recipient(s) and may contain confidential and > privileged information. > If you are not the intended recipient, please contact the sender > by reply e-mail and destroy all copies of the original message. > Any unauthorised review, use, disclosure, dissemination, > forwarding, printing or copying of this email or any action taken > in reliance on this e-mail is strictly > prohibited and may be unlawful. > > Visit us at http://www.cognizant.com <http://www.cognizant.com/> > > List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx