Eh, I was mixing up last logon timestamp with "last communicated with AD" which of course as you said, is different.
RTFM? That's just crazy! Dave From: Free, Bob [mailto:r...@pge.com] Sent: Wednesday, April 15, 2009 12:58 PM To: NT System Admin Issues Subject: RE: When did a PC last communicate with AD? It's the actual lastLogonTimestamp attribute value with the date/time math done for you. pwage and llts age are values oldcmp computes for you, the other fields you show below are the actual attributes themselves. If you are in DFL2 lastLogonTimeStamp is a replicated attribute and can be used by oldcmp... Just use the -llts switch. If you aren't in the right mode, it will tell you and won't use it. IIRC the assumption was that llts would be fresher than pwdlastset (oldcmp default) but the tool was written to the lowest common denominator and uses pwdlastset to calculate age of the account by default. C:\Admin\Util>oldcmp /? OldCmp V01.05.00cpp Joe Richards (j...@joeware.net) December 2004 Usage: OldCmp [switches] <snip> -llts If K3 domain in Domain Functional mode uses lastLogonTimeStamp instead of pwdLastSet for age options. </snip> Read the help there is some cool stuff in there <wink> From: David Lum [mailto:david....@nwea.org] Sent: Wednesday, April 15, 2009 11:46 AM To: NT System Admin Issues Subject: RE: When did a PC last communicate with AD? What is the "lastLogonTimestamp" field that you get when using OLDCMP.EXE? pwdLastSet pwage whenCreated accountExpires lastLogonTimestamp lltsAge David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 From: Free, Bob [mailto:r...@pge.com] Sent: Wednesday, April 15, 2009 11:12 AM To: NT System Admin Issues Subject: RE: When did a PC last communicate with AD? There is no specific attribute of a computer acct that tells you the last time "it communicated with AD" in the directory. Modified just tells you what it implies, *something* was modified, not *what*. It is not replicated so it is only an indication of a change to the object *on the DC you are looking at*, it will be different on other DC's. You don't have any idea what was changed, it could be anything, even something modified by the system. Depending on the AD version you are running and functional level, people usually look at some combination of lastlogon, lastlogontimestamp and pwdlastset attributes to determine comp acct "activity". (If you are in DFL2 lastLogonTimeStamp is replicated) Natively you can get them with dsquery,cvsde, ldife, adsiedit, scripting tool of choice, etc. Personally I would use oldcmp for a report or adfind (joeware.net tools) for a quick one-off check for a *stale* comp acct. It is definitely possible to get a rough idea with native tools although it is more work. What are you trying to accomplish and why the native tool requirement? From: cs [mailto:chr...@gmail.com] Sent: Wednesday, April 15, 2009 7:42 AM To: NT System Admin Issues Subject: When did a PC last communicate with AD? Is there a way to tell when a PC last communicated with AD using native tools? I was always under the impression the modified field on the Properties tab could be used to determine this information??? ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
