
LDAP query example using lastLogon attribute


Kevin Price

Jul 26, 2007, 12:16:12 PM7/26/07
Hi

I am looking for an example of an LDAP query that lists user accounts based
on the number of days since last logon. The Active Directory Users and
Computers MMC has the ability to do this but it does not show the LDAP query
string. Can anyone help?

Thanks in advance.

Richard Mueller [MVP]

Jul 26, 2007, 2:50:36 PM7/26/07
Kevin Price wrote:

An LDAP query for all users that have not logged on since 4/1/2007 (in my
time zone) would be:

(&(objectCategory=person)(objectClass=user)(lastLogon<=128198772000000000))

The lastLogon attribute is Integer8, a 64-bit number that represents
date/time values (in UTC) as the number of 100-nanosecond intervals since
12:00 AM January 1, 1601. I have an example VBScript program demonstrating
how to convert any date/time value into the corresponding Integer8 value
linked here:

http://www.rlmueller.net/Programs/DateToInteger8.txt

This program converts 4/1/2007 to 128,198,772,000,000,000. I don't know of
any way to combine the date conversion with the query, even if you ignored
the time zone adjustment.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
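The date-to-Integer8 conversion and the filter string from Richard's reply above, as an added example (this is not the thread's code and not Richard's DateToInteger8.txt script; function names are mine). It reproduces the thread's value, 128198772000000000, for midnight 4/1/2007 in a UTC-5 time zone (US Central Daylight Time, which is what that number implies), and it assumes you will pass the resulting filter to whatever LDAP client you use. Two optional clauses go beyond the post: dropping accounts whose attribute is stored as 0 ("never", which still satisfies `<=`), and excluding disabled accounts with the LDAP_MATCHING_RULE_BIT_AND matching rule (OID 1.2.840.113556.1.4.803) on userAccountControl.

```python
# Added example, not from the original thread: convert a date/time to the
# Integer8 (Windows FILETIME) form used by lastLogon / lastLogonTimeStamp,
# convert it back, and build the LDAP filter from it.
from datetime import datetime, timedelta, timezone

# Integer8 counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Midnight 4/1/2007 in US Central Daylight Time (UTC-5): the cutoff Richard
# used. Assumed time zone, chosen because it reproduces his number.
CUTOFF_FROM_THREAD = datetime(2007, 4, 1, tzinfo=timezone(timedelta(hours=-5)))


def date_to_integer8(dt: datetime) -> int:
    """Return the Integer8 value for a timezone-aware datetime.

    A naive datetime is rejected on purpose: the time-zone adjustment is
    exactly the step the thread warns about, so it has to be explicit.
    """
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND \
        + delta.microseconds * 10


def integer8_to_date(value: int) -> datetime:
    """Inverse of date_to_integer8; the result is in UTC."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def stale_user_filter(cutoff: datetime, attribute: str = "lastLogon",
                      include_never_logged_on: bool = True,
                      exclude_disabled: bool = False) -> str:
    """LDAP filter for user objects whose `attribute` is at or before `cutoff`.

    include_never_logged_on=False adds `(attribute>=1)` so a stored value of
    0 (shown as "never" by most tools) no longer matches; an attribute that
    is absent altogether never matches a comparison filter either way.
    exclude_disabled adds a bitwise-AND match on userAccountControl bit 0x2
    (ACCOUNTDISABLE); this clause is my addition, not from the thread.
    """
    clauses = ["(objectCategory=person)", "(objectClass=user)",
               f"({attribute}<={date_to_integer8(cutoff)})"]
    if not include_never_logged_on:
        clauses.append(f"({attribute}>=1)")
    if exclude_disabled:
        clauses.append("(!(userAccountControl:1.2.840.113556.1.4.803:=2))")
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    print(date_to_integer8(CUTOFF_FROM_THREAD))
    print(stale_user_filter(CUTOFF_FROM_THREAD))
    print(stale_user_filter(CUTOFF_FROM_THREAD, "lastLogonTimeStamp",
                            include_never_logged_on=False, exclude_disabled=True))
    print(integer8_to_date(128198772000000000).isoformat())
```

Run as-is it prints the thread's Integer8 value, the same filter Richard posted, a stricter lastLogonTimeStamp variant, and the UTC instant (05:00 UTC) that the thread's number actually denotes; any daylight-saving or time-zone error shows up as a multiple of 3600 seconds in that last line.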


Karl Mitschke

Jul 26, 2007, 5:45:59 PM7/26/07

"Richard Mueller [MVP]" <rlmuelle...@ameritech.nospam.net> wrote in
message news:%23tfa%23X7zH...@TK2MSFTNGP06.phx.gbl...

Richard;

This has the potential of returning invalid data if you are in a domain with
multiple domain controllers, correct?

The OP should query each DC and compare results, AFAIK

Karl


Richard Mueller [MVP]

Jul 26, 2007, 8:13:36 PM7/26/07

"Karl Mitschke" <kmit...@microsoft.com> wrote in message
news:O2wdc58z...@TK2MSFTNGP04.phx.gbl...
I'm sorry, you are correct. You would get a value accurate to within 14 days
(by default) if your domain is at Windows 2003 functional level and you
substitute lastLogonTimeStamp for lastLogon in the query. Otherwise, you
must query every DC in the domain (unless you have just one). An example
script to retrieve the last logon date/time for all users is linked here:

http://www.rlmueller.net/Last%20Logon.htm

Kevin Price

Jul 27, 2007, 4:28:00 AM7/27/07
Richard / Karl

Thanks for the information. We have many DCs spread across a wide area
network and our domains are at Win2K3 functional level, so I'll try using the
lastLogonTimeStamp attribute. I actually want a list of user accounts that
have not been used for n days (e.g. 30+), so the 14-day inaccuracy is OK.

Thanks again.

Karl Mitschke

Jul 27, 2007, 10:18:41 AM7/27/07
"Kevin Price" <Kevin...@discussions.microsoft.com> wrote in message
news:D8A3B93E-4CFC-4B9F...@microsoft.com...

> Richard / Karl
>
> Thanks for the information. We have many DCs spread across a wide area
> network and our domains are at Win2K3 functional level so I'll try using
> the
> lastLogonTimeStamp attribute. I actually want a list of user accounts
> that
> have not been used for n days (eg 30+) so the 14 day inaccuracy is ok.
>
> Thanks again.

Kevin;

I'd rethink that - suppose user X shows that he hasn't logged in for 200
days on DC1, but 3 days ago he validated off DC2.

DC1 will not get the information that X has logged in for 11 more days, and
thus you are still looking at wildly invalid data, as I understand it.

I'd run Richard's script, LastLogon.vbs, that he provides here:
http://www.rlmueller.net/Last%20Logon.htm

Karl


Karl Mitschke

Jul 27, 2007, 10:19:54 AM7/27/07
"Richard Mueller [MVP]" <rlmuelle...@ameritech.nospam.net> wrote in
message news:eBbaeM%23zHH...@TK2MSFTNGP04.phx.gbl...

Richard;

Thanks for validating that for me - I had the horrible thought that I was
querying all my BDCs for no good reason.

Karl


Richard Mueller [MVP]

Jul 27, 2007, 12:32:55 PM7/27/07

"Karl Mitschke" <kmit...@microsoft.com> wrote in message
news:eSA8KkF0...@TK2MSFTNGP03.phx.gbl...

The lastLogon attribute is updated every time the user logs on, but only
on the DC that authenticates the user. The attribute is not replicated, so
there is a different value for the user on every DC. The replication traffic
would be greatly increased if this got replicated at every logon.

The lastLogonTimeStamp attribute is only updated if the previous value is at
least 14 days in the past (this interval can be adjusted). However, it is
replicated to all DCs. Microsoft made this trade-off: a bit more
replication traffic, a value only accurate to within 14 days, but hopefully
a useful attribute. The advantage is that you only need to query one DC
(whichever DC responds to your query). The same value is saved on all DCs.
If the value of lastLogonTimeStamp corresponds to 84 days in the past, you
know the user has not logged in for at least 70 days, maybe as many as 84.
The value is still Integer8, so the 64-bit number must be converted to a
date.
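Karl's multi-DC scenario and Richard's explanation of the two attributes, as an added example (not code from the thread or from the LastLogon.vbs script linked above). The DC names, user names and logon values are constructed sample data standing in for what each DC would return for lastLogon; it assumes you collect those per-DC results with whatever LDAP client you use. It shows the wrong answer a single DC gives, the correct answer from taking the maximum across all DCs, and the arithmetic for the lastLogonTimeStamp slack: the "44 days to be sure of 30" rule and the "84 days old means 70 to 84 days idle" bounds. One caveat beyond the thread: Microsoft documents the default update interval as 14 days minus a random amount of up to 5 days, so 14 days is the upper bound on the lag, and the slack below is sized to that upper bound.

```python
# Added example, not from the original thread: reconcile the non-replicated
# lastLogon attribute across several DCs, and size the cutoff correctly when
# the replicated but lagging lastLogonTimeStamp is used instead.
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# lastLogonTimeStamp is only rewritten when the stored value is at least this
# many days old (the default quoted in the thread; configurable per domain).
LOGON_TIME_SYNC_INTERVAL_DAYS = 14

NOW = datetime(2007, 7, 27, 12, 0, tzinfo=timezone.utc)  # constructed "today"


def to_integer8(dt: datetime) -> int:
    """Timezone-aware datetime -> 100 ns ticks since 1601-01-01 UTC."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def days_ago(days: int) -> int:
    return to_integer8(NOW - timedelta(days=days))


# Constructed: what each DC reports for lastLogon (0 = never on that DC).
# Karl's scenario: userx looks idle for 200 days on DC1, but authenticated
# against DC2 three days ago.
LASTLOGON_BY_DC = {
    "DC1": {"userx": days_ago(200), "alice": days_ago(45), "bob": 0},
    "DC2": {"userx": days_ago(3),   "alice": days_ago(60), "bob": 0},
    "DC3": {"userx": 0,             "alice": days_ago(90), "bob": 0},
}


def newest_lastlogon(per_dc: dict) -> dict:
    """Per user, the largest lastLogon seen on any DC.

    lastLogon is not replicated, so only the maximum across every DC in the
    domain is the real last logon; any single DC's value is a lower bound.
    """
    newest = {}
    for values in per_dc.values():
        for user, ticks in values.items():
            newest[user] = max(newest.get(user, 0), ticks)
    return newest


def stale_users(per_dc: dict, idle_days: int, now: datetime = NOW) -> list:
    """Users whose newest lastLogon is at least idle_days old.

    Accounts that are 0 on every DC (never logged on) are reported too,
    because 0 <= cutoff; drop them separately if that is not wanted.
    """
    cutoff = to_integer8(now - timedelta(days=idle_days))
    return sorted(u for u, t in newest_lastlogon(per_dc).items() if t <= cutoff)


def single_dc_stale_users(per_dc: dict, dc: str, idle_days: int,
                          now: datetime = NOW) -> list:
    """The same test run against one DC only: the mistake Karl describes."""
    return stale_users({dc: per_dc[dc]}, idle_days, now)


def timestamp_query_days(idle_days: int,
                         sync_days: int = LOGON_TIME_SYNC_INTERVAL_DAYS) -> int:
    """Age to query for on lastLogonTimeStamp to be sure of idle_days idle.

    A value N days old only proves the user has been idle between
    N - sync_days and N days, so to prove at least idle_days you must query
    for idle_days + sync_days (30 days idle -> query for 44 days or more).
    """
    return idle_days + sync_days


def idle_bounds_from_timestamp(value: int, now: datetime = NOW,
                               sync_days: int = LOGON_TIME_SYNC_INTERVAL_DAYS) -> tuple:
    """(minimum, maximum) whole days idle implied by a lastLogonTimeStamp value."""
    age_days = (to_integer8(now) - value) // (10_000_000 * 86400)
    return (max(age_days - sync_days, 0), age_days)


if __name__ == "__main__":
    print("DC1 only:", single_dc_stale_users(LASTLOGON_BY_DC, "DC1", 30))
    print("all DCs :", stale_users(LASTLOGON_BY_DC, 30))
    print("query lastLogonTimeStamp <=", timestamp_query_days(30), "days ago")
    print("84-day-old timestamp means idle (min, max):",
          idle_bounds_from_timestamp(days_ago(84)))
```

Querying DC1 alone reports userx as stale; merging all three DCs removes userx (DC2 saw a logon three days ago) and leaves alice and bob, with bob present only because a value of 0 on every DC satisfies the comparison. The two lastLogonTimeStamp helpers give 44 for a 30-day policy and (70, 84) for an 84-day-old value, matching Kevin's and Richard's figures.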

Kevin Price

Jul 27, 2007, 12:48:02 PM7/27/07
Richard / Karl

Great support, thanks for your input. This has confirmed my understanding:
if I want to know who hasn't logged on for at least thirty days, then
I need to query for last logons of 44 days or more. This is perfectly
acceptable for my needs and clarifies how multiple DCs synchronise.

Thanks guys, have a great weekend.

Karl Mitschke

Jul 27, 2007, 12:57:57 PM7/27/07
"Richard Mueller [MVP]" <rlmuelle...@ameritech.nospam.net> wrote in
message news:uMX9LvG0...@TK2MSFTNGP05.phx.gbl...

OK, Thanks for the clarification.

Karl

