Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Query question

0 views
Skip to first unread message

Bill

unread,
Sep 7, 2007, 11:26:01 AM9/7/07
to
What is the easiest way to query Active Directory for members of a particular
group who have either never logged on to the domain or have not logged on in
x number of days? I don't see how to do this via dsget or dsquery and I'm
not sure how to create a custom query to accomplish this.

Mathieu CHATEAU

unread,
Sep 7, 2007, 12:02:33 PM9/7/07
to
Hello,
you can't check group directly, you need to check each user account instead.
If you have many DC, you would have to check on each DC. This is the
lastlogon attribute

If your domain is 2003 (functionnal mode), then there is also the
lastLogonTimestamp attribute, which is replicated between DC every 14 days.

You may use this addon:
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

copy and register the acctinfo.dll. You will have a new tab on user
properties on ADUC (dsa.msc) which indicates the lastlogon.

You may also use a former quest tool, QDD which was freeware.

Or use the joe great oldcmp:
http://www.joeware.net/freetools/tools/oldcmp/index.htm


--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Bill" <Bi...@discussions.microsoft.com> wrote in message
news:E4D09EB7-966E-4EEC...@microsoft.com...

Bill

unread,
Sep 7, 2007, 4:14:02 PM9/7/07
to
Is -Inactive [number of weeks inactive] in DSQuery the same as lastlogondate?

Richard Mueller [MVP]

unread,
Sep 7, 2007, 10:26:03 PM9/7/07
to
The dsquery -inactive option uses the lastLogonTimeStamp attribute, which is
only available if your domain is at Windows 2003 functional level. Joe
Richards's oldcmp tool is the best choice.

To query for all users that are members of a particular group the filter
would be:

(memberOf=cn=MyGroup,ou=West,dc=MyDomain,dc=com)

You must specify the full Distinguished Name of the group. You could use
this in ADUC (View, Filter Options, Create custom filter, Customize,
Advanced, and enter the filter), or in a VBScript program using ADO. The
filter can also be used with Joe Richards' adfind utility. Or your can
retrieve all direct members of a group with:

dsget group "cn=MyGroup,ou=West,dc=MyDomain,dc=com" -expand -members

You might be able to combine these (dsget and dsquery) to get what you want
(assuming your domain is at W2k3 functional level), but I haven't figured
out how.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"Bill" <Bi...@discussions.microsoft.com> wrote in message

news:DA4EC16C-09A4-4784...@microsoft.com...

0 new messages