Here is an article summarizing how to check for inactive or stale accounts in AD 2008/R2:

First read this interesting article: http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

This article explains that, since Windows Server 2003, you should not use lastLogon but lastLogonTimestamp instead. In short:

“The lastLogonTimeStamp attribute indicates the time that a user last logged on to the domain. This attribute is replicated to all domain controllers…. The lastLogontimeStamp attribute is not updated with all logon types or at every logon. The good news is that the logon types that admins usually care about will update the attribute and often enough to accomplish its task of identifying inactive accounts. Interactive, Network, and Service logons will update the lastLogontimeStamp. So if a user logs on interactively, browses a network share, accesses the email server, runs an LDAP query etc… the lastLogontimeStamp attribute will be updated if the right condition is met.”

Note: ADFS logons do not update lastLogonTimestamp, so the attribute tells you nothing about users who only ever access through the Internet via ADFS. For those users, collect Event ID 4624 from the Security event log of each internal ADFS server instead.

How to make lastLogonTimestamp values more accurate?

Modify the msDS-LogonTimeSyncInterval attribute on the domain naming context (it controls how stale the stored value may be before a logon rewrites it):

Reference article: http://blogs.metcorpconsulting.com/tech/?p=283

Changing the ms-DS-Logon-Time-Sync-Interval value is actually quite simple.

  1. Open ADSI Edit.
  2. Right-click the domain DN (DC=domain,DC=com) under Default naming context and select Properties.
  3. Under Attribute Editor, scroll down to the msDS-LogonTimeSyncInterval attribute and click Edit.
  4. Enter a value in days from 1 to 100,000 (280 years, the maximum enforced by AD) and click OK.
  5. Click OK.

How to get lastLogonTimestamp values?

– Using repadmin, or using the Quest cmdlets for AD.

Here are some examples:

With repadmin first:

– repadmin /showattr * dc=mydom,dc=domain,dc=com /subtree /filter:"(&(objectCategory=Person)(objectClass=user))" /attrs:lastLogonTimestamp > .\logs\full-allusers-lastLogonTimestamp.txt

With Quest cmdlets:

– Get-QADUser -SearchRoot 'mydom.domain.com' -SizeLimit 0 -Enabled -InactiveFor 360 | Select-Object samaccountname,displayname,lastlogontimestamp,passwordage

Regarding the usage of Get-QADUser, read this very interesting article from D. Sotnikov (my god!):

http://dmitrysotnikov.wordpress.com/2010/07/30/locating-obsolete-users-and-computers/

To verify that lastLogonTimestamp is being updated and replicated as expected, you can use repadmin.exe with the /showattr switch. Some examples are given below. They are intended to show that lastLogonTimestamp is updated within the 9-14 day window and replicated to all DCs in the domain; they are not an example of how to manage stale accounts.

1. Using repadmin to check the value of lastLogonTimestamp on all DCs in the domain for one user:

repadmin /showattr * <DN of the target user> /attrs:lastLogonTimestamp > lastLogonTimestamp.txt

Example:

repadmin /showattr * CN=user1,OU=accounting,DC=domain,DC=com /attrs:lastLogonTimestamp > lastLogonTimestamp.txt

2. Using repadmin to dump lastLogonTimestamp for all users in the domain, including users that have no value in the attribute (the domain DN is the search base for /subtree):

repadmin /showattr * dc=domain,dc=com /subtree /filter:"(&(objectCategory=Person)(objectClass=user))" /attrs:lastLogonTimestamp > lastLogonTimestamp.txt

3. Dump lastLogonTimestamp for users, but only those that have the attribute populated (the extra (lastLogonTimestamp=*) term excludes accounts that have never logged on):

repadmin /showattr * dc=domain,dc=com /subtree /filter:"(&(lastLogonTimestamp=*)(objectCategory=Person)(objectClass=user))" /attrs:lastLogonTimestamp > lastLogonTimestamp-2-22-2009.txt
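Whichever tool you export with, the raw attribute is a 64-bit FILETIME and it can lag the real last logon by up to the sync interval, so a naive "older than N days" check misclassifies accounts. The following Python script is an added example (not from this post or the linked articles) that decodes the value, allows for that lag, and handles accounts with no value at all; the account records, the 90-day threshold and the "now" date are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
# AD stores lastLogonTimestamp (and pwdLastSet) as a 64-bit count of
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC (a Windows FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """Decode a raw lastLogonTimestamp value into a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (integer arithmetic, so it round-trips exactly)."""
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def classify(account, now, inactive_days=90, sync_interval_days=14):
    """Return 'active', 'stale' or 'never-logged-on' for one account record.

    The attribute is only rewritten when the stored value is older than
    msDS-LogonTimeSyncInterval (default 14 days) minus a random offset, which is
    where the 9-14 day window comes from. The stored value can therefore lag the
    real last logon by up to sync_interval_days, so the cutoff allows for that lag.
    """
    ticks = account.get("lastLogonTimestamp")
    if not ticks:
        # Absent or 0: the account has never logged on since the attribute existed.
        # Judge it by its creation date rather than silently skipping it.
        created = datetime.fromisoformat(account["whenCreated"])
        return "never-logged-on" if (now - created).days > inactive_days else "active"
    cutoff = now - timedelta(days=inactive_days + sync_interval_days)
    return "stale" if filetime_to_datetime(ticks) < cutoff else "active"

def find_stale(accounts, now, **kw):
    """sAMAccountNames of every account that is not confidently active."""
    return sorted(a["sAMAccountName"] for a in accounts if classify(a, now, **kw) != "active")

# Constructed sample records (not real accounts), shaped like an LDAP export.
NOW = datetime(2011, 3, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "alice", "whenCreated": "2009-01-05T09:00:00+00:00",
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=3))},
    # 100 days: older than 90, but inside the 14-day replication slack, so not reported.
    {"sAMAccountName": "bob", "whenCreated": "2009-01-05T09:00:00+00:00",
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=100))},
    {"sAMAccountName": "carol", "whenCreated": "2008-06-01T09:00:00+00:00",
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "dave", "whenCreated": "2010-02-01T09:00:00+00:00",
     "lastLogonTimestamp": None},  # never logged on: attribute absent
]
```

Running `find_stale(SAMPLE, NOW)` reports carol and dave but not bob, which is the point: lower `sync_interval_days` only if you have actually reduced msDS-LogonTimeSyncInterval as described above.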

Other web resources about lastLogonTimestamp:

Administering an RODC: http://technet.microsoft.com/en-us/library/dd736126(v=ws.10).aspx