Since the lastLogonTimeStamp attribute is replicated across all domain controllers in your domain, instead of querying lastLogon on every domain controller, you can use a single query to find all users and computers that have, or have not, logged on within a specified time.
NOTE: To use this functionality, your Windows Server 2003 domain must be at the Windows Server 2003 domain functional level.
There are certain cases when the lastLogonTimestamp attribute is NOT updated:
- Certificate mapping through IIS.
- Username and password authentication through IIS.
- .NET Passport mapping through IIS.
- All Service-for-User (S4U) authentication paths.
NOTE: If the lastLogonTimestamp attribute has never been updated, it has a null value.
NOTE: You can use CvtFileTime.bat to convert a non-null lastLogonTimestamp data value to a date and time.
Example:
Report all users who logged on today before 06:00

```bat
@echo off
setlocal
rem univdate sets yy, mm and dd; normalize them to YYYY, MM and DD.
call univdate
set /a yy=10000%yy%%%10000
if %yy% LSS 10 set yy=200%yy%
if %yy% LSS 100 set yy=20%yy%
set /a mm=100%mm%%%100
if %mm% LSS 10 set mm=0%mm%
set /a dd=100%dd%%%100
if %dd% LSS 10 set dd=0%dd%
set today=%mm%/%dd%/%yy%
rem List every user with sAMAccountName and lastLogonTimeStamp, one attribute per line.
set query=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr sAMAccountName lastLogonTimeStamp -L -limit 0
For /f "Tokens=*" %%a in ('%query%') do (
 set work=%%a
 call :parse
)
endlocal
goto :EOF

:parse
rem Split the line into the attribute name and its data.
for /f "Tokens=1*" %%i in ('@echo %work%') do (
 set attr=%%i
 set data=%%j
)
rem A null lastLogonTimeStamp has no data; skip it.
if {%data%}=={} goto :EOF
if "%attr%" EQU "sAMAccountName:" goto usr
call CvtFileTime %data% llts
if not "%today%" EQU "%llts:~0,10%" goto :EOF
if not "%llts:~11,5%" LSS "06:00" goto :EOF
@echo %user% %llts%
goto :EOF

:usr
rem Pad the name with spaces (the # keeps them) and cut it to a 25-character column.
set work=%data%                         #
set user=%work:~0,25%
```
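The same single-query data can drive a stale-account review. The Python sketch below is an added example, not part of the original tip: it parses list-format output shaped the way the script above expects it (attribute name, colon, optional data), converts the FILETIME value (100-nanosecond ticks since 1601-01-01 UTC) and reports null values separately, because an account that authenticates only through the IIS or S4U paths listed above is never stamped. The sample text, account names and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks from this instant (UTC).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample; the line format is an assumption modeled on what the
# batch script above parses from "dsquery ... -L".
SAMPLE = """\
sAMAccountName: alice
lastLogonTimeStamp: 128120832000000000
sAMAccountName: svc-iis
lastLogonTimeStamp:
sAMAccountName: bob
lastLogonTimeStamp: 127935936000000000
"""

def filetime_to_utc(value):
    """Convert a lastLogonTimestamp string to an aware datetime, or None if unset."""
    ticks = int(value)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_list_output(text):
    """Map each sAMAccountName to its last logon time (None when null)."""
    accounts, user = {}, None
    for line in text.splitlines():
        attr, _, data = line.partition(":")
        attr, data = attr.strip().lower(), data.strip()
        if attr == "samaccountname":
            user = data
            accounts[user] = None
        elif attr == "lastlogontimestamp" and user and data:
            accounts[user] = filetime_to_utc(data)
    return accounts

def stale_accounts(accounts, now, max_age_days):
    """Return (stale, never_stamped) account names for review."""
    cutoff = now - timedelta(days=max_age_days)
    stale = sorted(u for u, t in accounts.items() if t is not None and t < cutoff)
    never = sorted(u for u, t in accounts.items() if t is None)
    return stale, never

if __name__ == "__main__":
    now = datetime(2007, 1, 15, tzinfo=timezone.utc)  # fixed date for the sample
    print(stale_accounts(parse_list_output(SAMPLE), now, 90))
```

Treat the never-stamped list as a prompt for investigation rather than proof that an account is unused.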