Question : AD active user count
Is there any way to query AD for a user count of some kind that would tell me which users have logged in in, say, the past 30 days? I know in 2003 you can do this easily, but in 2000 you can't.
Also, what about the same thing for computer accounts? I think computer accounts are supposed to be scavenged/removed after 60 days of not authenticating, but I don't think that is happening.
I just took over a domain that has a lot of old user/computer accounts in it, and I need to know which ones are in use and which ones aren't.
Thanks in advance.
Answer : AD active user count
You're correct here. Windows 2003 has an improved search facility: you can search objects using a date filter. Moreover, Windows 2000 has an attribute for user accounts called *LastLogon*. You can use this attribute in a script to learn the last logon time stamp of a user account. Unfortunately, this attribute is not replicated among all domain controllers. Windows 2003 contains the *LastLogonTimeStamp* attribute for users, which is replicated to all domain controllers available in a domain.
Well, first make sure the *TombStoneLifeTime* attribute is working properly. This is by default 60 days. You can change it using the ADSI snap-in. The LDAP path is:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<ForestRootDN>
The garbage collection process runs on every domain controller after an interval of 12 hours. This process is responsible for everything: cleaning the tombstoned objects, clearing log files and finally defragmenting the NTDS.dit file.
This way, if the value of this attribute on a domain controller is not set or doesn't exist, then it won't run. The attribute name is *garbageCollPeriod* in the enterprise-wide DS configuration object. You can use the ADSI snap-in to edit the schema to change the period, or create it if it is not set, in the following container:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
I will try to post a script with *LastLogon* for Windows 2000.
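The following is an added example, not the script the answer above promises: it sweeps the non-replicated *LastLogon* value on every domain controller (the only way to get a trustworthy answer on Windows 2000) and reports accounts, user or computer, that have not authenticated anywhere in the last 30 days. It assumes ADSI/.NET on a domain-joined admin workstation with read access to the directory; no DC names, account names or thresholds beyond the asker's 30 days are hard-coded.

```powershell
# Added example (not from the original post): per-DC lastLogon sweep via ADSI.
param(
    [int]$InactiveDays = 30,
    # Switch to '(objectCategory=computer)' to audit machine accounts instead.
    [string]$LdapFilter = '(&(objectCategory=person)(objectClass=user))'
)

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# lastLogon is stamped only by the DC that serviced the logon and is never
# replicated, so every DC is queried and the newest value per account is kept.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$latest = @{}   # sAMAccountName -> newest lastLogon observed on any DC

foreach ($dc in $domain.DomainControllers) {
    $rootDse  = [ADSI]"LDAP://$($dc.Name)/RootDSE"
    $base     = [ADSI]"LDAP://$($dc.Name)/$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $LdapFilter)
    $searcher.PageSize = 1000      # paged results so large OUs are not truncated
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'lastLogon'))

    foreach ($result in $searcher.FindAll()) {
        $name = [string]$result.Properties['samaccountname'][0]
        $raw  = $result.Properties['lastlogon']
        # lastLogon is a FILETIME (100-ns ticks since 1601-01-01 UTC);
        # 0 or absent means this DC has never authenticated the account.
        $seen = [DateTime]::MinValue
        if ($raw.Count -gt 0 -and [int64]$raw[0] -gt 0) {
            $seen = [DateTime]::FromFileTimeUtc([int64]$raw[0])
        }
        if (-not $latest.ContainsKey($name) -or $seen -gt $latest[$name]) {
            $latest[$name] = $seen
        }
    }
}

# Accounts whose newest lastLogon across all DCs is older than the cutoff
# (MinValue = never logged on anywhere) are candidates for review, not deletion.
$latest.GetEnumerator() |
    Where-Object { $_.Value -lt $cutoff } |
    Sort-Object Value |
    Select-Object @{n='Account'; e={ $_.Key }},
                  @{n='LastLogonUtc'; e={ if ($_.Value -eq [DateTime]::MinValue) { 'never' } else { $_.Value } }}
```

On a 2003 domain the replicated *LastLogonTimeStamp* avoids the per-DC sweep, but it is only refreshed when the stored value is more than roughly 14 days old, so it answers "idle for 30 days" but not finer-grained questions.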