Example 1: Find Inactive User Accounts with PowerShell.
Example 2: Find Inactive User Accounts with the AD Cleanup Tool (Plus find disabled, expired, and no logon history).

How are Inactive User Accounts Identified?

This part is a little long, but it explains which user attribute is used to find inactive user accounts. If you are not interested in this, skip to the examples.

User accounts have an attribute called "lastLogonTimeStamp". The purpose of this attribute is to help identify inactive user and computer accounts. Yes, it can be used for computer accounts also. Certain logon types update the lastLogonTimeStamp attribute: Interactive, Network, and Service logons. Interactive logon is what we care about; this is when someone logs on at a console.

Let's look at this attribute in the ADUC GUI. Open an account, click on the Attribute Editor tab and go down to the lastLogonTimestamp attribute.

In the Attribute Editor there is also a lastLogon value; you will also see this when using PowerShell. The lastLogon value is not replicated to all domain controllers, whereas the lastLogonTimestamp is. This is important because with the lastLogon attribute you would have to query every domain controller to find out when a user logged on. Microsoft understood this, and that is why they introduced the lastLogonTimestamp attribute way back in 2003. You could technically use lastLogon to find an inactive account, but it's much more difficult.

Now let's look at this value with PowerShell. For some reason, Microsoft renamed this value to LastLogonDate in PowerShell. I have no idea why, but it's the same value. If you happen to know why Microsoft renamed it in PowerShell, please comment below.
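The difference between the two attributes can be seen side by side with the script below. It is an added example, not code from the original article: it reads the non-replicated lastLogon from every domain controller and compares the newest value with the replicated lastLogonTimestamp / LastLogonDate. The function name `Get-TrueLastLogon`, the 90-day threshold and the account name `jdoe` are assumptions chosen for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access
# to each domain controller in the domain.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$InactiveDays = 90          # assumed threshold, adjust to policy
    )

    # lastLogon is stored as a FILETIME (100-ns ticks since 1601-01-01 UTC).
    # It is NOT replicated, so every DC only knows about logons it handled.
    $latest = 0
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties lastLogon
            if ($u.lastLogon -gt $latest) { $latest = $u.lastLogon }
        } catch {
            # An unreachable DC means the result may be older than reality.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }

    # lastLogonTimestamp IS replicated, so any single DC can answer.
    # LastLogonDate is the same value already converted to a DateTime.
    $r = Get-ADUser -Identity $SamAccountName `
                    -Properties lastLogonTimestamp, LastLogonDate

    $newest = if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    [pscustomobject]@{
        SamAccountName     = $SamAccountName
        LastLogonAllDCs    = $newest             # newest per-DC lastLogon
        LastLogonDate      = $r.LastLogonDate    # replicated value
        RawTimestamp       = $r.lastLogonTimestamp
        # Never logged on, or replicated value older than the cutoff.
        InactiveByReplica  = (-not $r.LastLogonDate) -or ($r.LastLogonDate -lt $cutoff)
        # Same test against the precise per-DC value, for comparison.
        InactiveByAllDCs   = (-not $newest) -or ($newest -lt $cutoff)
    }
}

# 'jdoe' is a constructed account name.
Get-TrueLastLogon -SamAccountName 'jdoe'
```

With default domain settings the replicated lastLogonTimestamp is only refreshed when the stored value is roughly 9 to 14 days old, so it can trail `LastLogonAllDCs` by up to about two weeks; keep inactivity thresholds well above that.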