Monday, September 24, 2007

Making the Last Logon attribute more useful

One of my favorite little tools for Active Directory management is the Additional Account Information (AcctInfo.DLL) that extends the Active Directory Users and Computers interface and allows you to see some useful information such as the last date the password was set, when the password expires, the user's SID, and the last logon date.

However, the Last Logon date (the lastLogonTimestamp attribute) is only found in Windows 2003 "prepped" domains and only replicates if the domain is at Windows 2003 functional level. Further, this attribute only replicates approximately once every 14 days. This was done to reduce replication traffic, but it makes the Last Logon date much less useful.

You can adjust the interval at which the Last Logon timestamp actually replicates, though. Using ADSIEdit, display the properties of your domain and locate the msDS-LogonTimeSyncInterval attribute. Set this value to 1 or 2 (for one or two days). The Last Logon time stamp will then be a bit more up-to-date.


Post a Comment

<< Home