Lastlogon and ACCTINFO.DLL in Windows Server 2008R2?


Can anyone help me?

I have tech-refreshed our server systems and moved from a Windows Server 2003 (32-bit) environment to a 64-bit mixed Windows Server 2003 and 2008 R2 environment. We have 2 domain controllers, both of which are 2008 R2 based. There are plans to upgrade to a full 2008 R2 system in April. Users log on through a website interface, using a mixture of client operating systems.

On the previous system I regularly made use of the lastlogon data field, populated through acctinfo.dll (as part of the 2003 Resource Kit), to remove inactive users from the system.

Since setting up the new system, the lastlogon field has become rather inconsistent.

Some user accounts show the field data populated correctly and updated on a regular basis. Other user accounts have never had the data populated (although I know they have logged on and used the system). Some of these accounts were existing at the time of the refresh, others have been created on the new system.

I am aware that lastlogon is available in Windows 2003 and that Windows 2008 (+R2) features the lastinteractivelogon dataset.

Does this replace the lastlogon field or as?

Other questions I am pondering on this matter, which I hope you will be able to answer, include:

Do I need to install acctinfo.dll, as it does not exist on the DCs (C:\Windows\System32)?

Do I need to query lastinteractivelogon instead of lastlogon?

Are there any other settings I need to activate within the OS to use this dataset?

This is the script I am trying to use to pull out inactive accounts...

'visual basic
'=========================================================================== 
' Checks accounts to determine which need to be disabled.
' If lastlogontimestamp is null and the object is older than the specified date, it is disabled and moved.
' If the account has been used, but not within the duration specified, it is disabled and moved.
' If the account is already disabled it is left where it is.
' Created 23/7/09 by Grant Brunton
'=========================================================================== 
 
'=========================================================================== 
' begin user variables 
'=========================================================================== 
 
' flag to enable the disabling and moving of unused accounts
' 1 - disable and move accounts
' 0 - create output log only
bdisable=1

' number of days before an account is deemed inactive
' accounts that haven't been logged in to for the number of days selected
ilogondays=60

' ldap location of the ou to search for accounts
' ldap location format eg: "ou=users,ou=test"
strsearchou="ou=users,ou=live"

' search depth to find users
' use "onelevel" for the specified ou only or "subtree" to search child ous as well.
strsearchdepth="onelevel"

' location of the new ou to move disabled user accounts to
' eg: "ou=disabled users,ou=test"
strnewou="ou=disabled user,ou=users,ou=live"

' log file path (include trailing \ )
' use either a full directory path or one relative to the script directory
strlogpath=".\logs\"

' error log file name prefix (tab delimited text file. name is appended with the date and .err extension)
strerrorlog="disabledaccounts_"

' output log file name prefix (tab delimited text file. name is appended with the date and .log extension)
stroutputlog="disabledaccounts_"
 
'=========================================================================== 
' end user variables 
'=========================================================================== 
 
 
'=========================================================================== 
' main code begins 
'=========================================================================== 
sdate = year(now()) & right("0" & month(now()), 2) & right("0" & day(now()), 2)  
set ofso=createobject("scripting.filesystemobject") 
if not ofso.folderexists(strlogpath) then createfolder(strlogpath)
set output=ofso.createtextfile(strlogpath & stroutputlog & sdate & ".log") 
set errlog=ofso.createtextfile(strlogpath & strerrorlog & sdate & ".err") 
output.writeline "sam account name" &vbtab& "ldap path" &vbtab& "last logon date" &vbtab& "date created" &vbtab& "home directory" 
errlog.writeline "sam account name" &vbtab& "ldap path" &vbtab& "problem" &vbtab& "error" 
 
set rootdse = getobject("ldap://rootdse") 
set objconnection = createobject("adodb.connection") 
objconnection.open "provider=adsdsoobject;" 
set objcommand = createobject("adodb.command") 
objcommand.activeconnection = objconnection 
objcommand.properties("page size") = 10 
dseroot=rootdse.get("defaultnamingcontext") 
 
set objnewou = getobject("ldap://" & strnewou & "," & dseroot) 
objcommand.commandtext = "<ldap://" & strsearchou & "," & dseroot & ">;(&(objectclass=user)(objectcategory=person));adspath;" & strsearchdepth 
 
set objrecordset = objcommand.execute 
 
on error resume next 
 
while not objrecordset.eof 
    lastlogon = null 
    intlogontime = null 
 
    set objuser=getobject(objrecordset.fields("adspath")) 
 
    if datediff("d",objuser.whencreated,now) > ilogondays then 
        set objlogon=objuser.get("lastlogontimestamp") 
        if err.number <> 0 then 
            writeerror objuser, "get lastlogon failed" 
            disableaccount objuser, "never" 
        else 
            intlogontime = objlogon.highpart * (2^32) + objlogon.lowpart 
            intlogontime = intlogontime / (60 * 10000000) 
            intlogontime = intlogontime / 1440 
            lastlogon=intlogontime+#1/1/1601# 
 
            if datediff("d",lastlogon,now) > ilogondays then 
                disableaccount objuser, lastlogon 
            end if 
        end if 
    end if 
    writeerror objuser, "unknown error" 
    objrecordset.movenext 
wend 
'=========================================================================== 
' main code ends 
'=========================================================================== 
 
 
'=========================================================================== 
' subroutines 
'=========================================================================== 
sub createfolder( strpath ) 
    if not ofso.folderexists( ofso.getparentfoldername(strpath) ) then call createfolder( ofso.getparentfoldername(strpath) )
    ofso.createfolder( strpath ) 
end sub 
 
sub disableaccount( objuser, lastlogon ) 
    on error resume next 
    if bdisable <> 0 then 
        if objuser.accountdisabled=false then 
            objuser.accountdisabled=true 
            objuser.setinfo 
            writeerror objuser, "disable account failed" 
            objnewou.movehere objuser.adspath, "cn="&objuser.cn 
            writeerror objuser, "account move failed" 
        else 
            err.raise 1,,"account disabled. user not moved." 
            writeerror objuser, "disable account failed" 
        end if 
    end if 
    output.writeline objuser.samaccountname &vbtab& objuser.adspath &vbtab& lastlogon &vbtab& objuser.whencreated &vbtab& objuser.homedirectory 
end sub 
 
sub writeerror( objuser, strproblem ) 
    if err.number <> 0 then 
        errlog.writeline objuser.samaccountname &vbtab& objuser.adspath &vbtab& strproblem &vbtab& replace(err.description,vbcrlf,"") 
        err.clear 
    end if 
end sub 
 
'=========================================================================== 
' end subroutines 
'===========================================================================

The script appears to work (mostly), as it creates the 2 expected text files and populates these with the information requested. The problem is that users appear in the error log showing that the lastlogon data is unavailable as it cannot be found in the cache.

Can anyone help me fix the script or point me in the direction of the correct datasets I should be using?

All help gratefully received!

Many thanks

Pablo
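
The script above reads only lastlogontimestamp from whichever DC answers the query. The PowerShell below is an added example, not part of the original post: lastLogon is kept separately on each DC and is not replicated, while lastLogonTimestamp is replicated but by default only refreshed about every 14 days, so the sketch combines both across DCs and treats null or 0 as "never recorded". The function names and all sample records are constructed for illustration.

```powershell
# Added example: every account name and timestamp below is constructed.
$InactiveDays = 60   # same threshold as ilogondays in the script above
$SyncLagDays  = 14   # default update interval of the replicated lastLogonTimestamp

function ConvertFrom-AdFileTime($Value) {
    # 100 ns ticks since 1601-01-01 UTC; null or 0 means no logon was recorded
    if ($null -eq $Value -or [int64]$Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$Value)
}

function Get-LogonVerdict($Records, [DateTime]$Now) {
    # $Records: one hashtable per DC for the same user, e.g. gathered with
    # Get-ADUser <name> -Server <dc> -Properties lastLogon,lastLogonTimestamp
    $best = $null; $source = $null
    foreach ($r in $Records) {
        foreach ($name in 'lastLogon', 'lastLogonTimestamp') {
            $t = ConvertFrom-AdFileTime ($r[$name])
            if ($null -ne $t -and ($null -eq $best -or $t -gt $best)) {
                $best = $t; $source = $name
            }
        }
    }
    if ($null -eq $best) { return 'Never' }
    $age = ($Now - $best).TotalDays
    if ($age -le $InactiveDays) { return 'Active' }
    # lastLogonTimestamp can trail the real logon by up to the sync interval,
    # so an age just past the threshold is not proof of inactivity.
    if ($source -eq 'lastLogonTimestamp' -and $age -le ($InactiveDays + $SyncLagDays)) {
        return 'Review'
    }
    'Inactive'
}

$now = (Get-Date).ToUniversalTime()
function ft($daysAgo) { $now.AddDays(-$daysAgo).ToFileTimeUtc() }
# Two constructed DC records per user; alice has only ever authenticated against the second DC.
$users = @{
    alice = @(@{ lastLogon = 0;        lastLogonTimestamp = (ft 12) },
              @{ lastLogon = (ft 3);   lastLogonTimestamp = (ft 12) })
    bob   = @(@{ lastLogon = 0;        lastLogonTimestamp = (ft 65) },
              @{ lastLogon = 0;        lastLogonTimestamp = (ft 65) })
    carol = @(@{ lastLogon = 0;        lastLogonTimestamp = $null },
              @{ lastLogon = $null;    lastLogonTimestamp = $null })
    dave  = @(@{ lastLogon = (ft 200); lastLogonTimestamp = (ft 190) },
              @{ lastLogon = 0;        lastLogonTimestamp = (ft 190) })
}
foreach ($u in 'alice', 'bob', 'carol', 'dave') {
    '{0,-6} {1}' -f $u, (Get-LogonVerdict ($users[$u]) $now)
}
```

With the constructed records this reports alice as Active, bob as Review, carol as Never and dave as Inactive; only the last two categories are candidates for disabling, and Never still needs a check against the account's creation date as the original script does.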

Hello,

Did you build a new domain with the older DC removed?

"When setting up the first DC on our new domain, we added it first to our previous network, replicated the user accounts/groups/permissions, and used it as the PDCe to build the new system up."

Have you seen this article about the option to replace the old acctinfo.dll? http://blogs.technet.com/b/askds/archive/2011/04/12/you-probably-don-t-need-acctinfo2-dll.aspx


Best regards

Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My blog: http://msmvps.com/blogs/mweber/

Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


