JSI Tip 8080. The Windows Server 2003 Active Directory lastLogonTimeStamp attribute is replicated across all domain controllers.
May 26, 2004
Since the lastLogonTimeStamp attribute is replicated across all domain controllers in your domain, instead of querying lastLogon on every domain controller, you can use a single query to find all users and computers that have, or have not, logged on within a specified time.
NOTE: To use this functionality, your Windows Server 2003 domain must be at the Windows Server 2003 domain functionality level.
There are certain cases when the lastLogonTimestamp attribute is NOT updated:
Certificate mapping through IIS.
Username and password authentication through IIS.
.NET Passport mapping through IIS.
All Service-for-User (S4U) authentication paths.
NOTE: If the lastLogonTimestamp attribute has never been updated, it has a null value.
NOTE: You can use CvtFileTime.bat to convert a non-null lastLogonTimestamp data value to a date and time.
Example:
Report all users who logged on today before 06:00:

@echo off
setlocal
rem univdate sets yy, mm and dd; normalize them to a 4-digit year and 2-digit month and day
call univdate
set /a yy=10000%yy%%%10000
if %yy% LSS 10 set yy=200%yy%
if %yy% LSS 100 set yy=20%yy%
set /a mm=100%mm%%%100
if %mm% LSS 10 set mm=0%mm%
set /a dd=100%dd%%%100
if %dd% LSS 10 set dd=0%dd%
set today=%mm%/%dd%/%yy%
rem One query against the domain returns every user with the replicated attribute
set query=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr sAMAccountName lastLogonTimeStamp -L -limit 0
For /f "Tokens=*" %%a in ('%query%') do (
 set work=%%a
 call :parse
)
endlocal
goto :EOF
:parse
rem Split an "attribute: value" line into attr and data
for /f "Tokens=1*" %%i in ('@echo %work%') do (
 set attr=%%i
 set data=%%j
)
rem A null lastLogonTimeStamp has no data, so skip it
if {%data%}=={} goto :EOF
if "%attr%" EQU "sAMAccountName:" goto usr
call CvtFileTime %data% llts
if not "%today%" EQU "%llts:~0,10%" goto :EOF
if not "%llts:~11,5%" LSS "06:00" goto :EOF
@echo %user% %llts%
goto :EOF
:usr
rem Remember the account name for the lastLogonTimeStamp line that follows
set work=%data% #
set user=%work:~0,25%
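Added example (not part of the original tip): the same parse-and-convert step done offline in Python over saved `dsquery ... -L` output, converting the FILETIME value to a UTC date and treating a null value as never updated. The function names and the sample accounts are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# lastLogonTimestamp is a FILETIME: 100-ns ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(value):
    """Return an aware UTC datetime, or None for a null/zero value."""
    ticks = int(value) if value and value.strip() else 0
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_dsquery_list(text):
    """Yield (sAMAccountName, datetime or None) from 'attr: value' lines."""
    user = None
    for line in text.splitlines():
        attr, _, data = line.partition(":")
        attr, data = attr.strip().lower(), data.strip()
        if attr == "samaccountname":
            user = data
        elif attr == "lastlogontimestamp" and user is not None:
            yield user, filetime_to_utc(data)
            user = None

def stale_accounts(text, now, days):
    """Accounts never stamped, or last stamped more than `days` before `now`.

    Keep `days` well above the attribute's update interval (14 days by
    default), because the value is not rewritten at every logon.
    """
    cutoff = now - timedelta(days=days)
    return [(u, ts) for u, ts in parse_dsquery_list(text)
            if ts is None or ts < cutoff]

# Constructed sample output, not from a real domain.
SAMPLE = """\
sAMAccountName: alice
lastLogonTimeStamp: 127300230000000000
sAMAccountName: svc-backup
lastLogonTimeStamp: 127185984000000000
sAMAccountName: newhire
lastLogonTimeStamp:
"""

if __name__ == "__main__":
    now = datetime(2004, 5, 26, 12, 0, tzinfo=timezone.utc)
    for user, ts in stale_accounts(SAMPLE, now, days=90):
        print(f"{user:<25} {ts.isoformat() if ts else 'never updated'}")
```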