Querying DCs for Last Logon Date and Time

How can I get a list of accountsthat haven’t logged on in the last 30days? We’re concerned that we mightnot have disabled the accounts ofemployees and contractors whoaren’t with our company any longer.

Active Directory (AD) user accounts have a last logon date and time property, and Windows domain controllers (DCs) update the last logon date and time. Windows 2000 Server DCs don’t replicate this property to other DCs, so if you’re running Win2K, whatever means you use to query this field must query each DC and select the most recent date and time. In a domain that has been upgraded to Windows Server 2003 functionality and has Windows 2003 DCs, you can query any DC because Windows 2003 replicates the field.

I recommend the free DumpSectool (available at http://www.systemtools.com) if you need to queryWin2K DCs because the DumpSecusers report includes a last logon column and can determine the mostrecent logon date from all the DCs.When you run the users report,DumpSec displays a dialog box thatlets you select what’s included in thereport. Make sure you select theShow true last logon check box,which tells DumpSec to query everyDC for the most recent logon for eachuser.

The Windows 2003 MicrosoftManagement Console (MMC) ActiveDirectory Users and Computers snap-in provides access to the last logonfield through the native Windowsinterface. Open the snap-in, right-click Saved Queries, and select New,New Query. In the New Query dialogbox, enter a name such as Oldaccounts and click Define Query. Inthe Find dialog box, make sure Common Queries is selected in the Find drop-down list. Then enter 30 in theDays since last logon field and clickOK twice to close the dialog boxes.

Windows will now search thedomain and display a list of all theuser accounts that haven’t logged onin the past 30 days. The only problemwith this method is that Windowsdoesn’t let you filter out disabledaccounts, so you’ll see disabledaccounts in addition to dormantaccounts that you might still need todisable. If this is a problem, I recommend sticking with DumpSec, evenfor Windows 2003.