Comments on: Replication of lastLogonTimeStamp http://blog.joeware.net/2007/05/01/864/ Information about joeware mixed with wild and crazy opinions... Wed, 17 Mar 2010 15:23:36 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Yogesh http://blog.joeware.net/2007/05/01/864/comment-page-1/#comment-50707 Yogesh Wed, 10 Sep 2008 14:00:08 +0000 http://blog.joeware.net/2007/05/01/864/#comment-50707 Hi Joe, We have to run a report every month for all domain users with their 2 attributes that are : LastLogon and lastlogontimestamp. But this time I have noticed that all lastlogontimestamp is not same on all DCs . Moreover users I have checked are those which have not logged in for past 3 months. Also difference in lastlogontimestamp is more tham 2 months in some cases which ideally shd not be more than 14 days (as per microsoft). Kindly look into the above issue and help resolving this. Note: except above issue rest is seems to be fine as far as replication is concerned. Specailly I checked schema partition replication among DC and it is fine. Yogesh Malhotra Hi Joe,

We have to run a report every month for all domain users with their 2 attributes that are : LastLogon and lastlogontimestamp.

But this time I have noticed that all lastlogontimestamp is not same on all DCs . Moreover users I have checked are those which have not logged in for past 3 months.

Also difference in lastlogontimestamp is more tham 2 months in some cases which ideally shd not be more than 14 days (as per microsoft).

Kindly look into the above issue and help resolving this.

Note: except above issue rest is seems to be fine as far as replication is concerned. Specailly I checked schema partition replication among DC and it is fine.

Yogesh Malhotra

]]> By: joe http://blog.joeware.net/2007/05/01/864/comment-page-1/#comment-24567 joe Tue, 11 Sep 2007 15:38:34 +0000 http://blog.joeware.net/2007/05/01/864/#comment-24567 Lifecycle management is a process problem, not technical. You need to come up with a process to mark every object in the directory that is created on behalf of some app/person/whatever and have a way to revalidate the need on some frequency (monthly, quarterly, yearly, bi-annually, whatever) and then enforce it. Some companies do this by adding new attributes to the top class and then populating them on all managed lifecycle objects and coming up with the background processes to keep everything current and if something goes out of currency, it gets smoked. It is a problem I would love to work on but no time to really dedicate to it. It can definitely be helped by technical solutions but it is at its core a process problem. There are no magic bullets. Lifecycle management is a process problem, not technical.

You need to come up with a process to mark every object in the directory that is created on behalf of some app/person/whatever and have a way to revalidate the need on some frequency (monthly, quarterly, yearly, bi-annually, whatever) and then enforce it.

Some companies do this by adding new attributes to the top class and then populating them on all managed lifecycle objects and coming up with the background processes to keep everything current and if something goes out of currency, it gets smoked.

It is a problem I would love to work on but no time to really dedicate to it. It can definitely be helped by technical solutions but it is at its core a process problem.

There are no magic bullets.

]]> By: John Ebuna http://blog.joeware.net/2007/05/01/864/comment-page-1/#comment-24566 John Ebuna Tue, 11 Sep 2007 15:33:35 +0000 http://blog.joeware.net/2007/05/01/864/#comment-24566 Thanks for the fast reply. So do you have any suggestions on how to truly determine if a user account is being used within an AD environment? Or is that just a pipe dream? Thanks for the fast reply. So do you have any suggestions on how to truly determine if a user account is being used within an AD environment? Or is that just a pipe dream?

]]> By: joe http://blog.joeware.net/2007/05/01/864/comment-page-1/#comment-24564 joe Tue, 11 Sep 2007 13:33:16 +0000 http://blog.joeware.net/2007/05/01/864/#comment-24564 No way that I know of. This is a common problem, occurs with many VPN clients as well as cluster accounts and any machines that people have just turned off password changes on. Password changes are not required for computers like they are for users, it is entirely up to the machine if it wants to change the password or not. No way that I know of. This is a common problem, occurs with many VPN clients as well as cluster accounts and any machines that people have just turned off password changes on. Password changes are not required for computers like they are for users, it is entirely up to the machine if it wants to change the password or not.

]]> By: John Ebuna http://blog.joeware.net/2007/05/01/864/comment-page-1/#comment-24563 John Ebuna Tue, 11 Sep 2007 13:10:08 +0000 http://blog.joeware.net/2007/05/01/864/#comment-24563 I've seen many posts concerning the use of scripts and your utility, OLDCMP to remove unused accounts. My problem is that I have remote users using Cisco VPN client to establish a connection to our internal network and their user and computer lastlogon properties don't appear to be updated. How can I get these VPN users/computers to update their lastlogon attribute? I’ve seen many posts concerning the use of scripts and your utility, OLDCMP to remove unused accounts. My problem is that I have remote users using Cisco VPN client to establish a connection to our internal network and their user and computer lastlogon properties don’t appear to be updated. How can I get these VPN users/computers to update their lastlogon attribute?

]]>