Active Directory contains an account for every user. Over time, users leave the organization, and their user accounts may not get removed from Active Directory. Stale user accounts are a significant security issue, as former employees and external attackers could use those accounts to attack the organization. Stale accounts also use up space in the directory database that could be reclaimed.

User accounts have an attribute called PasswordLastSet, which records the last time a user changed his or her password. Because PasswordLastSet is a replicated attribute, only one domain controller in each domain has to be queried.

Windows Server 2003 introduced a new attribute called lastLogonTimeStamp to assist in identifying potentially stale accounts. This attribute is active in domains set to the Windows Server 2003, Windows Server 2008, Windows Server 2008R2, Windows Server 2012 or Windows Server 2012R2 functional level. Unlike the lastLogon attribute, which has been available since Windows NT 4.0, lastLogonTimeStamp is replicated every time it is updated. Querying this attribute is more convenient since only one domain controller in each domain must be queried.

To find the accounts, run a script that queries Active Directory for inactive user accounts. In the Active Directory Module for Windows PowerShell, the Search-ADAccount -AccountInactive -UsersOnly command returns all inactive user accounts. Use the -DateTime or -TimeSpan switches to narrow down the date on which the computer last logged on. Note: lastLogonTimeStamp is not replicated every time somebody logs on. For more information, see Understanding the AD Account attributes - LastLogon, LastLogonTimeStamp and LastLogonDate.

Dealing with stale user accounts often comes down to implementing effective deprovisioning processes.
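The following report script is an added example, not code from the original page. It combines the Search-ADAccount query with the PasswordLastSet attribute so that each candidate account carries both signals. The 90-day and 180-day thresholds and the output path are assumptions to replace with values from your own deprovisioning policy.

```powershell
# Added example: report enabled user accounts that look stale.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
# The script only reads from the directory; it changes no accounts.
Import-Module ActiveDirectory

# Assumed thresholds; take the real values from your deprovisioning policy.
$InactiveDays    = 90
$PasswordAgeDays = 180
$ReportPath      = '.\stale-users.csv'   # hypothetical output path

$pwdCutoff = (Get-Date).AddDays(-$PasswordAgeDays)

# Search-ADAccount evaluates the replicated lastLogonTimeStamp attribute,
# so a single domain controller per domain is enough.
$report = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days $InactiveDays) |
    Where-Object { $_.Enabled } |                      # already-disabled accounts are handled elsewhere
    ForEach-Object {
        # Fetch the second signal (PasswordLastSet) for each candidate.
        $u = Get-ADUser -Identity $_.DistinguishedName `
                        -Properties LastLogonDate, PasswordLastSet, whenCreated
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            LastLogonDate     = $u.LastLogonDate
            PasswordLastSet   = $u.PasswordLastSet
            WhenCreated       = $u.whenCreated
            # No logon recorded at all: often a provisioned-but-unused account.
            NeverLoggedOn     = ($null -eq $u.LastLogonDate)
            # Old or never-set password strengthens the case that the account is stale.
            PasswordIsOld     = (($null -eq $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $pwdCutoff))
            DistinguishedName = $u.DistinguishedName
        }
    }

# Full list for review by the account owners or HR.
$report | Sort-Object LastLogonDate | Export-Csv -Path $ReportPath -NoTypeInformation

# Accounts where both signals agree are the strongest deprovisioning candidates.
$report | Where-Object { $_.PasswordIsOld } |
    Format-Table SamAccountName, LastLogonDate, PasswordLastSet -AutoSize
```

Because lastLogonTimeStamp is not updated at every logon, treat the output as a list of candidates to confirm with the account owner rather than as proof that an account is unused.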