Because the lastLogonTimeStamp attribute is replicated to every domain controller in the domain, a single query against any one DC
finds all users and computers that have, or have not, logged on within a specified time; you do not have to query the
unreplicated lastLogon attribute on every domain controller in turn. Note that the attribute is only rewritten when the stored value
is older than the msDS-LogonTimeSyncInterval (14 days by default, minus a random 0 to 5 days), so it is accurate to within about
14 days and is meant for finding stale accounts rather than for reporting the exact time of a logon.
NOTE: lastLogonTimeStamp is only maintained when the domain is at the Windows Server 2003 domain functional level.
There are certain cases when the lastLogonTimestamp attribute is NOT updated:
- Certificate mapping through IIS.
- Username and password authentication through IIS.
- .NET Passport mapping through IIS.
- All Service-for-User (S4U) authentication paths.
NOTE: If the lastLogonTimestamp attribute has never been updated it has a null value, and dsquery returns no value for it.
NOTE: You can use CvtFileTime.bat to convert a non-null lastLogonTimestamp value (a 64-bit FILETIME, counted in
100-nanosecond intervals since 1 January 1601) to a date and time.
Example:
Report all users whose lastLogonTimeStamp records a logon today before 06:00
@echo off
setlocal
rem univdate.bat sets yy, mm and dd to the current year, month and day.
call univdate
rem Normalize the year to 4 digits and the month and day to 2 digits.
set /a yy=10000%yy%%%10000
if %yy% LSS 10 set yy=200%yy%
if %yy% LSS 100 set yy=20%yy%
set /a mm=100%mm%%%100
if %mm% LSS 10 set mm=0%mm%
set /a dd=100%dd%%%100
if %dd% LSS 10 set dd=0%dd%
set today=%mm%/%dd%/%yy%
rem -L emits one "attribute: value" line per attribute; -limit 0 returns every matching object.
set query=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr sAMAccountName lastLogonTimeStamp -L -limit 0
For /f "Tokens=*" %%a in ('%query%') do (
 set work=%%a
 call :parse
)
endlocal
goto :EOF
:parse
rem Split the line into the attribute name (with its trailing colon) and the value.
for /f "Tokens=1*" %%i in ('@echo %work%') do (
 set attr=%%i
 set data=%%j
)
rem No value means the attribute is null (the account has never updated lastLogonTimeStamp).
if {%data%}=={} goto :EOF
if "%attr%" EQU "sAMAccountName:" goto usr
rem Convert the FILETIME into llts as MM/DD/YYYY HH:MM:SS, the layout the two checks below assume.
call CvtFileTime %data% llts
if not "%today%" EQU "%llts:~0,10%" goto :EOF
if not "%llts:~11,5%" LSS "06:00" goto :EOF
@echo %user% %llts%
goto :EOF
:usr
rem Pad the user name to a 25-character column for the report.
set work=%data%                         #
set user=%work:~0,25%
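The batch example above reports one narrow case (today's pre-06:00 logons). The following Python script is an added example, not part of the original page or of the JSI tools it mentions; it generalizes the same procedure: it parses the "attribute: value" list format that `dsquery -L` emits, converts the FILETIME itself (what CvtFileTime.bat does for the batch script), treats an absent attribute as the null case from the note above, and applies the 14-day msDS-LogonTimeSyncInterval slack so an account is only reported as stale when it certainly has not logged on within the requested window. The function names, the `SAMPLE` text and the fixed `NOW` are all constructed for the example; feed it the real output of the dsquery command from the page instead of `SAMPLE`.

```python
"""Added example: parse `dsquery * ... -L` output, convert lastLogonTimeStamp
FILETIME values and report stale accounts (not code from the original page)."""
from datetime import datetime, timedelta, timezone

# A FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# lastLogonTimeStamp is rewritten only when the stored value is older than
# msDS-LogonTimeSyncInterval (14 days by default, minus a random 0-5 days),
# so the real last logon may be up to 14 days newer than the stored value.
SYNC_INTERVAL_DAYS = 14


def filetime_to_datetime(ticks):
    """Convert a FILETIME integer (or its decimal string) to an aware UTC datetime.
    None, an empty string or 0 means the attribute was never set."""
    if not ticks or int(ticks) == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def parse_dsquery_list(text):
    """Group the 'attr: value' lines of `dsquery -L` output into one dict per object.
    Objects are separated by blank lines; an attribute with no value has no line."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        objects.append(current)
    return objects


def logon_report(text, max_age_days, now):
    """Return (sAMAccountName, status, last_logon) for every account in `text`.
    status is 'never' (attribute absent/null), 'stale' (certainly no logon within
    max_age_days once the replication slack is allowed for) or 'active'."""
    cutoff = now - timedelta(days=max_age_days + SYNC_INTERVAL_DAYS)
    report = []
    for obj in parse_dsquery_list(text):
        name = obj.get("sAMAccountName", "?")
        last = filetime_to_datetime(obj.get("lastLogonTimeStamp"))
        if last is None:
            status = "never"
        elif last < cutoff:
            status = "stale"
        else:
            status = "active"
        report.append((name, status, last))
    return report


def logged_on_before(text, day, hour):
    """Names whose stored timestamp falls on `day` (a date, UTC) before `hour`:
    the batch example's 'logged on today before 06:00' filter."""
    names = []
    for obj in parse_dsquery_list(text):
        last = filetime_to_datetime(obj.get("lastLogonTimeStamp"))
        if last and last.date() == day and last.hour < hour:
            names.append(obj.get("sAMAccountName", "?"))
    return names


# Constructed sample in the list format `dsquery -L` emits (not real directory output).
# Timestamps relative to NOW: alice 2005-06-01 05:45, eve 2005-06-01 06:00 (boundary),
# bob 2005-03-01 (92 days old), dave 2005-04-01 (61 days old), carol never logged on.
SAMPLE = """\
sAMAccountName: alice
lastLogonTimeStamp: 127620783000000000

sAMAccountName: bob
lastLogonTimeStamp: 127541088000000000

sAMAccountName: carol

sAMAccountName: dave
lastLogonTimeStamp: 127567872000000000

sAMAccountName: eve
lastLogonTimeStamp: 127620792000000000
"""
NOW = datetime(2005, 6, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # With a 60-day window dave (61 days) is NOT reported: the stored value may lag
    # a real logon by up to 14 days, so only accounts older than 74 days are certain.
    for name, status, last in logon_report(SAMPLE, 60, NOW):
        print(f"{name:<25}{status:<8}{last.isoformat() if last else 'never'}")
    print("logged on today before 06:00:", logged_on_before(SAMPLE, NOW.date(), 6))
```

The `stale` decision is deliberately conservative: because a logon only refreshes the stored value when it is already older than the sync interval, the true last logon is at most 14 days after the stored timestamp, so subtracting the interval from the cutoff is what makes "has not logged on in N days" a statement you can act on (for example, before disabling the account).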