LDAP Scripts

LDAP Scripts

Post by Mart » Fri, 12 Nov 2004 01:15:42

I know in Win 2003 you can use the query to make easy LDAP
scripts. I am using Aelita EDM, trying to get a script to
find out which users haven't logged in over 90 days. When I
use the Win 2003 one, that is the one script they won't show me
because of the changing variables of dates.

Is there some way to make a script that always uses today's
date when run?

Or does someone have any clues to help me on this?

Also I would like to see if I can get a script that I can
see if there are any computers that haven't been logged into
over 90 days to help clean that up.

LDAP Scripts

Post by Cary Shult » Fri, 12 Nov 2004 01:30:02


I would suggest that you go to http://www.yqcomputer.com/ and take a look at
oldcmp.exe. It does exactly what you need and has a lot of built-in
'security' to it. Here is the URL that will take you directly to where
you need to be: http://www.yqcomputer.com/

He has a lot of tools in there.

Now, this does not answer your question, exactly. I am new to scripting
myself and really enjoy absorbing all the useful information in this NG.
LDAP Scripts

Post by Richard Mu » Sun, 21 Nov 2004 13:14:24


If your domain is at W2k3 functional level, you can use the new
lastLogonTimeStamp attribute, which is replicated to all DCs. It is only
updated once a week, but this is fine for your purpose. It is Integer8
(64-bit), so the trick is figuring out the value corresponding to 90 days in
the past. The LDAP query to find all users that have not logged in since
9/19/2004 would be:


I have a VBScript program to convert a date time (in your time zone) to the
Integer8 value here:


If the domain is not at W2k3 functional level, you must use the lastLogon
attribute. Besides being Integer8, this attribute is not replicated. Each
Domain Controller has a different value for every user. To determine who has
not logged in recently, you must query every DC in the domain. I have a
program that does this linked below:

http://www.yqcomputer.com/ %20Logon.htm

The output can be redirected to a text file, which can be imported into a
spreadsheet for analysis.

If your domain is at W2k3, you could code a script that combines the
DateToInteger8 program above with the LDAP query above and output the user
Distinguished Names that have not logged in during the last 90 days. If the
domain is not at W2k3, you could modify the LastLogon program above to only
output if the date is older than 90 days ago. However, note that the last
logon date will be 1/1/1601 if the user has logged on.

For computer accounts, you can use the same code, except that instead of the


you would use


The more common approach for computers is to use the date the password was
last changed, using the pwdLastSet attribute. By default, the system changes
the password for all computer accounts every 30 days. I have a sample
VBScript program to retrieve these dates here:


I also have a similar program that moves old computer accounts to a
designated container here:


I hope this helps.

Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.yqcomputer.com/
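As an added illustration of the Integer8 arithmetic described in the reply above (this is example code written for this page, not Richard's DateToInteger8 or LastLogon programs), the following Python stand-in converts between dates and the 100-nanosecond Integer8 count since 1601-01-01 UTC, builds the "not logged on in N days" filter for users or computers, and merges the per-DC lastLogon values the way a multi-DC query must. The filter shape (objectCategory/objectClass terms, and also matching accounts with no lastLogonTimeStamp value at all) and the 0x7FFFFFFFFFFFFFFF "no value" sentinel are assumptions of this example, not from the post.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# AD Integer8 (LargeInteger) date attributes count 100-nanosecond ticks since
# 1601-01-01 00:00:00 UTC, which is why a value of 0 renders as 1/1/1601.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NO_VALUE_SENTINEL = 0x7FFFFFFFFFFFFFFF  # assumed "never expires"-style sentinel


def date_to_integer8(when: datetime) -> int:
    """Integer8 for a timezone-aware datetime; the conversion is done in UTC
    so a local-time input is not skewed by the caller's zone or DST."""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    delta = when.astimezone(timezone.utc) - EPOCH_1601
    # Integer arithmetic on days/seconds/microseconds avoids float rounding.
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND \
        + delta.microseconds * 10


def integer8_to_date(value: int) -> Optional[datetime]:
    """Inverse conversion; None means 'never logged on' (0) or no value."""
    if value <= 0 or value == NO_VALUE_SENTINEL:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def stale_account_filter(kind: str, days: int, now: datetime) -> str:
    """LDAP filter for users or computers whose lastLogonTimeStamp is older
    than `days` days before `now`, or which carry no value at all."""
    cutoff = date_to_integer8(now - timedelta(days=days))
    category = {"user": "(objectCategory=person)(objectClass=user)",
                "computer": "(objectCategory=computer)"}[kind]
    return (f"(&{category}"
            f"(|(!(lastLogonTimeStamp=*))(lastLogonTimeStamp<={cutoff})))")


def latest_logon(per_dc: Dict[str, int]) -> Optional[datetime]:
    """lastLogon is not replicated: each DC only knows logons it serviced, so
    the true last logon is the newest Integer8 any DC reports (0 = never)."""
    newest = max((v for v in per_dc.values() if v), default=0)
    return integer8_to_date(newest)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(stale_account_filter("user", 90, now))
    print(stale_account_filter("computer", 90, now))
```

The filter string is what you would hand to an ADSI or ldapsearch query; the 90-day cutoff is recomputed from the current time on every run, which answers the original question about a script that always uses today's date.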