Hi,
I'm currently trying to sift through our AD to weed out user accounts (including service accounts) that are no longer being used.
I have used a script to generate the lastLogonTimestamp and have also used dsquery user -inactive.
The script for lastLogonTimestamp shows a bunch of accounts that have never logged on and thus don't have a lastLogonTimestamp. When you run dsquery user -inactive, these accounts don't show.
I know some of these accounts are active and they're doing LDAP lookups for applications. I have read that this type of use does not log a lastLogonTimestamp, even though the account authenticates to AD...
Has anybody else seen this, and if so, how did you get around it? (Stalepwd is not an option, as lots of these accounts have non-expiring passwords and they are never changed!)
Cheers
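
Added example, not part of the original post: a PowerShell sketch that separates accounts with no lastLogonTimestamp from accounts whose timestamp is simply old, so the group the post says is missing from dsquery user -inactive can be reviewed on its own. The function name, the 90-day threshold and the sample accounts are assumptions constructed for illustration.

```powershell
# Classify accounts by the state of lastLogonTimestamp.
# Input objects need SamAccountName, lastLogonTimestamp (FILETIME integer or $null) and whenCreated.
function Get-AccountLogonState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [int] $InactiveDays = 90,                        # assumed threshold
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    process {
        $stamp = $Account.lastLogonTimestamp
        if ($null -eq $stamp -or [int64]$stamp -le 0) {
            # Attribute never written: report separately instead of dropping the account
            $state = 'NoTimestamp'
            $last  = $null
        } else {
            $last  = [datetime]::FromFileTimeUtc([int64]$stamp)
            $state = if ($last -lt $Now.AddDays(-$InactiveDays)) { 'Inactive' } else { 'Recent' }
        }
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            State          = $state
            LastLogonUtc   = $last
            WhenCreated    = $Account.whenCreated
        }
    }
}

# Constructed sample data so the script runs without a domain
$now = [datetime]::new(2024, 6, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-ldap-app'; lastLogonTimestamp = $null
                       whenCreated = $now.AddYears(-3) }
    [pscustomobject]@{ SamAccountName = 'jdoe'; lastLogonTimestamp = $now.AddDays(-5).ToFileTimeUtc()
                       whenCreated = $now.AddYears(-2) }
    [pscustomobject]@{ SamAccountName = 'old.user'; lastLogonTimestamp = $now.AddDays(-400).ToFileTimeUtc()
                       whenCreated = $now.AddYears(-5) }
)
$sample | Get-AccountLogonState -Now $now | Sort-Object State | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties lastLogonTimestamp, whenCreated | Get-AccountLogonState
```

Accounts reported as NoTimestamp are the ones to check against application owners before disabling anything, since the attribute alone says nothing about them.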