petstuta.blogg.se

Powershell disable local account

I found this script courtesy of Google, which removes all local accounts, but I would like to keep these:

Administrator, DefaultAccount, DevToolsUser, Guest, sshd, User, WDAGUtilityAccount

Can someone help me?

Function Remove-LocalUser
$localUsers = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" | Select-Object Name
foreach ($localUser in $localUsers.

While Microsoft provides the ability to set an expiration date on an Active Directory user account, there’s no built-in facility in Group Policy or Active Directory to automatically disable a user who hasn’t logged in in a defined period of time. This is surprising since many companies have such a policy and some information security standards such as PCI require it. There are software products on the market that provide this functionality, but for my homelab, my goal is to do this on the cheap. After reading up on the subject, I found that this is not quite as straightforward as it may seem. For instance, Active Directory doesn’t actually provide very good tools out of the box for determining when a user last logged on.

The Elusive Time Stamp

Active Directory actually provides three different timestamps for determining when a user last logged on, and none of them are awesome. Here are the three available AD attributes:

LastLogon – This provides a time stamp of the user’s last logon, with the caveat that it is not a replicated attribute. Each domain controller retains its own version of this attribute with the last timestamp that the user logged onto that particular domain controller. This means that any script that uses this attribute will need to pull the attribute from every domain controller in the domain and then use the most recent of those timestamps to determine the actual last logon.

LastLogonTimeStamp – This is a replicated version of the lastLogon timestamp. However, it is not replicated immediately. To reduce domain replication traffic, the replication frequency depends on a domain attribute called msDS-LogonTimeSyncInterval. The value of lastLogonTimeStamp is replicated based on a random time interval of up to five days before the msDS-LogonTimeSyncInterval. By default the msDS-LogonTimeSyncInterval attribute is unset, which makes it default to 14 days. Therefore, by default, lastLogonTimeStamp is replicated somewhere between 9 and 14 days after the previous replicated value. Needless to say, this is not useful for our purposes. In addition, this attribute is stored in a 64-bit signed numeric value that must be converted to a proper date/time to be useful in PowerShell.
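
The per-domain-controller lookup that the lastLogon attribute requires, as an added example that is not part of the original post: it converts the raw 64-bit values to dates and keeps the most recent one. The function names, the DC names, the jdoe account, the fixed "now" and the 90-day threshold are assumptions, and the sample values are constructed so the script runs without a domain.

```powershell
# Added example. lastLogon is tracked separately on every domain controller,
# so the true last logon is the newest value found across all of them.

function ConvertFrom-AdFileTime {
    param([Parameter(Mandatory)][long]$Value)
    # AD stores the time as a 64-bit count of 100 ns ticks since 1601-01-01 UTC.
    # 0 means the user never authenticated against that domain controller.
    if ($Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function Get-TrueLastLogon {
    # $PerDcValues maps a domain controller name to its raw lastLogon value.
    param([Parameter(Mandatory)][hashtable]$PerDcValues)
    $latest = $null
    foreach ($dc in $PerDcValues.Keys) {
        $when = ConvertFrom-AdFileTime -Value $PerDcValues[$dc]
        if ($null -eq $when) { continue }
        if ($null -eq $latest -or $when -gt $latest.When) {
            $latest = [pscustomobject]@{ DomainController = $dc; When = $when }
        }
    }
    $latest   # $null when no domain controller has ever seen a logon
}

# Constructed sample data (hypothetical DC names and logon times).
$sample = @{
    'DC01' = [DateTime]::new(2024, 1, 15, 8, 30, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
    'DC02' = [DateTime]::new(2024, 3, 2, 17, 5, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
    'DC03' = 0
}

# In a live domain (ActiveDirectory module), build the same table with:
#   $values = @{}
#   Get-ADDomainController -Filter * | ForEach-Object {
#       $values[$_.HostName] =
#           (Get-ADUser jdoe -Server $_.HostName -Properties lastLogon).lastLogon }

$now    = [DateTime]::new(2024, 7, 1, 0, 0, 0, [DateTimeKind]::Utc)  # fixed for the sample
$cutoff = $now.AddDays(-90)                                          # assumed inactivity policy
$result = Get-TrueLastLogon -PerDcValues $sample

if ($null -eq $result) {
    'No logon recorded on any domain controller'
} else {
    'Last logon {0:u} on {1}; inactive past cutoff: {2}' -f `
        $result.When, $result.DomainController, ($result.When -lt $cutoff)
}
```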












