Logon Inactivity

Archived from groups: microsoft.public.win2000.security (More info?)

There is a problem with Windows 2000 domain controllers in that they do not
replicate the last logged on timestamp. If you have a Windows XP Pro
computer in the domain you can install adminapk for Windows 2003 on it and
use the AD command line tools such as "dsquery user -inactive" to find
inactive accounts but you would have to do such on each domain controller to
get final results. A user may show as never being logged on by a domain
controller that is never used to authenticate him. There may be scripted
solutions to do such for all domain controllers if you have more than a few.
There is also a free tool from Somarsoft called dumpsec that you may want to
try. Though I have not tried it myself with multiple domain controllers
there is an option for "show true last logon time" that is supposed to make
it check all logon servers when you select which which fields to use in
your report for users.--- Steve

http://www.systemtools.com/somarsoft/ --- dumpsec
http://www.microsoft.com/windowsxp [...] y_user.asp


"Warner@nospam.postalias" <Warnernospampostalias@discussions.microsoft.com>
wrote in message news:4301DBF1-8EC9-4758-BC53-557A94A6E23B@microsoft.com...
> How do you run an inactivity report for Win2000 Network User accounts?
> We would like to disable those network user accounts that have not been
> active for a specified number of days. Any ideas how we would go about
> doing
> this?
>
> Thanks,
> Warner.