Vista - Formatting lastLogonTimestamp to understandable form with PS

08-07-2007

Hi!

If I want to create a query that lists all of my users with their
lastLogonTimestamp all I get is the time in for which isn't understandable.
The value saved in AD is number of 100-nanosecond intervals that passed
between January 1, 1601 and the time the user last logged on according to
http://www.microsoft.com/technet/scr...lastlogon.mspx.
The article mentioned above also contains information on how to convert the
time to understandable form with vbs but hence I'm in to PS it would be great
to know how to print out the value just with PowerShell.

So if I want to print out username and how many days it has been since the
user has logged on the last time what would it take?

-K

08-07-2007

On Aug 7, 9:00 am, Kari <K...@discussions.microsoft.com> wrote:
> Hi!
>
> If I want to create a query that lists all of my users with their
> lastLogonTimestamp all I get is the time in for which isn't understandable.
> The value saved in AD is number of 100-nanosecond intervals that passed
> between January 1, 1601 and the time the user last logged on according tohttp://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogo....
> The article mentioned above also contains information on how to convert the
> time to understandable form with vbs but hence I'm in to PS it would be great
> to know how to print out the value just with PowerShell.
>
> So if I want to print out username and how many days it has been since the
> user has logged on the last time what would it take?

>
> -K

Try:

PS > [DateTime].FromFileTime([Int64].Parse($lastLogon))

Hope this helps,

- Oisin

08-07-2007

Got a typo at the static method Parse

[DateTime].FromFileTime([Int64]::Parse($lastLogon))

Shay
http://scriptolog.blogspot.com

> On Aug 7, 9:00 am, Kari <K...@discussions.microsoft.com> wrote:
>
>> Hi!
>>
>> If I want to create a query that lists all of my users with their
>>
>> lastLogonTimestamp all I get is the time in for which isn't
>> understandable.
>>
>> The value saved in AD is number of 100-nanosecond intervals that
>> passed
>>
>> between January 1, 1601 and the time the user last logged on
>> according
>> tohttp://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlo
>> go....
>>
>> The article mentioned above also contains information on how to
>> convert the
>>
>> time to understandable form with vbs but hence I'm in to PS it would
>> be great
>>
>> to know how to print out the value just with PowerShell.
>>
>> So if I want to print out username and how many days it has been
>> since the user has logged on the last time what would it take?

>>
>> -K
>>
> Try:
>
PS>> [DateTime].FromFileTime([Int64].Parse($lastLogon))
PS>>
> Hope this helps,
>
> - Oisin
>

08-07-2007

On Aug 7, 11:36 am, Shay Levi <n...@addre.ss> wrote:
> Got a typo at the static method Parse
>
> [DateTime].FromFileTime([Int64]::Parse($lastLogon))
>
> Shayhttp://scriptolog.blogspot.com
>
>
>
>
>
> > On Aug 7, 9:00 am, Kari <K...@discussions.microsoft.com> wrote:
>
> >> Hi!
>
> >> If I want to create a query that lists all of my users with their
>
> >> lastLogonTimestamp all I get is the time in for which isn't
> >> understandable.
>
> >> The value saved in AD is number of 100-nanosecond intervals that
> >> passed
>
> >> between January 1, 1601 and the time the user last logged on
> >> according
> >> tohttp://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlo
> >> go....
>
> >> The article mentioned above also contains information on how to
> >> convert the
>
> >> time to understandable form with vbs but hence I'm in to PS it would
> >> be great
>
> >> to know how to print out the value just with PowerShell.
>
> >> So if I want to print out username and how many days it has been
> >> since the user has logged on the last time what would it take?

>
> >> -K
>
> > Try:
>
> PS>> [DateTime].FromFileTime([Int64].Parse($lastLogon))
> PS>>
>
>
>
> > Hope this helps,
>
> > - Oisin- Hide quoted text -
>
> - Show quoted text -- Hide quoted text -
>
> - Show quoted text -

And on the same theme, heh, I also missed it on the [DateTime]; and I
may as well show a fuller solution while I'm at it:

PS 1> $lastLogin =
[DateTime]::FromFileTime( [Int64]::Parse($lastLoginTimeStamp) )

PS 2> $idleTime = [DateTime]::Now.Subtract($lastLogin)

PS 3> $idleTime

Days : 120
Hours : 23
Minutes : 58
Seconds : 54
Milliseconds : 534
Ticks : 104543345345550
TotalDays : 120.99924229809
TotalHours : 2903.98181515417
TotalMinutes : 174238.90890925
TotalSeconds : 10454334.534555
TotalMilliseconds : 10454334534.555

PS 4>

Hope this helps,

- Oisin

08-10-2007

> And on the same theme, heh, I also missed it on the [DateTime]; and I
> may as well show a fuller solution while I'm at it:
>
> PS 1> $lastLogin =
> [DateTime]::FromFileTime( [Int64]::Parse($lastLoginTimeStamp) )
>
> PS 2> $idleTime = [DateTime]::Now.Subtract($lastLogin)
>
> PS 3> $idleTime
>
> Days : 120
> Hours : 23
> Minutes : 58
> Seconds : 54
> Milliseconds : 534
> Ticks : 104543345345550
> TotalDays : 120.99924229809
> TotalHours : 2903.98181515417
> TotalMinutes : 174238.90890925
> TotalSeconds : 10454334.534555
> TotalMilliseconds : 10454334534.555
>
> PS 4>
>
> Hope this helps,
>
> - Oisin

Uargh... this happens again. When I think I understand something someone
proves me wrong

So if I run the command above I would probably need some data in the
variable

. Problem is that I have no idea how to input data to the
command...?

Lets say I'll query for a list of users like this:
get-qaduser -searchroot 'myad.local/users' -dontusedefaultincludedproperties
- includeproperties name,lastlogontimestamp

How do I input this to the commands you sent to receive a list with users
and last logon in days?

I also noticed one weird thing

If I just query for a list of objects it gives me nice formatting:
get-qaduser -searchroot 'myad.local/users' -dontusedefaultincludedproperties
- includeproperties name,lastlogontimestamp | select-object
name,lastlogontimestamp

This is quite disturbing!

08-10-2007

What exactly is your goal. If you are trying to figure out the last time a
user logged on then this is the wrong attribute to check. This attribute is
used for detecting stale accounts as the value is not always updated. To
check the last time a user logged on you must check LastLogon on EVERY dc
for that user and take the highest value (this attribute is NOT replicated.)
Either way you have to deal with iADsLargeInteger values. These are not at
all easy to. MoW has some ideas on how to do this on his blog
www.thepowershellguy.com or
http://mow001.blogspot.com/2006/01/m...translate.html. I took a
different approach using the vbscripting engine to invoke the
iADSLargeInteger methods .high .low and convert from there.

I used something similar to this.

==== CODE ====
function Get-LastLogonTimeStamp{
Param($server,$ldapPath)
$statement=@"
Set objUser = getObject(`"LDAP://$server/$ldapPath`")
Set objLastLogon = objUser.Get("lastLogonTimeStamp")
intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
intLastLogonTime = intLastLogonTime / (60 * 10000000)
intLastLogonTime = intLastLogonTime / 1440
result = intLastLogonTime + `#1/1/1601`#
"@
write-Host $statement
$vbs = new-object -com MSScriptControl.ScriptControl
$vbs.language = 'vbscript'
$vbs.ExecuteStatement($statement)
$lastlogontimestamp= $vbs.Eval("result")
return $lastlogontimestamp
}
function Get-LastLogon{
Param($server,$ldapPath)
$statement=@"
Set objUser = getObject(`"LDAP://$server/$ldapPath`")
Set objLastLogon = objUser.Get("lastLogon")
intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
intLastLogonTime = intLastLogonTime / (60 * 10000000)
intLastLogonTime = intLastLogonTime / 1440
result = intLastLogonTime + `#1/1/1601`#
"@
write-Host $statement
$vbs = new-object -com MSScriptControl.ScriptControl
$vbs.language = 'vbscript'
$vbs.ExecuteStatement($statement)
$lastlogon = $vbs.Eval("result")
return $lastlogon
}
==============

"Kari" <Kari@discussions.microsoft.com> wrote in message
news:760BA552-02F8-4955-813F-717A2008B714@microsoft.com...
>> And on the same theme, heh, I also missed it on the [DateTime]; and I
>> may as well show a fuller solution while I'm at it:
>>
>> PS 1> $lastLogin =
>> [DateTime]::FromFileTime( [Int64]::Parse($lastLoginTimeStamp) )
>>
>> PS 2> $idleTime = [DateTime]::Now.Subtract($lastLogin)
>>
>> PS 3> $idleTime
>>
>> Days : 120
>> Hours : 23
>> Minutes : 58
>> Seconds : 54
>> Milliseconds : 534
>> Ticks : 104543345345550
>> TotalDays : 120.99924229809
>> TotalHours : 2903.98181515417
>> TotalMinutes : 174238.90890925
>> TotalSeconds : 10454334.534555
>> TotalMilliseconds : 10454334534.555
>>
>> PS 4>
>>
>> Hope this helps,
>>
>> - Oisin
>
> Uargh... this happens again. When I think I understand something someone
> proves me wrong

>
> So if I run the command above I would probably need some data in the
> variable

. Problem is that I have no idea how to input data to the
> command...?
>
> Lets say I'll query for a list of users like this:
> get-qaduser -searchroot
> 'myad.local/users' -dontusedefaultincludedproperties
> - includeproperties name,lastlogontimestamp
>
> How do I input this to the commands you sent to receive a list with users
> and last logon in days?
>
> I also noticed one weird thing

>
> If I just query for a list of objects it gives me nice formatting:
> get-qaduser -searchroot
> 'myad.local/users' -dontusedefaultincludedproperties
> - includeproperties name,lastlogontimestamp | select-object
> name,lastlogontimestamp
>
> This is quite disturbing!

08-10-2007

On Aug 10, 10:21 am, "Brandon Shell" <tshell.m...@gmail.com> wrote:
> What exactly is your goal. If you are trying to figure out the last time a
> user logged on then this is the wrong attribute to check. This attribute is
> used for detecting stale accounts as the value is not always updated. To
> check the last time a user logged on you must check LastLogon on EVERY dc
> for that user and take the highest value (this attribute is NOT replicated.)

Hi Brandon,

You are correct in saying that LastLogon is NOT replicated. However,
the author is talking about "lastLogonTimestamp" which IS replicated
between DCs. This attribute is new to AD 2003, and can be interpreted
using [DateTime]::FromFileTime.

Cheers ;-)

- Oisin

08-10-2007

I am aware of the differences between LastLogon and LastLogonTimestamp. Maybe I wasn't clear enough.

A couple of things here (gonna do a blog post about this later

1) LastLogon is NOT Replicated, but IS UPDATED on the DC the user logs on to everytime (not sure if network logons count.) More Info http://msdn2.microsoft.com/en-us/library/ms676823.aspx.

2) LastLogonTimeStamp IS Replicated, but is NOT UPDATED everytime a user logs on. It has a formula that is calculated off of msDS-LogonTimeSyncInterval. The value for LastLogonTimeStamp is measure in days with two special values $null/0. If $null the default is 14days, if 0 then value is not used (disabled.) The highest value is 100,000. This requires Windows 2003 Native Mode (Domain Functionality Level 2.) Whenever a user logs on, the value of this attribute is read from the DC. If the value is older [ current_time - msDS-LogonTimeSyncInterval ], the value is updated. If the value is -gt 5 a random number between 1-5 is added as well. More Info http://msdn2.microsoft.com/en-us/library/ms676824.aspx.

3) Both values are stored as iADSLargeInteger (not [int64]) which as far Powershell can not deal with natively AFAIK. So you have to either use a snap-in that uses ActiveDS.dll or you can use VBScript Engine as I do. One thing to note about iADSLargeInteger is that it is int64 with a 32bit high part and 32bit low part. More info on iADSLargeInteger here http://msdn2.microsoft.com/en-us/library/aa706037.aspx.

Synopsys: If you want to determine the last time a user logged on within the last 25+hrs then you can use LastLogonTimestamp (assuming you set msDS-LogonTimeSyncInterval to 1.) If you want more precise measurement you must query every DC for the users LastLogon and take the highest value. Again both attributes will come back as System.__ComObject unless you use thirdparty snap-in or vbscript. If someone knows a better way that would be awesome.

More Info: If your curious about what attributes in your AD that use iADSLargeInteger... this function should tell you.

function Get-iADSLargeIntegerAttribute{
param([string]$domain)
if($domain){$rootDSE = [ADSI]"LDAP://$Domain/rootDSE"}
else{$rootDSE = [ADSI]"LDAP://rootDSE"}
$schema = [ADSI]"LDAP://$($rootDSE.schemaNamingContext)"
$filter = "(&(objectclass=attributeschema)(attributesyntax=2.5.5.16)(omsyntax=65))"
$props = ("ldapdisplayname")
$dsearcher = new-Object System.DirectoryServices.DirectorySearcher($schema,$filter,$props)
$dsearcher.findall() | %{Write-Output "$($_.Properties['ldapdisplayname'])"}
}

This is generic function to get a ADSLargeInteger Value

function Convert-iADSLargeIntPropertyToInt64{
param([string]$prop,[string]$ldapPath,[string]$server=([ADSI]"LDAP://rootdse").dnshostname,[switch]$verbose)
$ErrorActionPreference = "silentlyContinue"
$statement=@"
Set objType = getObject(`"LDAP://$server/$ldapPath`")
Set objProp = objType.Get("$prop")
result = objProp.HighPart * (2^32) + objProp.LowPart
"@
if($verbose)
{
Write-Host "+ Running Convert on $server"
Write-Host " - Property : $Prop"
Write-Host " - Path : `"$ldapPath`""
Write-Host " - Statement : $statement"
}
$vbs = new-object -com MSScriptControl.ScriptControl
$vbs.language = 'vbscript'
$vbs.ExecuteStatement($statement)
[int64]$value = $vbs.Eval("result")
return $value
$ErrorActionPreference = "Continue"
}

"Oisin Grehan" <oising@gmail.com> wrote in message news:1186775727.802720.238160@q3g2000prf.googlegroups.com...
> On Aug 10, 10:21 am, "Brandon Shell" <tshell.m...@gmail.com> wrote:
>> What exactly is your goal. If you are trying to figure out the last time a
>> user logged on then this is the wrong attribute to check. This attribute is
>> used for detecting stale accounts as the value is not always updated. To
>> check the last time a user logged on you must check LastLogon on EVERY dc
>> for that user and take the highest value (this attribute is NOT replicated.)
>
> Hi Brandon,
>
> You are correct in saying that LastLogon is NOT replicated. However,
> the author is talking about "lastLogonTimestamp" which IS replicated
> between DCs. This attribute is new to AD 2003, and can be interpreted
> using [DateTime]::FromFileTime.
>
> Cheers ;-)
>
> - Oisin
>

08-10-2007

On Aug 10, 5:21 pm, "Brandon Shell" <tshell.m...@gmail.com> wrote:
> I am aware of the differences between LastLogon and LastLogonTimestamp. Maybe I wasn't clear enough.
>
> A couple of things here (gonna do a blog post about this later

>
> 1) LastLogon is NOT Replicated, but IS UPDATED on the DC the user logs onto everytime (not sure if network logons count.) More Infohttp://msdn2.microsoft.com/en-us/library/ms676823.aspx.
>
> 2) LastLogonTimeStamp IS Replicated, but is NOT UPDATED everytime a user logs on. It has a formula that is calculated off of msDS-LogonTimeSyncInterval. The value for LastLogonTimeStamp is measure in days with two special values $null/0. If $null the default is 14days, if 0 then value is not used (disabled.) The highest value is 100,000. This requires Windows 2003 NativeMode (Domain Functionality Level 2.) Whenever a user logs on, the value ofthis attribute is read from the DC. If the value is older [ current_time -msDS-LogonTimeSyncInterval ], the value is updated. If the value is -gt 5 a random number between 1-5 is added as well. More Infohttp://msdn2.microsoft.com/en-us/library/ms676824.aspx.
>
> 3) Both values are stored as iADSLargeInteger (not [int64]) which as far Powershell can not deal with natively AFAIK. So you have to either use a snap-in that uses ActiveDS.dll or you can use VBScript Engine as I do. One thing to note about iADSLargeInteger is that it is int64 with a 32bit high part and 32bit low part. More info on iADSLargeInteger herehttp://msdn2.microsoft.com/en-us/library/aa706037.aspx.
>
> Synopsys: If you want to determine the last time a user logged on within the last 25+hrs then you can use LastLogonTimestamp (assuming you set msDS-LogonTimeSyncInterval to 1.) If you want more precise measurement you must query every DC for the users LastLogon and take the highest value. Again both attributes will come back as System.__ComObject unless you use thirdparty snap-in or vbscript. If someone knows a better way that would be awesome.
>
> More Info: If your curious about what attributes in your AD that use iADSLargeInteger... this function should tell you.
>
> function Get-iADSLargeIntegerAttribute{
> param([string]$domain)
> if($domain){$rootDSE = [ADSI]"LDAP://$Domain/rootDSE"}
> else{$rootDSE = [ADSI]"LDAP://rootDSE"}
> $schema = [ADSI]"LDAP://$($rootDSE.schemaNamingContext)"
> $filter = "(&(objectclass=attributeschema)(attributesyntax=2.5.5.16)(omsyntax=65))"
> $props = ("ldapdisplayname")
> $dsearcher = new-Object System.DirectoryServices.DirectorySearcher($schema,$filter,$props)
> $dsearcher.findall() | %{Write-Output "$($_.Properties['ldapdisplayname'])"}
>
> }
>
> This is generic function to get a ADSLargeInteger Value
>
> function Convert-iADSLargeIntPropertyToInt64{
> param([string]$prop,[string]$ldapPath,[string]$server=([ADSI]"LDAP://rootds*e").dnshostname,[switch]$verbose)
> $ErrorActionPreference = "silentlyContinue"
> $statement=@"
> Set objType = getObject(`"LDAP://$server/$ldapPath`")
> Set objProp = objType.Get("$prop")
> result = objProp.HighPart * (2^32) + objProp.LowPart
> "@
> if($verbose)
> {
> Write-Host "+ Running Convert on $server"
> Write-Host " - Property : $Prop"
> Write-Host " - Path : `"$ldapPath`""
> Write-Host " - Statement : $statement"
> }
> $vbs = new-object -com MSScriptControl.ScriptControl
> $vbs.language = 'vbscript'
> $vbs.ExecuteStatement($statement)
> [int64]$value = $vbs.Eval("result")
> return $value
> $ErrorActionPreference = "Continue"
>
>
>
> }
> "Oisin Grehan" <ois...@gmail.com> wrote in messagenews:1186775727.802720.238160@q3g2000prf.googlegroups.com...
> > On Aug 10, 10:21 am, "Brandon Shell" <tshell.m...@gmail.com> wrote:
> >> What exactly is your goal. If you are trying to figure out the last time a
> >> user logged on then this is the wrong attribute to check. This attribute is
> >> used for detecting stale accounts as the value is not always updated. To
> >> check the last time a user logged on you must check LastLogon on EVERYdc
> >> for that user and take the highest value (this attribute is NOT replicated.)
>
> > Hi Brandon,
>
> > You are correct in saying that LastLogon is NOT replicated. However,
> > the author is talking about "lastLogonTimestamp" which IS replicated
> > between DCs. This attribute is new to AD 2003, and can be interpreted
> > using [DateTime]::FromFileTime.
>
> > Cheers ;-)
>
> > - Oisin- Hide quoted text -
>
> - Show quoted text -

Eeek! that's the last time I get involved in an AD pissing contest
with you, B!

seriously though, I got all my original info on lastLogonTimestamp
from a blog entry some years ago, and I managed to find it again:
http://choosing-a-blog-url-sucks.blo...ctory-and.html

Some interesting stuff in there about IADSLargeInteger,
in64, ::FromFileTime etc; most notable about how when using the
DirectorySearcher, the IADSLargeInterger comes back as an int64, and
the :

"Now let's say you are using the DirectorySearcher object instead of
the DirectoryEntry object to find the object in Active Directory you
need. If you try to use similar code as provided in the sample above,
you will get an InvalidCastException when casting the
lastlogontimestamp to the IADsLargeInteger. For some reasone, when
using the DirectorySearcher object, the lastlogontimestamp object is
returned as a long (Int64) instead of an IADsLargeInteger. I found
this behavior to be a bit schizophrenic."

it's all a bit weird to me and why I mostly stay away from AD
stuff. ;-)

- O.

08-11-2007

That was in no way meant to be a pissing contest

I just assumed since you
misunderstood my post (your a pretty smart chap) then I must not have been
clear enough. So I decided to clarify. The use of bold and caps was meant to
clarify

That is one thing I dislike about news-groups or typed
communication... its easy to misunderstand.

BTW... thanks for the tip on using DirectorySearcher. I will try that on
Monday. If that is the case, it will be MUCH easier than my vbscript klooge

. Either way I learned a good deal about iADSLargeInteger in my quest for
LastLogon

I have MUCH respect for the O-Man!

"Oisin Grehan" <oising@gmail.com> wrote in message
news:1186800687.396538.189750@x40g2000prg.googlegroups.com...
On Aug 10, 5:21 pm, "Brandon Shell" <tshell.m...@gmail.com> wrote:
> I am aware of the differences between LastLogon and LastLogonTimestamp.
> Maybe I wasn't clear enough.
>
> A couple of things here (gonna do a blog post about this later

>
> 1) LastLogon is NOT Replicated, but IS UPDATED on the DC the user logs on
> to everytime (not sure if network logons count.) More
> Infohttp://msdn2.microsoft.com/en-us/library/ms676823.aspx.
>
> 2) LastLogonTimeStamp IS Replicated, but is NOT UPDATED everytime a user
> logs on. It has a formula that is calculated off of
> msDS-LogonTimeSyncInterval. The value for LastLogonTimeStamp is measure in
> days with two special values $null/0. If $null the default is 14days, if 0
> then value is not used (disabled.) The highest value is 100,000. This
> requires Windows 2003 Native Mode (Domain Functionality Level 2.) Whenever
> a user logs on, the value of this attribute is read from the DC. If the
> value is older [ current_time - msDS-LogonTimeSyncInterval ], the value is
> updated. If the value is -gt 5 a random number between 1-5 is added as
> well. More Infohttp://msdn2.microsoft.com/en-us/library/ms676824.aspx.
>
> 3) Both values are stored as iADSLargeInteger (not [int64]) which as far
> Powershell can not deal with natively AFAIK. So you have to either use a
> snap-in that uses ActiveDS.dll or you can use VBScript Engine as I do. One
> thing to note about iADSLargeInteger is that it is int64 with a 32bit high
> part and 32bit low part. More info on iADSLargeInteger
> herehttp://msdn2.microsoft.com/en-us/library/aa706037.aspx.
>
> Synopsys: If you want to determine the last time a user logged on within
> the last 25+hrs then you can use LastLogonTimestamp (assuming you set
> msDS-LogonTimeSyncInterval to 1.) If you want more precise measurement you
> must query every DC for the users LastLogon and take the highest value.
> Again both attributes will come back as System.__ComObject unless you use
> thirdparty snap-in or vbscript. If someone knows a better way that would
> be awesome.
>
> More Info: If your curious about what attributes in your AD that use
> iADSLargeInteger... this function should tell you.
>
> function Get-iADSLargeIntegerAttribute{
> param([string]$domain)
> if($domain){$rootDSE = [ADSI]"LDAP://$Domain/rootDSE"}
> else{$rootDSE = [ADSI]"LDAP://rootDSE"}
> $schema = [ADSI]"LDAP://$($rootDSE.schemaNamingContext)"
> $filter =
> "(&(objectclass=attributeschema)(attributesyntax=2.5.5.16)(omsyntax=65))"
> $props = ("ldapdisplayname")
> $dsearcher = new-Object
> System.DirectoryServices.DirectorySearcher($schema,$filter,$props)
> $dsearcher.findall() | %{Write-Output
> "$($_.Properties['ldapdisplayname'])"}
>
> }
>
> This is generic function to get a ADSLargeInteger Value
>
> function Convert-iADSLargeIntPropertyToInt64{
>
> param([string]$prop,[string]$ldapPath,[string]$server=([ADSI]"LDAP://rootds*e").dnshostname,[switch]$verbose)
> $ErrorActionPreference = "silentlyContinue"
> $statement=@"
> Set objType = getObject(`"LDAP://$server/$ldapPath`")
> Set objProp = objType.Get("$prop")
> result = objProp.HighPart * (2^32) + objProp.LowPart
> "@
> if($verbose)
> {
> Write-Host "+ Running Convert on $server"
> Write-Host " - Property : $Prop"
> Write-Host " - Path : `"$ldapPath`""
> Write-Host " - Statement : $statement"
> }
> $vbs = new-object -com MSScriptControl.ScriptControl
> $vbs.language = 'vbscript'
> $vbs.ExecuteStatement($statement)
> [int64]$value = $vbs.Eval("result")
> return $value
> $ErrorActionPreference = "Continue"
>
>
>
> }
> "Oisin Grehan" <ois...@gmail.com> wrote in
> messagenews:1186775727.802720.238160@q3g2000prf.googlegroups.com...
> > On Aug 10, 10:21 am, "Brandon Shell" <tshell.m...@gmail.com> wrote:
> >> What exactly is your goal. If you are trying to figure out the last
> >> time a
> >> user logged on then this is the wrong attribute to check. This
> >> attribute is
> >> used for detecting stale accounts as the value is not always updated.
> >> To
> >> check the last time a user logged on you must check LastLogon on EVERY
> >> dc
> >> for that user and take the highest value (this attribute is NOT
> >> replicated.)
>
> > Hi Brandon,
>
> > You are correct in saying that LastLogon is NOT replicated. However,
> > the author is talking about "lastLogonTimestamp" which IS replicated
> > between DCs. This attribute is new to AD 2003, and can be interpreted
> > using [DateTime]::FromFileTime.
>
> > Cheers ;-)
>
> > - Oisin- Hide quoted text -
>
> - Show quoted text -

Eeek! that's the last time I get involved in an AD pissing contest
with you, B!

seriously though, I got all my original info on lastLogonTimestamp
from a blog entry some years ago, and I managed to find it again:
http://choosing-a-blog-url-sucks.blo...ctory-and.html

Some interesting stuff in there about IADSLargeInteger,
in64, ::FromFileTime etc; most notable about how when using the
DirectorySearcher, the IADSLargeInterger comes back as an int64, and
the :

"Now let's say you are using the DirectorySearcher object instead of
the DirectoryEntry object to find the object in Active Directory you
need. If you try to use similar code as provided in the sample above,
you will get an InvalidCastException when casting the
lastlogontimestamp to the IADsLargeInteger. For some reasone, when
using the DirectorySearcher object, the lastlogontimestamp object is
returned as a long (Int64) instead of an IADsLargeInteger. I found
this behavior to be a bit schizophrenic."

it's all a bit weird to me and why I mostly stay away from AD
stuff. ;-)

- O.

08-07-2007	#1 (permalink)
Kari n/a posts	Formatting lastLogonTimestamp to understandable form with PS Hi! If I want to create a query that lists all of my users with their lastLogonTimestamp all I get is the time in for which isn't understandable. The value saved in AD is number of 100-nanosecond intervals that passed between January 1, 1601 and the time the user last logged on according to http://www.microsoft.com/technet/scr...lastlogon.mspx. The article mentioned above also contains information on how to convert the time to understandable form with vbs but hence I'm in to PS it would be great to know how to print out the value just with PowerShell. So if I want to print out username and how many days it has been since the user has logged on the last time what would it take? -K
My System Specs

08-07-2007	#2 (permalink)
Oisin Grehan n/a posts	Re: Formatting lastLogonTimestamp to understandable form with PS On Aug 7, 9:00 am, Kari <K...@discussions.microsoft.com> wrote: > Hi! > > If I want to create a query that lists all of my users with their > lastLogonTimestamp all I get is the time in for which isn't understandable. > The value saved in AD is number of 100-nanosecond intervals that passed > between January 1, 1601 and the time the user last logged on according tohttp://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogo.... > The article mentioned above also contains information on how to convert the > time to understandable form with vbs but hence I'm in to PS it would be great > to know how to print out the value just with PowerShell. > > So if I want to print out username and how many days it has been since the > user has logged on the last time what would it take? > > -K Try: PS > [DateTime].FromFileTime([Int64].Parse($lastLogon)) Hope this helps, - Oisin
My System Specs

08-07-2007	#3 (permalink)
Shay Levi n/a posts	Re: Formatting lastLogonTimestamp to understandable form with PS Got a typo at the static method Parse [DateTime].FromFileTime([Int64]::Parse($lastLogon)) Shay http://scriptolog.blogspot.com > On Aug 7, 9:00 am, Kari <K...@discussions.microsoft.com> wrote: > >> Hi! >> >> If I want to create a query that lists all of my users with their >> >> lastLogonTimestamp all I get is the time in for which isn't >> understandable. >> >> The value saved in AD is number of 100-nanosecond intervals that >> passed >> >> between January 1, 1601 and the time the user last logged on >> according >> tohttp://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlo >> go.... >> >> The article mentioned above also contains information on how to >> convert the >> >> time to understandable form with vbs but hence I'm in to PS it would >> be great >> >> to know how to print out the value just with PowerShell. >> >> So if I want to print out username and how many days it has been >> since the user has logged on the last time what would it take? >> >> -K >> > Try: > PS>> [DateTime].FromFileTime([Int64].Parse($lastLogon)) PS>> > Hope this helps, > > - Oisin >
My System Specs

08-07-2007	#4 (permalink)
Oisin Grehan n/a posts	Re: Formatting lastLogonTimestamp to understandable form with PS On Aug 7, 11:36 am, Shay Levi <n...@addre.ss> wrote: > Got a typo at the static method Parse > > [DateTime].FromFileTime([Int64]::Parse($lastLogon)) > > Shayhttp://scriptolog.blogspot.com > > > > > > > On Aug 7, 9:00 am, Kari <K...@discussions.microsoft.com> wrote: > > >> Hi! > > >> If I want to create a query that lists all of my users with their > > >> lastLogonTimestamp all I get is the time in for which isn't > >> understandable. > > >> The value saved in AD is number of 100-nanosecond intervals that > >> passed > > >> between January 1, 1601 and the time the user last logged on > >> according > >> tohttp://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlo > >> go.... > > >> The article mentioned above also contains information on how to > >> convert the > > >> time to understandable form with vbs but hence I'm in to PS it would > >> be great > > >> to know how to print out the value just with PowerShell. > > >> So if I want to print out username and how many days it has been > >> since the user has logged on the last time what would it take? > > >> -K > > > Try: > > PS>> [DateTime].FromFileTime([Int64].Parse($lastLogon)) > PS>> > > > > > Hope this helps, > > > - Oisin- Hide quoted text - > > - Show quoted text -- Hide quoted text - > > - Show quoted text - And on the same theme, heh, I also missed it on the [DateTime]; and I may as well show a fuller solution while I'm at it: PS 1> $lastLogin = [DateTime]::FromFileTime( [Int64]::Parse($lastLoginTimeStamp) ) PS 2> $idleTime = [DateTime]::Now.Subtract($lastLogin) PS 3> $idleTime Days : 120 Hours : 23 Minutes : 58 Seconds : 54 Milliseconds : 534 Ticks : 104543345345550 TotalDays : 120.99924229809 TotalHours : 2903.98181515417 TotalMinutes : 174238.90890925 TotalSeconds : 10454334.534555 TotalMilliseconds : 10454334534.555 PS 4> Hope this helps, - Oisin
My System Specs

08-10-2007	#5 (permalink)
Kari n/a posts	Re: Formatting lastLogonTimestamp to understandable form with PS > And on the same theme, heh, I also missed it on the [DateTime]; and I > may as well show a fuller solution while I'm at it: > > PS 1> $lastLogin = > [DateTime]::FromFileTime( [Int64]::Parse($lastLoginTimeStamp) ) > > PS 2> $idleTime = [DateTime]::Now.Subtract($lastLogin) > > PS 3> $idleTime > > Days : 120 > Hours : 23 > Minutes : 58 > Seconds : 54 > Milliseconds : 534 > Ticks : 104543345345550 > TotalDays : 120.99924229809 > TotalHours : 2903.98181515417 > TotalMinutes : 174238.90890925 > TotalSeconds : 10454334.534555 > TotalMilliseconds : 10454334534.555 > > PS 4> > > Hope this helps, > > - Oisin Uargh... this happens again. When I think I understand something someone proves me wrong So if I run the command above I would probably need some data in the variable . Problem is that I have no idea how to input data to the command...? Lets say I'll query for a list of users like this: get-qaduser -searchroot 'myad.local/users' -dontusedefaultincludedproperties - includeproperties name,lastlogontimestamp How do I input this to the commands you sent to receive a list with users and last logon in days? I also noticed one weird thing If I just query for a list of objects it gives me nice formatting: get-qaduser -searchroot 'myad.local/users' -dontusedefaultincludedproperties - includeproperties name,lastlogontimestamp \| select-object name,lastlogontimestamp This is quite disturbing!
My System Specs

08-10-2007	#6 (permalink)
Brandon Shell n/a posts	Re: Formatting lastLogonTimestamp to understandable form with PS What exactly is your goal. If you are trying to figure out the last time a user logged on then this is the wrong attribute to check. This attribute is used for detecting stale accounts as the value is not always updated. To check the last time a user logged on you must check LastLogon on EVERY dc for that user and take the highest value (this attribute is NOT replicated.) Either way you have to deal with iADsLargeInteger values. These are not at all easy to. MoW has some ideas on how to do this on his blog www.thepowershellguy.com or http://mow001.blogspot.com/2006/01/m...translate.html. I took a different approach using the vbscripting engine to invoke the iADSLargeInteger methods .high .low and convert from there. I used something similar to this. ==== CODE ==== function Get-LastLogonTimeStamp{ Param($server,$ldapPath) $statement=@" Set objUser = getObject(`"LDAP://$server/$ldapPath`") Set objLastLogon = objUser.Get("lastLogonTimeStamp") intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart intLastLogonTime = intLastLogonTime / (60 * 10000000) intLastLogonTime = intLastLogonTime / 1440 result = intLastLogonTime + `#1/1/1601`# "@ write-Host $statement $vbs = new-object -com MSScriptControl.ScriptControl $vbs.language = 'vbscript' $vbs.ExecuteStatement($statement) $lastlogontimestamp= $vbs.Eval("result") return $lastlogontimestamp } function Get-LastLogon{ Param($server,$ldapPath) $statement=@" Set objUser = getObject(`"LDAP://$server/$ldapPath`") Set objLastLogon = objUser.Get("lastLogon") intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart intLastLogonTime = intLastLogonTime / (60 * 10000000) intLastLogonTime = intLastLogonTime / 1440 result = intLastLogonTime + `#1/1/1601`# "@ write-Host $statement $vbs = new-object -com MSScriptControl.ScriptControl $vbs.language = 'vbscript' $vbs.ExecuteStatement($statement) $lastlogon = $vbs.Eval("result") return $lastlogon } ============== "Kari" <Kari@discussions.microsoft.com> wrote in message news:760BA552-02F8-4955-813F-717A2008B714@microsoft.com... >> And on the same theme, heh, I also missed it on the [DateTime]; and I >> may as well show a fuller solution while I'm at it: >> >> PS 1> $lastLogin = >> [DateTime]::FromFileTime( [Int64]::Parse($lastLoginTimeStamp) ) >> >> PS 2> $idleTime = [DateTime]::Now.Subtract($lastLogin) >> >> PS 3> $idleTime >> >> Days : 120 >> Hours : 23 >> Minutes : 58 >> Seconds : 54 >> Milliseconds : 534 >> Ticks : 104543345345550 >> TotalDays : 120.99924229809 >> TotalHours : 2903.98181515417 >> TotalMinutes : 174238.90890925 >> TotalSeconds : 10454334.534555 >> TotalMilliseconds : 10454334534.555 >> >> PS 4> >> >> Hope this helps, >> >> - Oisin > > Uargh... this happens again. When I think I understand something someone > proves me wrong > > So if I run the command above I would probably need some data in the > variable . Problem is that I have no idea how to input data to the > command...? > > Lets say I'll query for a list of users like this: > get-qaduser -searchroot > 'myad.local/users' -dontusedefaultincludedproperties > - includeproperties name,lastlogontimestamp > > How do I input this to the commands you sent to receive a list with users > and last logon in days? > > I also noticed one weird thing > > If I just query for a list of objects it gives me nice formatting: > get-qaduser -searchroot > 'myad.local/users' -dontusedefaultincludedproperties > - includeproperties name,lastlogontimestamp \| select-object > name,lastlogontimestamp > > This is quite disturbing!
My System Specs

08-10-2007	#7 (permalink)
Oisin Grehan n/a posts	Re: Formatting lastLogonTimestamp to understandable form with PS On Aug 10, 10:21 am, "Brandon Shell" <tshell.m...@gmail.com> wrote: > What exactly is your goal. If you are trying to figure out the last time a > user logged on then this is the wrong attribute to check. This attribute is > used for detecting stale accounts as the value is not always updated. To > check the last time a user logged on you must check LastLogon on EVERY dc > for that user and take the highest value (this attribute is NOT replicated.) Hi Brandon, You are correct in saying that LastLogon is NOT replicated. However, the author is talking about "lastLogonTimestamp" which IS replicated between DCs. This attribute is new to AD 2003, and can be interpreted using [DateTime]::FromFileTime. Cheers ;-) - Oisin
My System Specs

08-10-2007	#8 (permalink)
Brandon Shell n/a posts	Re: Formatting lastLogonTimestamp to understandable form with PS I am aware of the differences between LastLogon and LastLogonTimestamp. Maybe I wasn't clear enough. A couple of things here (gonna do a blog post about this later 1) LastLogon is NOT Replicated, but IS UPDATED on the DC the user logs on to everytime (not sure if network logons count.) More Info http://msdn2.microsoft.com/en-us/library/ms676823.aspx. 2) LastLogonTimeStamp IS Replicated, but is NOT UPDATED everytime a user logs on. It has a formula that is calculated off of msDS-LogonTimeSyncInterval. The value for LastLogonTimeStamp is measure in days with two special values $null/0. If $null the default is 14days, if 0 then value is not used (disabled.) The highest value is 100,000. This requires Windows 2003 Native Mode (Domain Functionality Level 2.) Whenever a user logs on, the value of this attribute is read from the DC. If the value is older [ current_time - msDS-LogonTimeSyncInterval ], the value is updated. If the value is -gt 5 a random number between 1-5 is added as well. More Info http://msdn2.microsoft.com/en-us/library/ms676824.aspx. 3) Both values are stored as iADSLargeInteger (not [int64]) which as far Powershell can not deal with natively AFAIK. So you have to either use a snap-in that uses ActiveDS.dll or you can use VBScript Engine as I do. One thing to note about iADSLargeInteger is that it is int64 with a 32bit high part and 32bit low part. More info on iADSLargeInteger here http://msdn2.microsoft.com/en-us/library/aa706037.aspx. Synopsys: If you want to determine the last time a user logged on within the last 25+hrs then you can use LastLogonTimestamp (assuming you set msDS-LogonTimeSyncInterval to 1.) If you want more precise measurement you must query every DC for the users LastLogon and take the highest value. Again both attributes will come back as System.__ComObject unless you use thirdparty snap-in or vbscript. If someone knows a better way that would be awesome. More Info: If your curious about what attributes in your AD that use iADSLargeInteger... this function should tell you. function Get-iADSLargeIntegerAttribute{ param([string]$domain) if($domain){$rootDSE = [ADSI]"LDAP://$Domain/rootDSE"} else{$rootDSE = [ADSI]"LDAP://rootDSE"} $schema = [ADSI]"LDAP://$($rootDSE.schemaNamingContext)" $filter = "(&(objectclass=attributeschema)(attributesyntax=2.5.5.16)(omsyntax=65))" $props = ("ldapdisplayname") $dsearcher = new-Object System.DirectoryServices.DirectorySearcher($schema,$filter,$props) $dsearcher.findall() \| %{Write-Output "$($_.Properties['ldapdisplayname'])"} } This is generic function to get a ADSLargeInteger Value function Convert-iADSLargeIntPropertyToInt64{ param([string]$prop,[string]$ldapPath,[string]$server=([ADSI]"LDAP://rootdse").dnshostname,[switch]$verbose) $ErrorActionPreference = "silentlyContinue" $statement=@" Set objType = getObject(`"LDAP://$server/$ldapPath`") Set objProp = objType.Get("$prop") result = objProp.HighPart * (2^32) + objProp.LowPart "@ if($verbose) { Write-Host "+ Running Convert on $server" Write-Host " - Property : $Prop" Write-Host " - Path : `"$ldapPath`"" Write-Host " - Statement : $statement" } $vbs = new-object -com MSScriptControl.ScriptControl $vbs.language = 'vbscript' $vbs.ExecuteStatement($statement) [int64]$value = $vbs.Eval("result") return $value $ErrorActionPreference = "Continue" } "Oisin Grehan" <oising@gmail.com> wrote in message news:1186775727.802720.238160@q3g2000prf.googlegroups.com... > On Aug 10, 10:21 am, "Brandon Shell" <tshell.m...@gmail.com> wrote: >> What exactly is your goal. If you are trying to figure out the last time a >> user logged on then this is the wrong attribute to check. This attribute is >> used for detecting stale accounts as the value is not always updated. To >> check the last time a user logged on you must check LastLogon on EVERY dc >> for that user and take the highest value (this attribute is NOT replicated.) > > Hi Brandon, > > You are correct in saying that LastLogon is NOT replicated. However, > the author is talking about "lastLogonTimestamp" which IS replicated > between DCs. This attribute is new to AD 2003, and can be interpreted > using [DateTime]::FromFileTime. > > Cheers ;-) > > - Oisin >
My System Specs

08-10-2007	#9 (permalink)
Oisin Grehan n/a posts	Re: Formatting lastLogonTimestamp to understandable form with PS On Aug 10, 5:21 pm, "Brandon Shell" <tshell.m...@gmail.com> wrote: > I am aware of the differences between LastLogon and LastLogonTimestamp. Maybe I wasn't clear enough. > > A couple of things here (gonna do a blog post about this later > > 1) LastLogon is NOT Replicated, but IS UPDATED on the DC the user logs onto everytime (not sure if network logons count.) More Infohttp://msdn2.microsoft.com/en-us/library/ms676823.aspx. > > 2) LastLogonTimeStamp IS Replicated, but is NOT UPDATED everytime a user logs on. It has a formula that is calculated off of msDS-LogonTimeSyncInterval. The value for LastLogonTimeStamp is measure in days with two special values $null/0. If $null the default is 14days, if 0 then value is not used (disabled.) The highest value is 100,000. This requires Windows 2003 NativeMode (Domain Functionality Level 2.) Whenever a user logs on, the value ofthis attribute is read from the DC. If the value is older [ current_time -msDS-LogonTimeSyncInterval ], the value is updated. If the value is -gt 5 a random number between 1-5 is added as well. More Infohttp://msdn2.microsoft.com/en-us/library/ms676824.aspx. > > 3) Both values are stored as iADSLargeInteger (not [int64]) which as far Powershell can not deal with natively AFAIK. So you have to either use a snap-in that uses ActiveDS.dll or you can use VBScript Engine as I do. One thing to note about iADSLargeInteger is that it is int64 with a 32bit high part and 32bit low part. More info on iADSLargeInteger herehttp://msdn2.microsoft.com/en-us/library/aa706037.aspx. > > Synopsys: If you want to determine the last time a user logged on within the last 25+hrs then you can use LastLogonTimestamp (assuming you set msDS-LogonTimeSyncInterval to 1.) If you want more precise measurement you must query every DC for the users LastLogon and take the highest value. Again both attributes will come back as System.__ComObject unless you use thirdparty snap-in or vbscript. If someone knows a better way that would be awesome. > > More Info: If your curious about what attributes in your AD that use iADSLargeInteger... this function should tell you. > > function Get-iADSLargeIntegerAttribute{ > param([string]$domain) > if($domain){$rootDSE = [ADSI]"LDAP://$Domain/rootDSE"} > else{$rootDSE = [ADSI]"LDAP://rootDSE"} > $schema = [ADSI]"LDAP://$($rootDSE.schemaNamingContext)" > $filter = "(&(objectclass=attributeschema)(attributesyntax=2.5.5.16)(omsyntax=65))" > $props = ("ldapdisplayname") > $dsearcher = new-Object System.DirectoryServices.DirectorySearcher($schema,$filter,$props) > $dsearcher.findall() \| %{Write-Output "$($_.Properties['ldapdisplayname'])"} > > } > > This is generic function to get a ADSLargeInteger Value > > function Convert-iADSLargeIntPropertyToInt64{ > param([string]$prop,[string]$ldapPath,[string]$server=([ADSI]"LDAP://rootdse").dnshostname,[switch]$verbose) > $ErrorActionPreference = "silentlyContinue" > $statement=@" > Set objType = getObject(`"LDAP://$server/$ldapPath`") > Set objProp = objType.Get("$prop") > result = objProp.HighPart (2^32) + objProp.LowPart > "@ > if($verbose) > { > Write-Host "+ Running Convert on $server" > Write-Host " - Property : $Prop" > Write-Host " - Path : `"$ldapPath`"" > Write-Host " - Statement : $statement" > } > $vbs = new-object -com MSScriptControl.ScriptControl > $vbs.language = 'vbscript' > $vbs.ExecuteStatement($statement) > [int64]$value = $vbs.Eval("result") > return $value > $ErrorActionPreference = "Continue" > > > > } > "Oisin Grehan" <ois...@gmail.com> wrote in messagenews:1186775727.802720.238160@q3g2000prf.googlegroups.com... > > On Aug 10, 10:21 am, "Brandon Shell" <tshell.m...@gmail.com> wrote: > >> What exactly is your goal. If you are trying to figure out the last time a > >> user logged on then this is the wrong attribute to check. This attribute is > >> used for detecting stale accounts as the value is not always updated. To > >> check the last time a user logged on you must check LastLogon on EVERYdc > >> for that user and take the highest value (this attribute is NOT replicated.) > > > Hi Brandon, > > > You are correct in saying that LastLogon is NOT replicated. However, > > the author is talking about "lastLogonTimestamp" which IS replicated > > between DCs. This attribute is new to AD 2003, and can be interpreted > > using [DateTime]::FromFileTime. > > > Cheers ;-) > > > - Oisin- Hide quoted text - > > - Show quoted text - Eeek! that's the last time I get involved in an AD pissing contest with you, B! seriously though, I got all my original info on lastLogonTimestamp from a blog entry some years ago, and I managed to find it again: http://choosing-a-blog-url-sucks.blo...ctory-and.html Some interesting stuff in there about IADSLargeInteger, in64, ::FromFileTime etc; most notable about how when using the DirectorySearcher, the IADSLargeInterger comes back as an int64, and the : "Now let's say you are using the DirectorySearcher object instead of the DirectoryEntry object to find the object in Active Directory you need. If you try to use similar code as provided in the sample above, you will get an InvalidCastException when casting the lastlogontimestamp to the IADsLargeInteger. For some reasone, when using the DirectorySearcher object, the lastlogontimestamp object is returned as a long (Int64) instead of an IADsLargeInteger. I found this behavior to be a bit schizophrenic." it's all a bit weird to me and why I mostly stay away from AD stuff. ;-) - O.
My System Specs

08-11-2007	#10 (permalink)
Brandon Shell n/a posts	Re: Formatting lastLogonTimestamp to understandable form with PS That was in no way meant to be a pissing contest I just assumed since you misunderstood my post (your a pretty smart chap) then I must not have been clear enough. So I decided to clarify. The use of bold and caps was meant to clarify That is one thing I dislike about news-groups or typed communication... its easy to misunderstand. BTW... thanks for the tip on using DirectorySearcher. I will try that on Monday. If that is the case, it will be MUCH easier than my vbscript klooge . Either way I learned a good deal about iADSLargeInteger in my quest for LastLogon I have MUCH respect for the O-Man! "Oisin Grehan" <oising@gmail.com> wrote in message news:1186800687.396538.189750@x40g2000prg.googlegroups.com... On Aug 10, 5:21 pm, "Brandon Shell" <tshell.m...@gmail.com> wrote: > I am aware of the differences between LastLogon and LastLogonTimestamp. > Maybe I wasn't clear enough. > > A couple of things here (gonna do a blog post about this later > > 1) LastLogon is NOT Replicated, but IS UPDATED on the DC the user logs on > to everytime (not sure if network logons count.) More > Infohttp://msdn2.microsoft.com/en-us/library/ms676823.aspx. > > 2) LastLogonTimeStamp IS Replicated, but is NOT UPDATED everytime a user > logs on. It has a formula that is calculated off of > msDS-LogonTimeSyncInterval. The value for LastLogonTimeStamp is measure in > days with two special values $null/0. If $null the default is 14days, if 0 > then value is not used (disabled.) The highest value is 100,000. This > requires Windows 2003 Native Mode (Domain Functionality Level 2.) Whenever > a user logs on, the value of this attribute is read from the DC. If the > value is older [ current_time - msDS-LogonTimeSyncInterval ], the value is > updated. If the value is -gt 5 a random number between 1-5 is added as > well. More Infohttp://msdn2.microsoft.com/en-us/library/ms676824.aspx. > > 3) Both values are stored as iADSLargeInteger (not [int64]) which as far > Powershell can not deal with natively AFAIK. So you have to either use a > snap-in that uses ActiveDS.dll or you can use VBScript Engine as I do. One > thing to note about iADSLargeInteger is that it is int64 with a 32bit high > part and 32bit low part. More info on iADSLargeInteger > herehttp://msdn2.microsoft.com/en-us/library/aa706037.aspx. > > Synopsys: If you want to determine the last time a user logged on within > the last 25+hrs then you can use LastLogonTimestamp (assuming you set > msDS-LogonTimeSyncInterval to 1.) If you want more precise measurement you > must query every DC for the users LastLogon and take the highest value. > Again both attributes will come back as System.__ComObject unless you use > thirdparty snap-in or vbscript. If someone knows a better way that would > be awesome. > > More Info: If your curious about what attributes in your AD that use > iADSLargeInteger... this function should tell you. > > function Get-iADSLargeIntegerAttribute{ > param([string]$domain) > if($domain){$rootDSE = [ADSI]"LDAP://$Domain/rootDSE"} > else{$rootDSE = [ADSI]"LDAP://rootDSE"} > $schema = [ADSI]"LDAP://$($rootDSE.schemaNamingContext)" > $filter = > "(&(objectclass=attributeschema)(attributesyntax=2.5.5.16)(omsyntax=65))" > $props = ("ldapdisplayname") > $dsearcher = new-Object > System.DirectoryServices.DirectorySearcher($schema,$filter,$props) > $dsearcher.findall() \| %{Write-Output > "$($_.Properties['ldapdisplayname'])"} > > } > > This is generic function to get a ADSLargeInteger Value > > function Convert-iADSLargeIntPropertyToInt64{ > > param([string]$prop,[string]$ldapPath,[string]$server=([ADSI]"LDAP://rootdse").dnshostname,[switch]$verbose) > $ErrorActionPreference = "silentlyContinue" > $statement=@" > Set objType = getObject(`"LDAP://$server/$ldapPath`") > Set objProp = objType.Get("$prop") > result = objProp.HighPart (2^32) + objProp.LowPart > "@ > if($verbose) > { > Write-Host "+ Running Convert on $server" > Write-Host " - Property : $Prop" > Write-Host " - Path : `"$ldapPath`"" > Write-Host " - Statement : $statement" > } > $vbs = new-object -com MSScriptControl.ScriptControl > $vbs.language = 'vbscript' > $vbs.ExecuteStatement($statement) > [int64]$value = $vbs.Eval("result") > return $value > $ErrorActionPreference = "Continue" > > > > } > "Oisin Grehan" <ois...@gmail.com> wrote in > messagenews:1186775727.802720.238160@q3g2000prf.googlegroups.com... > > On Aug 10, 10:21 am, "Brandon Shell" <tshell.m...@gmail.com> wrote: > >> What exactly is your goal. If you are trying to figure out the last > >> time a > >> user logged on then this is the wrong attribute to check. This > >> attribute is > >> used for detecting stale accounts as the value is not always updated. > >> To > >> check the last time a user logged on you must check LastLogon on EVERY > >> dc > >> for that user and take the highest value (this attribute is NOT > >> replicated.) > > > Hi Brandon, > > > You are correct in saying that LastLogon is NOT replicated. However, > > the author is talking about "lastLogonTimestamp" which IS replicated > > between DCs. This attribute is new to AD 2003, and can be interpreted > > using [DateTime]::FromFileTime. > > > Cheers ;-) > > > - Oisin- Hide quoted text - > > - Show quoted text - Eeek! that's the last time I get involved in an AD pissing contest with you, B! seriously though, I got all my original info on lastLogonTimestamp from a blog entry some years ago, and I managed to find it again: http://choosing-a-blog-url-sucks.blo...ctory-and.html Some interesting stuff in there about IADSLargeInteger, in64, ::FromFileTime etc; most notable about how when using the DirectorySearcher, the IADSLargeInterger comes back as an int64, and the : "Now let's say you are using the DirectorySearcher object instead of the DirectoryEntry object to find the object in Active Directory you need. If you try to use similar code as provided in the sample above, you will get an InvalidCastException when casting the lastlogontimestamp to the IADsLargeInteger. For some reasone, when using the DirectorySearcher object, the lastlogontimestamp object is returned as a long (Int64) instead of an IADsLargeInteger. I found this behavior to be a bit schizophrenic." it's all a bit weird to me and why I mostly stay away from AD stuff. ;-) - O.
My System Specs

Similar Threads
Thread	Forum
Need Formatting Help!!!!	General Discussion
LastLogonTimeStamp	VB Script
infopath email form formatting in outlook 03/07	Vista mail
RE: Formatting	Vista music pictures video
Re: Formatting Bug	PowerShell