Can computer object's Modified date be trusted?

Dimitri Furguson

I am in clean-up mode in AD and I have 100's of orphaned computer objects
out there. I have previewed some of the scripts out there that query for
last logon date, but that requires me to run against all AD controllers and
compare since I don't think that information is replicated. Other
scripts query by password change but that doesn't apply because of certain
PCs that auto-login with accounts that have non-expiring passwords.

So what I did was create an AD query in ADUC and turned on the Modified
column in Views. I can then export the query findings into a TXT file that
I import into Excel. At first glance it appears to be a reliable list but
then again I am staring at 1300 computer accounts so I can't be sure. Could
you foresee any reason why the modified date would not be accurate? What I
don't know is what exactly triggers that field... simply from a reboot?

Thank you for your time.
Jorge de Almeida Pinto [MVP - DS]

To scan for old computer accounts, use joe's OLDCMP:
http://www.joeware.net/win/free/tools/oldcmp.htm

OldCmp
Summary

Command line Active Directory query tool. Primarily used to find and
cleanup old computer accounts that haven't been used. Can also be used to
clean up user accounts when the proper filter is specified.
--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)


# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
Joe Richards [MVP]

> last logon date, but that requires me to run against all AD
> controllers and compared since I don't think that is information
> is replicated.

If you are in DFL2 lastLogonTimeStamp is replicated and can be used by
oldcmp... Just use the -llts switch. If you aren't in the right mode, it
will tell you and won't use it.
> Other scripts query by password change but that doesn't apply because
> of certain PC's that auto-login with accounts that have non-expiring
> passwords.

Autologon is to user ids, not computer accounts; setting userids to
non-expiring has no impact on computer account passwords.


As for modified date... no, you can't trust it. It is a non-replicated
value just like lastLogon and can reflect any kind of update to the
object, even mods made by the system for whatever reason. Every DC will
very likely have a different value.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
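
The staleness check discussed in this thread, as an added example that is not part of any post above and is not OldCmp's code: it converts the FILETIME values AD stores in lastLogonTimestamp and pwdLastSet, flags a computer only when both are older than a cutoff, and measures how far the Modified (whenChanged) value drifts between DCs. The computer names, DC names, dates and the 90-day cutoff are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ticks):
    """AD FILETIME: 100 ns ticks since 1601-01-01 UTC; 0 means never set."""
    ticks = int(ticks)
    return None if ticks == 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def to_filetime(dt):
    """Inverse of from_filetime, used only to build the sample data below."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def when_changed_spread(per_dc):
    """per_dc: {dc: {computer: whenChanged}} -> {computer: max - min across DCs}."""
    seen = {}
    for stamps in per_dc.values():
        for name, ts in stamps.items():
            seen.setdefault(name, []).append(ts)
    return {name: max(v) - min(v) for name, v in seen.items()}

def find_stale(records, now, max_age_days=90):
    """Names whose lastLogonTimestamp AND pwdLastSet are both older than the cutoff.
    The 90-day default is an assumption; keep it well above the lag with which
    lastLogonTimestamp is updated (up to 14 days by default)."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for name, attrs in records.items():
        stamps = [from_filetime(attrs[k]) for k in ("lastLogonTimestamp", "pwdLastSet")]
        if all(ts is None or ts < cutoff for ts in stamps):
            stale.append(name)
    return sorted(stale)

# Constructed sample data (not from a real directory).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
def _ago(days):
    return to_filetime(NOW - timedelta(days=days))
RECORDS = {
    "PC-ACTIVE": {"lastLogonTimestamp": _ago(9), "pwdLastSet": _ago(21)},
    "PC-KIOSK": {"lastLogonTimestamp": _ago(3), "pwdLastSet": _ago(400)},
    "PC-ORPHAN": {"lastLogonTimestamp": _ago(310), "pwdLastSet": _ago(330)},
    "PC-NEVER": {"lastLogonTimestamp": 0, "pwdLastSet": _ago(500)},
}
WHEN_CHANGED = {  # the same object as stamped locally by two DCs
    "DC1": {"PC-ORPHAN": NOW - timedelta(days=2)},
    "DC2": {"PC-ORPHAN": NOW - timedelta(days=40)},
}

if __name__ == "__main__":
    print("stale:", find_stale(RECORDS, NOW))
    print("whenChanged spread:", when_changed_spread(WHEN_CHANGED))
```

Requiring both attributes to be old keeps a machine with a recent logon but an old password (PC-KIOSK in the sample) off the deletion list.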
 
