lastlogon schema mod


fred

I'm trying to find the best way to track users' lastLogon
in 2 domains with 4 domain controllers. Instead of
querying the DCs of each domain and taking the greater
value for the accounts in those domains, I thought I
would "Replicate this attribute to the Global Catalog".
This did not seem to work. I open the schema snap-in,
check the box to perform this action and I'm receiving an
error "Could not change whether this attribute should be
replicated to the global catalog servers". I'm trying to
perform this via terminal services to the server that is
the schema master (as reported by replication monitor) in
the parent domain while logged in as a domain admin that
is a member of the Schema Admins group. The registry
setting allowing schema updates is set to 1 and if I
right click on Active Directory Schema and go to
Operations Masters the appropriate check box is checked
for schema modification. This server is not a global
catalog server. All servers are 2k. This leads me to a
few questions.

1. Is this possible and if so is this even the right
thing to do?
2. Does the registry setting to allow schema updates have
to be set on each domain controller? (Didn't think so, but
wanted to be sure.)
3. If this were successful I'm assuming that I would
modify this attribute in domain.com and it would also
replicate to child.domain.com assuming trusts are set?
4. To make the change does the schema master also have to
have the global catalog on the same server?
5. Why am I receiving "Could not change whether this
attribute should be replicated to the global catalog
servers" if all steps have been taken to allow schema
modifications?
6. Do terminal services have anything to do with this?

I appreciate any feedback and will gladly provide more
info if needed.
 

Tony Murray [MVP]

It is not possible because the attribute is owned and
protected by the system. This is quite sensible as the
amount of replication traffic generated if you allowed the
information to be replicated would be huge.

Windows Server 2003 AD has the lastLogonTimestamp
attribute, which doesn't provide true last logon (because
it is only updated if the last update occurred a week or
more ago), but is replicated and will give you a good
indication whether an account is being used or not.

In Windows 2000 AD your options are:

1. Write a script that will query each DC to determine
the latest last logon.
2. Query the pwdLastSet attribute to determine (roughly)
whether accounts are being used or not.

Tony
www.activedir.org
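A current-day version of the per-DC query Tony describes in option 1, added here as an example that is not part of the original thread. It assumes a domain-joined machine with the RSAT ActiveDirectory PowerShell module (which did not exist in the Windows 2000 era) and uses the two domain names from the question; the `$results` table and its key format are this example's own choices.

```powershell
# Added example: because lastLogon is never replicated, each DC holds its own
# copy. Ask every DC in every domain and keep the newest value per account.
$domains = @('domain.com', 'child.domain.com')   # domain names from the thread
$results = @{}   # key: "domain\samAccountName", value: newest lastLogon (FILETIME)

foreach ($domain in $domains) {
    # Enumerate all DCs of this domain by asking the domain itself
    $dcs = Get-ADDomainController -Filter * -Server $domain
    foreach ($dc in $dcs) {
        try {
            $users = Get-ADUser -Filter * -Server $dc.HostName -Properties lastLogon
        } catch {
            # An unreachable DC must not abort the whole sweep; its values are
            # simply missing from this run, so the report may be too old.
            Write-Warning "Could not query $($dc.HostName): $_"
            continue
        }
        foreach ($u in $users) {
            # lastLogon is an Int64 FILETIME; 0 or absent means never logged on here
            $value = [int64]($u.lastLogon)
            if ($value -eq 0) { continue }
            $key = "$domain\$($u.SamAccountName)"
            if (-not $results.ContainsKey($key) -or $results[$key] -lt $value) {
                $results[$key] = $value
            }
        }
    }
}

# Report: convert FILETIME to local time. Accounts that never logged on
# at any DC do not appear in the table at all.
$results.GetEnumerator() | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{
        Account   = $_.Name
        LastLogon = [DateTime]::FromFileTime($_.Value)
    }
} | Format-Table -AutoSize
```

A DC that was down during the sweep leaves a gap, so treat a missing or old value as "unknown" rather than "unused" until every DC has answered.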
 
