User attributes replication concern

  • Question

  • Hi Scripting Guys,

    Working in a large domain we have concerns on the validity of the information we use to manage user accounts. A good example is the lastLogonDate replication timeframe, 9 to 14 days. There was a suggestion to use the PasswordLastSet attribute to alleviate the possibility of lastLogonDate not being replicated properly for some users. But the problem we face is different. How can we make sure that a user did not reset their password and log on in the hours prior to running the script that disables the account? Is there an attribute that should replicate itself almost immediately that we can rely on? Should we check all domain controllers for each user we are about to disable or delete?

    Pierre

    Tuesday, October 6, 2015 12:04 PM

Answers

  • If the lastLogonDate (actually the value of the lastLogonTimestamp attribute) is far enough in the past that you are going to delete or disable the account as inactive, then as soon as the user logs on the lastLogonDate property will be replicated. That is because the old value will be more than 14 days in the past. It does not mean that AD waits 14 days to replicate the value.

    However, PasswordLastSet (actually the pwdLastSet attribute) will always replicate. It's just that passwords may not need to be reset for some days, and some accounts may be configured to never need to change passwords.


    Richard Mueller - MVP Directory Services

    Tuesday, October 6, 2015 12:23 PM
    Moderator
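
A pre-disable check for the scenario in the question, as an added example that is not part of the original thread: it asks every domain controller for the replicated lastLogonTimestamp and pwdLastSet values plus the per-DC lastLogon value (which is not replicated) and uses the most recent one. The function name, the 90-day threshold and the output property names are assumptions.

```powershell
# Added example; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-LatestUserActivity {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [int] $InactiveDays = 90          # assumed inactivity threshold
    )
    $cutoff    = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
    $latest    = [datetime]::MinValue
    $source    = $null
    $failedDCs = @()

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                     -Properties lastLogon, lastLogonTimestamp, pwdLastSet `
                     -ErrorAction Stop
        } catch {
            # A DC that cannot answer might hold a newer value, so record it.
            $failedDCs += $dc.HostName
            continue
        }
        foreach ($attr in 'lastLogon', 'lastLogonTimestamp', 'pwdLastSet') {
            $raw = $u.$attr               # FILETIME (Int64); null or 0 means "never"
            if ($raw -and $raw -gt 0) {
                $when = [datetime]::FromFileTimeUtc($raw)
                if ($when -gt $latest) {
                    $latest = $when
                    $source = "$attr on $($dc.HostName)"
                }
            }
        }
    }

    [pscustomobject]@{
        Identity       = $Identity
        LatestActivity = $latest          # UTC
        Source         = $source
        FailedDCs      = $failedDCs
        # Only treat the account as inactive if every DC answered.
        SafeToDisable  = ($latest -lt $cutoff) -and ($failedDCs.Count -eq 0)
    }
}
```

Run it for each candidate immediately before the disable step, and skip any account where SafeToDisable is false or FailedDCs is not empty.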

All replies

  • Thank you very much for the quick reply. It's appreciated.
    Tuesday, October 6, 2015 7:03 PM