Greetings,
Is it possible to have a lastlogontimestamp of 01/01/1601 with an account still in use? I'm doing an audit of service accounts and most have 1601 but I think some of them are being used.
Cheers
David Z
Hi,
Accounts have a lastlogontimestamp of 01/01/1601 because they have not logged on to any server yet.
This is Microsoft's logic for using that date.
http://blogs.technet.com/b/heyscriptingguy/archive/2010/01/27/dandelions-vcr-clocks-and-last-logon-times-these-are-a-few-of-our-least-favorite-things.aspx
The value stored in the lastLogon attribute represents the date and time of the account logon, expressed in 100-nanosecond steps since 12:00 AM, January 1, 1601.
The DS team has a great blog that you should check out
http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
"LastLogonTimestamp is updated with the following logon types: Interactive, Network, and Service logons.
However, the attribute isn't updated with EVERY logon. There is another attribute ms-DS-Logon-Time-Sync that controls how often [in days] the LastLogonTimestamp attribute is updated and replicated to other DCs."
My Question is - If the logontimestamp is 01/01/1601 then does it mean that the account is definitely not in use? I am referring to service accounts. I see many SQL and Exchange accounts with this timestamp and I cannot believe SQL and Exchange would create these accounts if they are never used for anything.
To put it another way - If you did a search for all accounts and their logon time stamps, would you delete the ones with 01/01/1601 immediately knowing that absolutely no systems or applications could possibly be affected?
Hello David,
No, you cannot delete those accounts because they are running as service accounts or as batch jobs. You have to be very careful when deleting those accounts.
Hi,
You can run the script to find out on which date each account was created, and based on that you need to send the report to the respective team that owns the accounts and then decide whether to delete or not.
If your query is answered, please mark or propose as answer.
My Question is - If the logontimestamp is 01/01/1601 then does it mean that the account is definitely not in use? I am referring to service accounts. I see many SQL and Exchange accounts with this timestamp and I cannot believe SQL and Exchange would create these accounts if they are never used for anything.
To put it another way - If you did a search for all accounts and their logon time stamps, would you delete the ones with 01/01/1601 immediately knowing that absolutely no systems or applications could possibly be affected?
No, my question has not been answered.
Is it possible to have a lastlogontimestamp of 01/01/1601 with an account still in use?
Hello,
For example, I have a service account called Xyz.@testlab.com. I use this account only to start a specific Exchange service, and its password is set to never expire. Hence, if I run the script to collect the lastlogontimestamp, I will receive the timestamp 01/01/1601, which is as per Microsoft's logic and algorithm. I will not delete this account because my Exchange service requires this service account to stop and start the service. If I want to delete such an account, I have to be 100% sure that it is not in use anywhere in the environment as a service, scheduled job, or run-as service account.
So the answer is yes.
What arises from this is the next question. Is there any way to determine if an account is not in use (without asking people)?
Also, what is the purpose of an account? I thought it was authentication. If you are authenticated then wouldn't you update the lastlogontimestamp?
Hi,
Without interacting with users or the respective owners, it is not possible to identify those accounts in Active Directory. I am saying this from my past and current experience. What you can do is use a script to pull out a report and send it to the respective team owners to identify those accounts. If that is not possible, then another way of doing it is to disable accounts which have not been in use for more than 90 days and keep them disabled for, say, 10 days. If you have not received any complaint or seen any service affected by that, you can delete them on the 11th day.
You can also convert the lastlogontimestamp attribute value using Excel; please check the link below.
http://www.windowstricks.in/2011/02/lastlogon-and-lastlogontimestamp.html
Also, the lastlogontimestamp attribute value is not authentic, because the value is updated every 14 days (it is updated whenever the account logs on, and the update is replicated every 14 days), so you won't get the most recent logon data. If the lastlogontimestamp attribute value is more than 15 days old, then we can trust the value.
Regards
Ganesh
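
The triage discussed in this thread, as an added PowerShell example that is not from any of the posters: it converts raw lastLogonTimestamp values (100-nanosecond steps since 01/01/1601), treats 0 or empty as "no recorded logon" instead of a 1601 date, and buckets the rest using the 14-day and 90-day figures mentioned above. The account names, the status labels and the fixed "now" are constructed for illustration.

```powershell
# Added example: triage accounts by lastLogonTimestamp using constructed records.
# In a real audit the records would come from the ActiveDirectory module, e.g.:
#   Get-ADUser -Filter * -Properties lastLogonTimestamp, whenCreated
$SyncWindowDays = 14   # update/replication window quoted in the thread
$StaleDays      = 90   # "not in use for more than 90 days", from the thread

function ConvertFrom-LogonFileTime {
    param([Int64]$Value)
    # 0 (or an empty attribute, which casts to 0) means the value was never
    # written; converting it naively is what produces 01/01/1601.
    if ($Value -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($Value)
}

function Get-LogonTriage {
    param(
        [Parameter(Mandatory)] $Account,
        [DateTime]$Now = [DateTime]::UtcNow
    )
    $last = ConvertFrom-LogonFileTime -Value ([Int64]$Account.lastLogonTimestamp)
    if ($null -eq $last) {
        # Not proof the account is unused: confirm with the owning team.
        $status = 'NoRecordedLogon-AskOwner'
    } else {
        $age = ($Now - $last).TotalDays
        if     ($age -le $SyncWindowDays) { $status = 'RecentlyActive' }
        elseif ($age -le $StaleDays)      { $status = 'Active-DateApproximate' }
        else                              { $status = 'Stale-DisableCandidate' }
    }
    [PSCustomObject]@{
        Name         = $Account.Name
        Created      = $Account.whenCreated
        LastLogonUtc = $last
        Status       = $status
    }
}

# Constructed sample data (hypothetical accounts, fixed reference time).
$now = [DateTime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [PSCustomObject]@{ Name='svc-sql-a';  whenCreated=$now.AddDays(-400); lastLogonTimestamp=0 }
    [PSCustomObject]@{ Name='svc-exch-b'; whenCreated=$now.AddDays(-400); lastLogonTimestamp=$now.AddDays(-3).ToFileTimeUtc() }
    [PSCustomObject]@{ Name='svc-app-c';  whenCreated=$now.AddDays(-400); lastLogonTimestamp=$now.AddDays(-40).ToFileTimeUtc() }
    [PSCustomObject]@{ Name='svc-old-d';  whenCreated=$now.AddDays(-900); lastLogonTimestamp=$now.AddDays(-200).ToFileTimeUtc() }
)
$sample | ForEach-Object { Get-LogonTriage -Account $_ -Now $now } | Format-Table -AutoSize
```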