Server 2003 Pre-R2 Domain-Wide Last Login Scanner

Friday, June 19, 2009 12:13:49 PM

Looking for inactive accounts in your domain? The solution might be more difficult than you think, but I have the answer. I was recently tasked with providing a means to scan a domain of almost 100 domain controllers (DCs) to see which accounts were 30, 60 and 90 days without a login. Because we were not yet at a full 2003 R2 domain functionality level, we could not take advantage of the LastLogon attribute directly.

For those who aren't aware, prior to Windows Server 2003 R2 the LastLogon schema attribute was not a replicated field, so each DC holds only the logons it serviced itself. The solution that we came up with was to connect to each DC in the domain directly, enumerate the list of users, retrieve their last logon time and then perform a comparison to find the most recent entry across all DCs. Here is a rundown of the logic:

  1. Connect to local DC
  2. Enumerate list of all DCs in the domain
  3. Close connection
  4. For each DC discovered in step 2, create a connection to it
  5. Query all users and their LastLogon attribute
  6. Create array and store data from step 5 into it
  7. Close connection
  8. Compare arrays and find the most recent login for each user
  9. Output data to CSV file
  10. Manually analyze the data or write another program to do same

Pretty basic, though there were some pitfalls that I encountered. One of them was that I did not want to hammer the network, so I needed to limit my number of simultaneous connections. We decided to only connect to 5 DCs at a time.
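The following is an added example (not the author's downloadable code) showing steps 4 through 9 in Python: querying DCs with at most five in flight at once, converting the raw LastLogon FILETIME value, keeping the most recent value per user across all DCs, bucketing into 30/60/90-day inactivity and emitting CSV. The per-DC LDAP query is replaced by a constructed in-memory table (`SAMPLE_DC_DATA`, `fetch_last_logons`, the reference date `NOW` and the user and DC names are all assumptions) so that it runs offline; in a real run `fetch_last_logons` would be an LDAP search against the named DC returning each user's `sAMAccountName` and `lastLogon`.

```python
"""Merge per-DC lastLogon values into a domain-wide most-recent-logon table.

Added example. The DC queries are simulated with constructed data so the
script runs offline; replace fetch_last_logons() with a real LDAP search
(attributes sAMAccountName and lastLogon) against each DC in production.
"""
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timedelta, timezone
import csv
import io

# lastLogon is a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_CONCURRENT_DCS = 5  # the post's cap on simultaneous DC connections
NOW = datetime(2009, 6, 19, 12, 0, tzinfo=timezone.utc)  # constructed reference date


def filetime_to_datetime(filetime):
    """Convert a lastLogon value to a UTC datetime.
    0 (or missing) means this DC never authenticated the user: return None."""
    if not filetime:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse conversion; used here only to build the constructed sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def _days_ago(n):
    return datetime_to_filetime(NOW - timedelta(days=n))


# Constructed per-DC tables (assumed DC and user names). Each DC knows only the
# logons it serviced itself, which is why the values have to be merged.
SAMPLE_DC_DATA = {
    "DC01": {"alice": _days_ago(2),  "bob": _days_ago(45), "carol": 0,              "dave": 0},
    "DC02": {"alice": _days_ago(10), "bob": _days_ago(70), "carol": _days_ago(95),  "dave": 0},
    "DC03": {"alice": 0,             "bob": _days_ago(35), "carol": _days_ago(61),  "dave": 0},
    "DC04": {"alice": _days_ago(1),  "bob": 0,             "carol": 0,              "dave": 0},
    "DC05": {"alice": 0,             "bob": 0,             "carol": 0,              "dave": 0},
    "DC06": {"alice": _days_ago(20), "bob": _days_ago(40), "carol": _days_ago(120), "dave": 0},
    "DC07": {"alice": 0,             "bob": 0,             "carol": _days_ago(90),  "dave": 0},
}


def fetch_last_logons(dc_name):
    """Stand-in for steps 4-7: connect to one DC, read every user's lastLogon,
    disconnect. Returns {sAMAccountName: raw FILETIME int}."""
    return dict(SAMPLE_DC_DATA[dc_name])


def merge_last_logons(dc_names, fetch=fetch_last_logons, max_workers=MAX_CONCURRENT_DCS):
    """Step 8: query all DCs, never more than max_workers at once, and keep the
    most recent lastLogon seen for each user. Returns {user: datetime or None}."""
    latest = {}
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        for per_dc in pool.map(fetch, dc_names):
            for user, filetime in per_dc.items():
                seen = filetime_to_datetime(filetime)
                if user not in latest:
                    latest[user] = seen
                elif seen is not None and (latest[user] is None or seen > latest[user]):
                    latest[user] = seen
    return latest


def inactivity_bucket(last_logon, now=NOW):
    """Classify a merged value into the post's 30/60/90-day buckets."""
    if last_logon is None:
        return "never"
    days = (now - last_logon).days
    if days >= 90:
        return "90+"
    if days >= 60:
        return "60+"
    if days >= 30:
        return "30+"
    return "active"


def to_csv(latest, now=NOW):
    """Step 9: render the merged table as CSV text."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["sAMAccountName", "lastLogonUTC", "daysSince", "bucket"])
    for user in sorted(latest):
        dt = latest[user]
        writer.writerow([
            user,
            dt.isoformat() if dt else "",
            (now - dt).days if dt else "",
            inactivity_bucket(dt, now),
        ])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(merge_last_logons(sorted(SAMPLE_DC_DATA))))
```

A value of 0 is treated as "this DC never saw the user", not as a logon in 1601, and a user is reported as never logged on only when every DC returns 0; the comparison therefore has to be made on the merged table, not per DC.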

You can download the code and take it for a spin here.
