when the functional level changes it logs in the event log also.......?

logged in the System log:

Event Type: Information
Event Source: SAM
Event ID: 16408
Computer: Server Name
Description: "Domain operation mode has been changed to Native Mode. The change cannot be reversed."

________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of James Scanlon
Sent: 10 June 2011 14:43
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: determine domain functional level history

Steve

scrap that, just found that our script (originally) was only querying lastlogon not lastlogontimestamp...grrr

have you checked the lastlogontimestamp is in sync between DC's?

    repadmin /showattr * CN=user1,OU=accounting,DC=domain,dc=com /attrs:lastLogontimeStamp >c:\lastLogontimeStamp.txt

according to http://msdn.microsoft.com/en-us/library/ms676824(v=vs.85).aspx

Also: Last-Logon-Timestamp Attribute: This is the time that the user last logged into the domain. Whenever a user logs on, the value of this attribute is read from the DC. If the value is older [ current_time - msDS-LogonTimeSyncInterval ], the value is updated. The initial update after the raise of the domain functional level is calculated as 14 days minus random percentage of 5 days.

- I read that as there SHOULD be an entry for each user?????

sorry if this is already stuff you've covered.... :)

good luck
J

________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of James Scanlon
Sent: 10 June 2011 14:33
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: determine domain functional level history

steve

I thought the 'lastlogon' details were only recorded individually on each domain controller??? (or something stupid like that)

there are apps that scan ALL domain controllers and list the most recent date for the lastLogonTimestamp?
In the past we used "dovestone softwares AD true last logon" I think...

James

________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Snyder
Sent: 10 June 2011 14:28
To: thin@xxxxxxxxxxxxx
Subject: [THIN] OT: determine domain functional level history

So I'm pulling the lastLogonTimeStamp attribute for user accounts via script as part of a cleanup effort, and for many accounts there's no entry. Since this attribute is only available for a Windows 2003 functional level I'm hypothesizing that these accounts simply haven't been logged onto since the functional level was raised to 2003. Anyone know of where/how to query AD to determine when that occurred, or if that info is even stored?
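
Added example, not part of any message in this thread: a Python sketch of the stale-account decision the thread circles around, combining the replicated lastLogonTimestamp with per-DC lastLogon values and allowing for the update lag described in the quoted MSDN text. The function names, the 90-day threshold, the 14-day interval constant and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SYNC_INTERVAL = timedelta(days=14)  # assumed msDS-LogonTimeSyncInterval (the 14 days quoted above)

def filetime_to_dt(value):
    """AD stores logon times as 100 ns ticks since 1601-01-01 UTC; None or 0 means never set."""
    ticks = int(value or 0)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None

def to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def classify(last_logon_timestamp, per_dc_last_logon, now, threshold_days=90):
    """Classify one account as active / review / stale / no-logon-recorded."""
    cutoff = now - timedelta(days=threshold_days)
    replicated = filetime_to_dt(last_logon_timestamp)
    # lastLogon is kept per DC, so the newest value across all DCs is the one that counts.
    per_dc = [t for t in map(filetime_to_dt, per_dc_last_logon.values()) if t]
    exact = max(per_dc) if per_dc else None
    known = max([t for t in (replicated, exact) if t], default=None)
    if known is None:
        return "no-logon-recorded"  # never used, or not since the attribute existed
    if known >= cutoff:
        return "active"
    # With only the replicated stamp, a later logon inside the sync interval may not
    # have updated it, so the account is stale only once that slack has also passed.
    if exact is None and replicated + SYNC_INTERVAL >= cutoff:
        return "review"
    return "stale"  # assumes per_dc_last_logon, when non-empty, covers every DC

NOW = datetime(2011, 6, 10, tzinfo=timezone.utc)  # constructed "current time"

def ago(days):
    return to_filetime(NOW - timedelta(days=days))

# Constructed sample: user -> (lastLogonTimestamp, {dc: lastLogon})
SAMPLE = {
    "user1": (ago(95), {}),                        # stamp just past cutoff, no per-DC data
    "user2": (None, {"dc1": 0, "dc2": ago(3)}),    # no stamp, recent logon on one DC
    "user3": (None, {"dc1": 0, "dc2": 0}),         # nothing recorded anywhere
    "user4": (ago(200), {"dc1": 0}),               # stamp far beyond cutoff plus slack
    "user5": (ago(95), {"dc1": ago(95)}),          # per-DC data confirms the old stamp
}

def report(sample=SAMPLE, now=NOW):
    return {user: classify(ts, dcs, now) for user, (ts, dcs) in sample.items()}

if __name__ == "__main__":
    for user, verdict in report().items():
        print(f"{user}: {verdict}")
```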