Discussion:
comparing lastLogonTimestamp
(too old to reply)
Martin, Greg (RTIS)
2010-06-25 19:13:49 UTC
Permalink
This question is less about the problem at hand and more about how to deal
with the issue of changing types in powershell.

I need to find all the accounts in an OU created more than 30 days ago that
have Never been logged into or haven't been logged into for 60 days. I have
this snippet that uses the quest cmdlet:

Get-QADuser -searchroot "corp.net/user accounts/users/OurOU" |
where { ($_.whencreated -lt ((get-date).adddays(-30)) ) -and
( ( $_.lastLogonTimestamp -like "Never") -or
($_.lastLogonTimestamp -lt ((get-date).adddays(-60))
)
}

The script works for accounts that have never been logged into but throws an
iComparable error when the account has been logged into. I assume its
because I'm trying to compare a date to "Never".

How do I account for the type mismatch between a date the "Never" value?

Thanks

\\Greg
IT STAFF
2010-06-26 16:33:21 UTC
Permalink
Sorry, my posting here does not post an answer here, but i wish to ask
another question as recently i am trying to find out all accounts that has
never been logon as well.

Accounts here refer to ntid or computer accounts ? For my case, i assuume
NTID. (i am not working on computer accounts)

Thus i search for attribute "modificationdate". This is because "service
account" if ever work, will make a change to modificationdate.
Lastlogontimestamp attribute - is this consider a good parameter to search
on ?

I face problems in my AD, as administrators sometimes create "application
service" account and they did not disable or remove them after testings.
Therefore i use the modificationdate as date will change if these ntid are
"in use"
Post by Martin, Greg (RTIS)
This question is less about the problem at hand and more about how to deal
with the issue of changing types in powershell.
I need to find all the accounts in an OU created more than 30 days ago
that have Never been logged into or haven't been logged into for 60 days.
Get-QADuser -searchroot "corp.net/user accounts/users/OurOU" |
where { ($_.whencreated -lt ((get-date).adddays(-30)) ) -and
( ( $_.lastLogonTimestamp -like "Never") -or
($_.lastLogonTimestamp -lt ((get-date).adddays(-60))
)
}
The script works for accounts that have never been logged into but throws
an iComparable error when the account has been logged into. I assume its
because I'm trying to compare a date to "Never".
How do I account for the type mismatch between a date the "Never" value?
Thanks
\\Greg
Martin, Greg (RTIS)
2010-06-28 13:17:20 UTC
Permalink
I wish you wouldn't hijack my thread. But here's an answer. Computer
accounts are required to change their password regularly - I believe every
30 days. If you look at the pwdlastset attribute, and it is older than
that, you've possibly found a aging account.


\\Greg
Post by IT STAFF
Sorry, my posting here does not post an answer here, but i wish to ask
another question as recently i am trying to find out all accounts that has
never been logon as well.
Accounts here refer to ntid or computer accounts ? For my case, i assuume
NTID. (i am not working on computer accounts)
Thus i search for attribute "modificationdate". This is because "service
account" if ever work, will make a change to modificationdate.
Lastlogontimestamp attribute - is this consider a good parameter to search
on ?
I face problems in my AD, as administrators sometimes create "application
service" account and they did not disable or remove them after testings.
Therefore i use the modificationdate as date will change if these ntid are
"in use"
Post by Martin, Greg (RTIS)
This question is less about the problem at hand and more about how to
deal with the issue of changing types in powershell.
I need to find all the accounts in an OU created more than 30 days ago
that have Never been logged into or haven't been logged into for 60 days.
Get-QADuser -searchroot "corp.net/user accounts/users/OurOU" |
where { ($_.whencreated -lt ((get-date).adddays(-30)) ) -and
( ( $_.lastLogonTimestamp -like "Never") -or
($_.lastLogonTimestamp -lt ((get-date).adddays(-60))
)
}
The script works for accounts that have never been logged into but throws
an iComparable error when the account has been logged into. I assume its
because I'm trying to compare a date to "Never".
How do I account for the type mismatch between a date the "Never" value?
Thanks
\\Greg
Martin, Greg (RTIS)
2010-06-29 21:42:38 UTC
Permalink
The answer to this is to append ".value" to lastLogonTimeStamp to gain
access to the non-interpreted value of the attribute. Tis will compare
quite nicely.


Get-QADuser -searchroot "corp.net/user accounts/users/OurOU" |
where { ($_.whencreated -lt ((get-date).adddays(-30)) ) -and
( ( $_.lastLogonTimestamp.value -like "Never") -or
($_.lastLogonTimestamp.value -lt ((get-date).adddays(-60))
)
}


\\Greg
Post by Martin, Greg (RTIS)
This question is less about the problem at hand and more about how to deal
with the issue of changing types in powershell.
I need to find all the accounts in an OU created more than 30 days ago
that have Never been logged into or haven't been logged into for 60 days.
Get-QADuser -searchroot "corp.net/user accounts/users/OurOU" |
where { ($_.whencreated -lt ((get-date).adddays(-30)) ) -and
( ( $_.lastLogonTimestamp -like "Never") -or
($_.lastLogonTimestamp -lt ((get-date).adddays(-60))
)
}
The script works for accounts that have never been logged into but throws
an iComparable error when the account has been logged into. I assume its
because I'm trying to compare a date to "Never".
How do I account for the type mismatch between a date the "Never" value?
Thanks
\\Greg
Loading...