Microsoft KB Archive/939899

From BetaArchive Wiki
< Microsoft KB Archive
Revision as of 18:39, 18 July 2020 by 3155ffGd (talk | contribs) (importing KB archive)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Knowledge Base


The lastLogon attribute is not updated when a client computer runs an LDAP simple bind operation against a Windows Server 2003-based domain controller

Article ID: 939899

Article Last Modified on 11/20/2007


APPLIES TO

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems


SYMPTOMS

A client computer runs a Lightweight Directory Access Protocol (LDAP) simple bind operation against a Windows Server 2003-based domain controller. The logon process does not update the lastLogon attribute in the Active Directory directory service schema of the domain controller. However, the lastLogonTimestamp attribute is updated.

CAUSE

The lastLogon attribute reflects the last interactive logon, not the last network-based logon. The lastLogonTimestamp attribute reflects simple bind operations and NTLM network-based logons. This behavior enables stale account cleanup in Active Directory without affecting LDAP client authentication that uses only simple bind operations.

RESOLUTION

To resolve the problem, switch the domain to the Windows 2003 Domain Mode. Then, you can use the lastLogonTimestamp attribute.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about the lastLogonTimestamp attribute, click the following article number to view the article in the Microsoft Knowledge Base:

886705 A network logon that uses NTLM authentication does not update the lastLogonTimestamp attribute in the Active Directory schema of a Windows Server 2003-based domain controller


To display all domain users who have been inactive for 10 weeks or more, type the following command at a command prompt:

DSQUery.exe user inactive 10


For more information, visit the following Microsoft Web sites:

http://www.microsoft.com/technet/solutionaccelerators/cits/dsd/acctmgmt/acmlab.mspx


http://msdn2.microsoft.com/en-us/library/ms676824.aspx


http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx


http://technet2.microsoft.com/WindowsServer/en/library/54094485-71f6-4be8-8ebf-faa45bc5db4c1033.mspx?mfr=true


Note When you visit the last Web site that is listed, search for the "Security protocols that update lastLogonTimeStamp in Windows Server 2003" topic.

Keywords: kbtshoot kbexpertiseinter kbprb KB939899



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/939899&oldid=231220
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki