Replies: 17 - Pages: 2 - Last Post: Nov 22, 2009 2:58 AM by: Shay Levy

Posts: 36 - Registered: 9/30/08
Get-Qaduser command - slightly different results
Posted: Dec 11, 2008 4:18 AM
Hello,
If I run the following 2 commands I will get slightly different results.
Command1
-------------
Get-QADUser -SizeLimit 0 | where {$_.lastlogontimestamp.value -and (($now-$_.lastlogontimestamp.value).days -gt $daysSinceLastLogon)} | Format-Table Name, LastLogonTimeStamp
Command2
-------------
Get-QADUser -SizeLimit 0 -ldap "(lastlogontimestamp=*)" | where {($now-$_.lastlogontimestamp.value).days -gt $daysSinceLastLogon} | Format-Table Name, LastLogonTimeStamp
With command1 I will get 3 more results than with command2. In my AD I have set the replication of the lastlogontimestamp to 1 day, instead of the random 10-14 days.
Thanks, Alex

Posts: 415 - Registered: 9/4/07
Re: Get-Qaduser command - slightly different results
Posted: Dec 17, 2008 5:05 AM, in response to: alex.stefishen@... (Answered)
Your first command is slightly inaccurate. Try this variant:
Get-QADUser -SizeLimit 0 | where {$_.lastlogontimestamp.value.HasValue -and (($now-$_.lastlogontimestamp.value).days -gt $daysSinceLastLogon)} | Format-Table Name, LastLogonTimeStamp

Posts: 135 - Registered: 11/4/08
Re: Get-Qaduser command - slightly different results
Posted: Dec 18, 2008 11:02 AM, in response to: Andrey Moiseev ...
Interestingly enough, I thought I had a script all done and found that my command does not return anything when the value of the LastLogonTimeStamp is 0.
I didn't realize it, but the ultimate goal is to get any enabled user who hasn't logged in within a certain number of days or less. What I can't understand is why if the value is Zero when I export it, none of the users with 0 are exported.
Hope this helps you as well since it seems you are somewhat looking for the same thing.
Here is my code :
$now=get-date
$daysSinceLastLogon=60
Get-QADUser -Enabled -sizeLimit 0 |
    where {$_.lastlogontimestamp.value -and (($now-$_.lastlogontimestamp.value).days -gt $daysSinceLastLogon)} |
    Select-Object SamAccountName,@{n="LastLogonTimeStamp";e={$_.LastLogonTimeStamp.value}},WhenCreated,PasswordNeverExpires,AccountExpires,Description |
    Sort-Object LastLogonTimeStamp |
    Export-Csv c:\scripts\60daysorless.csv -NoTypeInformation
EDIT : Actually I just checked in more detail, and this is definitely missing users. I had one with a value of 2002 and it didn't catch it. I can't figure out what selecting this truly does : @{n="LastLogonTimeStamp";e={$_.LastLogonTimeStamp.value}}
I am trying it out taking that piece out and replacing it with LastLogonTimeStamp and I will post as soon as I have some results.
2ND EDIT : It seems that line converts the time to actual date and I still have had no luck. I am still missing some users that it should catch, even with a date. I am wondering if the way my command is structured is also somewhat flaky.
Message was edited by: Doubleplay1

Posts: 135 - Registered: 11/4/08
Re: Get-Qaduser command - slightly different results
Posted: Dec 18, 2008 12:17 PM, in response to: Doubleplay1
I needed a clean space to write in order to bring this up and hope Shay will jump in since I borrowed his code from a different post and he also helped out previously.
I am wondering if this is a bug in get-qaduser or is it the way it is formatted. But, I can now confirm that it is not working and there is something funny about it.
http://powergui.org/message.jspa?messageID=20708
In that post we are supposed to get users who have not logged on in the past 10 days, which seems to work and probably more than 90% of users; but I am producing the same report with a retail utility and it gives me values of lastlogontimestamp of 0 and also other users who meet the criteria, yet the script doesn't.
Now, the question is :
Is this a bug with Get-qaduser or is it the way the code is put together?
Way beyond my knowledge, I just figured I would throw it out there!
Thanks again and I hope the original poster is watching the thread!

Posts: 135 - Registered: 11/4/08
Re: Get-Qaduser command - slightly different results
Posted: Dec 19, 2008 6:29 AM, in response to: Shay Levy
So, here is my original code and let's see how we can make this work perfectly!
$now=get-date
$daysSinceLastLogon=60
Get-QADUser -Enabled -sizeLimit 0 |
    where {$_.lastlogontimestamp.value -and (($now-$_.lastlogontimestamp.value).days -gt $daysSinceLastLogon)} |
    Select-Object SamAccountName,@{n="LastLogonTimeStamp";e={$_.LastLogonTimeStamp.value}},WhenCreated,PasswordNeverExpires,AccountExpires,Description |
    Sort-Object LastLogonTimeStamp |
    Export-Csv c:\scripts\new.csv -NoTypeInformation
That above is the original code. It is supposed to report back with any users who have not logged on within the past 60 days. Currently, it is working probably about 90% of the time as I mentioned before. No users with values of "0" and also still missing some users with actual dates.
The only problem I am having with Aleksandar's workaround is that it doesn't pipe correctly ( meaning I place a pipe and I get nothing back! ) , I would like to implement it in this code to be able to see if this fixes my report and hopefully help the original poster as well!
This is how I tried but it gave me errors.
$limit = (get-date).AddDays(-60).ToFileTime()
$filter = "(&(objectcategory=user)(|(lastLogonTimestamp<=$limit)(!(lastLogonTimestamp=*))))"
$inactiveusers = Get-QADuser -ldapFilter $filter -sizelimit 0 |
    select-object SamAccountName,@{l="LastLogonTimeStamp";e={if($_.lastLogonTimestamp -ne $null){[DateTime]::FromFileTime([Int64]::Parse($_.lastLogonTimestamp))}} } |
    Export-Csv c:\scripts\inactiveusers.csv -NoTypeInformation
As always, Thanks!
P.S-> I hope Quest fixes this soon, these cmdlets rock! I am just wary since bugs like this make me hesitant to trust them yet.

Posts: 1,919 - Registered: 1/31/08
Re: Get-Qaduser command - slightly different results
Posted: Dec 19, 2008 7:17 AM, in response to: Doubleplay1
Hi Tony, let's test it one command at a time.
First, since you are using Get-QADUser there is no need to specify objectcategory in the ldap filter, you can remove it.
Now, do you get your expected output? If so, format the results and see if LastLogonTimeStamp needs to be resolved using Aleksandar's workaround, also check that LastLogonTimeStamp is not null for any of the returned objects.
$limit = (get-date).AddDays(-60).ToFileTime()
$filter = "(|(lastLogonTimestamp<=$limit)(!(lastLogonTimestamp=*)))"
Get-QADuser -ldapFilter $filter -sizelimit 0 | select SamAccountName,lastLogonTimestamp
Oh...just spotted that, you're using the Label (aliased 'l') key name to create a calculated property where you need to use 'Name' (aliased 'n'). 'l' is to be used in format-* and 'n' for select-object. So try to change it to 'n' and test again ;-)
Shay Levy [MVP]
http://blogs.microsoft.co.il/blogs/ScriptFanatic
PowerShell Toolbar

Posts: 135 - Registered: 11/4/08
Re: Get-Qaduser command - slightly different results
Posted: Dec 22, 2008 3:52 PM, in response to: Shay Levy
Shay, I still get absolutely nothing back by doing that. I don't understand why this is so hard to modify from the original code. Is this something normal Shay?

Posts: 135 - Registered: 11/4/08
Re: Get-Qaduser command - slightly different results
Posted: Dec 24, 2008 5:50 AM, in response to: Shay Levy
Windows 2003 domain.
Do you think that what I am trying to do is probably "safer" to do it either in straight powershell (rather than quest) or maybe even VBS? The reason is the script cannot miss any accounts, if not what is the point of trying to audit via a script if you can't trust it?
Thanks Shay.
EDIT : I have another question : Is the bug of QAD-user the way it displays time or is it the fact that it is missing some users when it searches? I am trying to figure out why formatting would cause it to miss some users.
Message was edited by: Doubleplay1

Posts: 1,919 - Registered: 1/31/08
Re: Get-Qaduser command - slightly different results
Posted: Dec 24, 2008 6:13 AM, in response to: Doubleplay1
Can you test this version:
$limit = (get-date).AddDays(-60).ToFileTime()
$filter = "(lastLogonTimestamp=*)(lastLogonTimestamp<=$limit)"
$lastLogon = @{n="LastLogonTimeStamp";e={[DateTime]::FromFileTime([Int64]::Parse($_.lastLogonTimestamp))}}
Get-QADuser -ldap $filter -size 0 | select SamAccountName,$lastLogon
As for PowerGUI vs plain PowerShell or VBScript, I would stick to Get-QADUser. You can always double check your code using other technologies but QAD cmdlets are my first choice.
The environment in which I'm testing the script is not in 2003 mode thus LastLogonTimeStamp is not supported :(
The bug relates to the LastLogonTimeStamp attribute formatting only.
Shay Levy [MVP]
http://blogs.microsoft.co.il/blogs/ScriptFanatic
PowerShell Toolbar

Posts: 135 - Registered: 11/4/08
Re: Get-Qaduser command - slightly different results
Posted: Dec 24, 2008 6:59 AM, in response to: Shay Levy
I just tested this, and I see results but also with some errors :
-----BEGIN----------------
jsmith
Exception calling "Parse" with "1" argument(s): "Input string was not in a correct format."
At :line:3 char:56
+ $lastLogon = @{n="LastLogonTimeStamp";e={[DateTime]::Fro <<<< mFileTime([Int64]::Parse($_.lastLogonTimestamp))}}
------END---------------
For each user reproduced, there is the name and then the exception below.
On another note, if the bug is in the formatting why would it be missing some users? Does that make any sense? Because some of the users that are missed have correct dates not just empty values or zero.
Just thought I would note that, in case we are on to another bug.
Thanks as always!
EDIT: FYI : After looking at it in powergui there is a red squiggly line right under the "o" in "FromFileTime"
Message was edited by: Doubleplay1

Posts: 1,919 - Registered: 1/31/08
Re: Get-Qaduser command - slightly different results
Posted: Dec 24, 2008 7:10 AM, in response to: Doubleplay1
Ok, let's try without formatting lastLogonTimestamp, what do you get for the below in the lastLogonTimestamp column, maybe we should exclude users with value of '0':
$limit = (get-date).AddDays(-60).ToFileTime()
$filter = "(lastLogonTimestamp=*)(lastLogonTimestamp<=$limit)"
Get-QADuser -ldap $filter -size 0 | select SamAccountName,lastLogonTimestamp
Shay Levy [MVP]
http://blogs.microsoft.co.il/blogs/ScriptFanatic
PowerShell Toolbar

Posts: 135 - Registered: 11/4/08
Re: Get-Qaduser command - slightly different results
Posted: Dec 24, 2008 8:00 AM, in response to: Shay Levy
Ok Shay, this has no errors but LastLogonTimeStamp is in a format which cannot be sorted in a csv.
i.e : Wednesday, September 12, 2007
Also, I tried running get-qaduser against a user which I know has a value of zero and for that user powergui returns a value of Never instead of 0. All I can assume is that both programs see the fact the user has never logged on just reported differently.
Shay, let's see if we can figure this one out. With the retail program, I can pull some logon times and they show some in the past.
For example it might say they logged on back in 2003, yet when I pull it from Powershell/Powergui/Get-qaduser it shows up as Never.
Would there be a reason for this? Is there a way to find out which server Powergui is using to grab the data from? I am sorry I have so many questions, but I like to brainstorm when things aren't going right. Furthermore, I keep trying new things to find out exactly where we are failing and how it is failing.
Now, is there a way to report all users with the LastLogonTimeStamp of never, I truly believe this will solve my problems and the script will be perfect!!
Thanks!
Message was edited by: Doubleplay1

Posts: 1,919 - Registered: 1/31/08
Re: Get-Qaduser command - slightly different results
Posted: Dec 24, 2008 8:42 AM, in response to: Doubleplay1
You can force the command to run against a specific dc:
Get-QADUser -dc dcName
-dc is an alias for -Service parameter.
As for results that show 'Never', usually it is a custom display name that QAD generates and you probably can get the raw value by specifying the value member, as in:
$obj.LastLogonTimeStamp.value
You can see what I mean if you pipe $obj.LastLogonTimeStamp to get-member or even pipe it to format-*.
Try this:
Get-QADuser -ldap $filter -size 0 | where {$_.lastLogonTimestamp.value } | select samaccountname,@{n="lastLogonTimestamp";e={$_.lastLogonTimestamp.value}}
Shay Levy [MVP]
http://blogs.microsoft.co.il/blogs/ScriptFanatic
PowerShell Toolbar
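
An added example, not code from any poster in this thread: it classifies raw lastLogonTimestamp values so that unset, zero and non-numeric values are reported instead of dropped, which is the failure mode the thread keeps hitting. It runs on constructed sample records rather than calling Get-QADUser; Get-StaleFilter and Get-LogonState are hypothetical helper names, and [pscustomobject] assumes PowerShell 3.0 or later.

```powershell
# Added example. The sample records are constructed, not real directory output.
function Get-StaleFilter {
    param([int]$Days, [datetime]$Now = (Get-Date))
    $limit = $Now.AddDays(-$Days).ToFileTime()
    # OR of "older than the limit" (this also matches 0) and "attribute not set".
    "(|(lastLogonTimestamp<=$limit)(!(lastLogonTimestamp=*)))"
}

function Get-LogonState {
    param($RawValue, [int]$Days, [datetime]$Now = (Get-Date))
    $text = [string]$RawValue          # $null becomes ''
    if ($text -eq '') { return 'NeverLoggedOn' }
    [long]$fileTime = 0
    # TryParse avoids the "Input string was not in a correct format" exception
    # that [Int64]::Parse throws on display strings such as 'Never'.
    if (-not [long]::TryParse($text, [ref]$fileTime)) { return 'Unparsed' }
    if ($fileTime -le 0) { return 'NeverLoggedOn' }
    $last = [DateTime]::FromFileTime($fileTime)
    if (($Now - $last).Days -gt $Days) { 'Stale' } else { 'Active' }
}

$now = [datetime]'2008-12-24'
$sample = @(
    [pscustomobject]@{ Sam = 'active1'; Raw = ([datetime]'2008-12-20').ToFileTime() }
    [pscustomobject]@{ Sam = 'stale1';  Raw = ([datetime]'2007-09-12').ToFileTime() }
    [pscustomobject]@{ Sam = 'zero1';   Raw = 0 }
    [pscustomobject]@{ Sam = 'unset1';  Raw = $null }
    [pscustomobject]@{ Sam = 'text1';   Raw = 'Never' }
)

# The LDAP filter that would select the stale and never-set accounts server-side.
Get-StaleFilter -Days 60 -Now $now

# Every record gets a state, so nothing is silently dropped the way a
# truthiness test such as  where { $_.Raw -and ... }  drops $null and 0.
$sample | Select-Object Sam, @{ n = 'State'; e = {
    Get-LogonState -RawValue $_.Raw -Days 60 -Now $now } } |
    Where-Object { $_.State -ne 'Active' }
```

Against a live directory the string from Get-StaleFilter would be passed to the -ldapFilter parameter used in the posts above, and any 'Unparsed' row calls for a manual look rather than exclusion from the audit.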