Re: Hyena inacurate or at best different from DSQUERY results

It would be nice if Microsoft documented the underlying mechanisms they use in their utilities. The DsQuery command switch you use uses the AD attribute 'lastlogontimestamp'. You may have to add this field manually to your query as its relatively new. Then, the results should line up. The lastlogon attribute is not replicated between domain controllers. You can get more information on the timestamp attribute here:
http://blog.joeware.net/2007/05/01/864/

Re: Hyena inacurate or at best different from DSQUERY results

I also used Exporter Pro to produce the same report (this pulls from all DC's) and got slightly different results from the prior Hyena list, but Hyena and dsquery still differ.

Hyena says there are 90 machine accounts that are >7months old and dsquery says there are only 42.

Re: Hyena inacurate or at best different from DSQUERY results

Additionally, I'm using the password last changed attribute, not the last logon attribute to determine if a machine account is "safe to delete" due to it being inactive.

I read the Joeware post and don't see how that applies. Can you expand on what you're suggesting I try?

Bottom line is that I need to accurately determine the last time a machine account changed it's password.
thanks

Re: Hyena inacurate or at best different from DSQUERY results

What I'm gathering from this is not a discrepancy between Hyena and dsquery, but a discrepancy between data fields that you are looking at. Above it was suggested that dsquery uses the lastlogontimestamp field for the -inactive determination.

To compare apples and apples you would need to add lastlogontimestamp to your query in Hyena to see what it is reporting.

LastLogon, lastlogontimestamp, and pwdlastset all contain different data.

Re: Hyena inacurate or at best different from DSQUERY results

I will be leaving the office in a few minutes, but:

lastlogon is a non-replicated attribute, meaning that it will have a different value on each domain controller. Exporter Pro can either merge them together or report them all separately, but its a time consuming report, which is why Hyena only shows it from the DC that data is coming from.

lastlogontimestamp is replicated, so the information is usually fairly up to date.

pwdlastset I think is replicated and shows the last time the machine changed its password. I don't know what the relationship is between pwdlastset and lastlogontimestamp for machine accounts.

You might be able to google the two and see if there are any articles on it. But there might be a reason that dsquery uses lastlogontimestamp, assuming that information is correct.