How to use SCOM 2007 R2 to see AD Computer last logon


Can I use SCOM 2007 R2 to see Computers last logon from Active Directory?
I have 4 domain controllers that need to be replicated.

I know that I can use other programs like http://www.dovestones.com/products/True_Last_Logon.asp but I would like to use SCOM if possible.

Best Answer

There are two things that you might be looking for. To get a definitive answer for a computer account or a user account in any Active Directory you need to poll all Domain controllers and pick the most recent value reported for LastLogon because that is an AD attribute that is never replicated between DC's. That is what True Last Logon is doing.

For Computer accounts you can take a bit of a shortcut if absolute accuracy is not required - e.g. if you are looking to clean up old and unused computer accounts. All AD joined computers automatically change their machine account password every 30 days ( or every 7 days for Windows Vista\W2K8 or newer). This means that the PasswordLastChanged attribute will be modified for an active machine on a regular basis - this attribute is replicated to all DC's so a single query can be used to figure it out.

For user accounts this is not true, so you have to query all DC's for LastLogon. If you have a newer AD infrastructure at Windows 2003 or Windows 2008 functional level there are some newer attributes that can provide alternatives that may be useful.

When operating in Server 2008 Functional level the following object attributes are available:

msDS-LastSuccessfulInteractiveLogonTime
msDS-LastFailedInteractiveLogonTime

This isn't actually turned on by default - to enable it you need to enable the following for a GPO that your Domain Controllers belong to.

Computer Configuration| Policies | Administrative Templates | Windows Components | Windows Logon Options | Display information about previous logons during user logon = Enabled

There is some more information in this Technet Article.

When operating in Server 2003 Functional level or newer the following object attribute is available:

LastLogontimeStamp

Unfortunately LastLogonTimeStamp is only replicated by default on a cycle that randomly varies between 9 and 19 days (to eliminate excessive traffic in large environments) and that cannot be changed to anything faster than 1 day to the best of my knowledge.

On all other AD's the only relevant attribute is the aforementioned LastLogon. Unfortunately this is never replicated so if you want to use it you have to poll all DC's in your domain and then pick the most recent logon time from the values returned.
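As an added example (not code from the original answer, from SCOM, or from the True Last Logon product), the following PowerShell does what the answer describes: it queries every domain controller in the domain for the non-replicated lastLogon value and keeps the newest one, and reads the replicated lastLogonTimestamp and pwdLastSet (the LDAP name of the attribute the answer calls PasswordLastChanged) from a single DC for comparison. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the caller has read access to all DCs; the function name Get-TrueLastLogon and the account names jdoe and WS01$ in the usage lines are placeholders.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory
# PowerShell module (RSAT, Windows Server 2008 R2 or newer) and a reachable domain.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    <#
      Returns the most recent lastLogon for one account across every DC in the
      domain (lastLogon is never replicated, so a single DC is not enough),
      alongside the replicated approximations mentioned in the answer.
      For a computer account pass the sAMAccountName with its trailing '$', e.g. 'WS01$'.
    #>
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $ldapFilter = "(sAMAccountName=$SamAccountName)"
    $newest     = [DateTime]::MinValue
    $reportedBy = $null
    $unreached  = @()

    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain)) {
        try {
            # -Server pins the read to this DC so we get its local, unreplicated lastLogon.
            $obj = Get-ADObject -Server $dc.HostName -LDAPFilter $ldapFilter -Properties lastLogon
        } catch {
            # An unreachable DC means the answer may be stale: record it rather than fail.
            $unreached += $dc.HostName
            continue
        }
        # lastLogon is a FILETIME; 0 or missing means "never logged on through this DC".
        if ($obj -and $obj.lastLogon) {
            $t = [DateTime]::FromFileTime($obj.lastLogon)
            if ($t -gt $newest) { $newest = $t; $reportedBy = $dc.HostName }
        }
    }

    # The replicated attributes can be read from any single DC.
    $rep = Get-ADObject -Server $Domain -LDAPFilter $ldapFilter -Properties lastLogonTimestamp, pwdLastSet

    $lastLogon = $null
    if ($reportedBy) { $lastLogon = $newest }

    # Replicated, but lags by up to the randomised 9-19 day interval described above.
    $lastLogonTs = $null
    if ($rep -and $rep.lastLogonTimestamp) { $lastLogonTs = [DateTime]::FromFileTime($rep.lastLogonTimestamp) }

    # For computer accounts this rolls every 30 days (7 for Vista/2008 and newer),
    # so a value much older than that points at a stale machine account.
    $pwdLastSet = $null
    if ($rep -and $rep.pwdLastSet) { $pwdLastSet = [DateTime]::FromFileTime($rep.pwdLastSet) }

    [PSCustomObject]@{
        Account            = $SamAccountName
        LastLogon          = $lastLogon
        ReportedBy         = $reportedBy
        LastLogonTimestamp = $lastLogonTs
        PasswordLastSet    = $pwdLastSet
        UnreachableDCs     = $unreached
    }
}

# Usage (placeholder account names): a user account and a computer account.
Get-TrueLastLogon -SamAccountName 'jdoe'
Get-TrueLastLogon -SamAccountName 'WS01$'
```

If UnreachableDCs is non-empty, treat LastLogon as a lower bound only: the DC that was not queried may hold a newer value, which is exactly the problem the answer describes with LastLogon not being replicated.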
