I don't think there is a solution. The only other possibility is the
whenChanged attribute, which is not replicated. A different value is save
on
every DC. For any object, if you retrieve the value of whenChanged from
every DC, there is a chance that the most recent value corresponds to when
the object was moved, and the next most recent value to when it was
disabled. However, this will fail if the same DC was used for both events,
and there is no way to tell. There's even the chance that only one DC has
any value for the object. The same goes for the uSNChanged attribute, an
integer8 value updated on the DC when a change is made and not replicated.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
"Greg" <greg@[EMAIL PROTECTED]
> wrote in message
news:%23WGLDkG3IHA.2064@[EMAIL PROTECTED]
> Thanks for your answer, yes I was thinking about it, but unfortunately
all
> the disabled accounts have been moved to a dead objects OU recently so
> obviously this value has been updated....
>
> any other ideas?
>
> thanks again
>
>
> "Richard Mueller [MVP]" <rlmueller-nospam@[EMAIL PROTECTED]
> wrote in
> message news:%23XGmuaG3IHA.784@[EMAIL PROTECTED]
>> Greg wrote:
>>
>>> need to put together a script than re****ts when an account was
disabled,
>>> used ldap browser but I can't find any attributes where this could be
>>> stored....
>>>
>>> any clues ?
>>
>> The modifyTimeStamp attribute would be the date/time when the object
was
>> last changed. If nothing has changed since the account was disabled,
this
>> should be when the account was disabled. The format is GeneralizedTime
>> and the value is replicated. However it is operational (also known as
>> constructed).
>>
>> --
>> Richard Mueller
>> MVP Directory Services
>> Hilltop Lab - http://www.rlmueller.net
>> --
>>
>>
>
>
|
