Your network contains an Active Directory domain named adatum.com. The domain contains several thousand
member servers that run Windows Server 2012. All ofthe computer accounts for the member servers are in an
organizational unit (OU) named ServersAccounts.
Servers are restarted only occasionally.
You need to identify which servers were restarted during the last two days.
What should you do?
A.
Run dsquery computer and specify the -stalepwd parameter
B.
Run dsquery server and specify the -o parameter.
C.
Run Get-ADComputer and specify the lastlogon property.
D.
Run Get-ADComputer and specify the SearchScope parameter
Explanation:
A: dsquery computer -stalepwdnumber_of_days – Searches for all computers that have not changed
theirpassword for the specified number_of_days. B: dsquery server -o {dn | rdn | samid} – Specifies the format
in which the list of entries found by the search willbe displayed: dn distinguished name of each entry , default;
rdn relative distinguished name of each entry;
samid SAM account name of each entry computer groupserver user; upn user principal name of each
entryuser
C: Gets one or more Active Directory computers lastLogondate should be used D: SearchScope specifies the
scope of an Active Directory search. Possible values for this parameter are:
Base or 0; OneLevel or 1; Subtree or 2 – A Base query searches only the current path or object.
AOneLevelquery searches the immediate children of that path or object. A Subtree query searches the current
path orobject and all children of that path or object.
http://technet.microsoft.com/en-us/library/ee617192.aspx http://technet.microsoft.com/en-us/library/cc732952
(v=ws.10).aspx
c
I don’t see how any of these are correct. Answer C seems to be the least worst option. LastLogon is not the last time the server was restarted.
[PS] C:\$d = [DateTime]::Today.AddDays(-2); Get-ADComputer -Filter ‘LastLogon -ge $d’ -Properties LastLogon | FT Name,@{N=’LastLogon’; E={[DateTime]::FromFileTime($_.LastLogon)}}
Name LastLogon
—- ———
W219696VMDC2016 1/9/2015 11:25:04 AM
[PS] C:\Get-CimInstance -ComputerName w219696vmdc2016 -ClassName win32_operatingsystem | select csname,
lastbootuptime
csname lastbootuptime
—— ————–
W219696VMDC2016 11/29/2014 3:22:23 AM
The LastLogon time of the computer object will show you the last time the computer object successfully logged into the domain, which would show you the last time it came up from a reboot.
Disagree with FF.
If you run command to find out system boot time, you will see it is different to the result you get from lastlogondate
c:>systeminfo | find “Time:”
The LastLogon is the last time when somebody logon the server with domain account. If the server did not reboot in last 2 days, but somebody did logon in last 2 days, it would still show the date in last 2 days. How can you tell the difference?
Agreed with your disagreement, Hanson. Further to Mitchell, here is my script to find out the last boot up time for all servers:
$servers = Invoke-Command -cn -cred $cred -script {import-module ActiveDirectory; Get-ADComputer -LDAPFilter “(&(objectcategory=computer)(OperatingSystem=*server*))”}
Foreach ($s in $servers) { Get-CimInstance -ComputerName $.name -ClassName win32_operatingsystem | select csname, lastbootuptime}
**tested in my environment**
lastLogon is the last time that an account (user or computer) has checked into a particular DC. lastLogon is a per-DC property so it isn’t replicated.
All server are in AD domain, so when a server reboot, you can see it with lastlogon proprty
Get-ADComputer -identity SRV1 -Properties * | FT Name, LastLogonDate
Get-ADComputer -SearchBase ‘OU=ServersAccounts,DC=Adatum,DC=com’ -Filter * -Properties * | FT Name, LastLogonDate
I’m sure all that stuff about lastlogon is wrong. The property I remember is lastLogonTimestamp which records when the computer authenticates to the domain. This happens when the computer boots and also when it changes its password, every 30 days by default for a member server. I don’t remember any property of the computer object in AD which records when a user logged onto the server, presumably interactively.