Jerald.Net
A little VB.Net, SQL, and whatever else comes to mind...

More LDAP Queries: Accounts never logged in

In continuing to audit a network, I found that the number of accounts in Active Directory matched neither the employee records nor the previous asset records.

Comparing lastLogonTimeStamp against an interval value finds accounts that have not logged on in a specific time period, but it does not find accounts that have never logged on, because the attribute is not set on them. The following queries find enabled accounts that have never logged on:

  • (&(objectCategory=Computer)(!(lastLogonTimeStamp=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  • (&(objectCategory=User)(!(lastLogonTimeStamp=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
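
The following is an added example, not code from the original post: it mirrors the clauses of the queries above against a few constructed entries, to show why an interval comparison on lastLogonTimeStamp skips accounts where the attribute is absent. The function names, sample accounts and cutoff date are assumptions made for the illustration, and the filter string is built in the strictly parenthesized RFC 4515 form `(!(attr=*))`.

```python
from datetime import datetime, timezone

ACCOUNTDISABLE = 0x2                 # userAccountControl bit tested by ":=2"
BIT_AND = "1.2.840.113556.1.4.803"   # bitwise-AND matching rule used on the page
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def never_logged_on_filter(category):
    """The page's query for 'User' or 'Computer', in strict RFC 4515 form."""
    return (f"(&(objectCategory={category})(!(lastLogonTimeStamp=*))"
            f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))")

def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601-01-01 UTC (unit of lastLogonTimeStamp)."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def enabled(entry):
    """Mirror of (!(userAccountControl:...:=2)): ACCOUNTDISABLE bit is clear."""
    return (int(entry["userAccountControl"]) & ACCOUNTDISABLE) == 0

def stale(entry, cutoff):
    """Mirror of (lastLogonTimeStamp<=cutoff): an absent attribute never matches."""
    ts = entry.get("lastLogonTimeStamp")
    return ts is not None and int(ts) <= cutoff

def never_logged_on(entry):
    """Mirror of (!(lastLogonTimeStamp=*)): the attribute is not set at all."""
    return "lastLogonTimeStamp" not in entry

def audit(entries, cutoff):
    """Return (stale, never logged on) account names among enabled entries."""
    live = [e for e in entries if enabled(e)]
    return ([e["sAMAccountName"] for e in live if stale(e, cutoff)],
            [e["sAMAccountName"] for e in live if never_logged_on(e)])

def day(y, m, d):
    return to_filetime(datetime(y, m, d, tzinfo=timezone.utc))

# Constructed sample entries, not real directory data. 512 = normal account,
# 514 = normal account with the ACCOUNTDISABLE bit set.
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "lastLogonTimeStamp": day(2005, 8, 1)},
    {"sAMAccountName": "bob", "userAccountControl": 512, "lastLogonTimeStamp": day(2004, 1, 15)},
    {"sAMAccountName": "newhire", "userAccountControl": 512},
    {"sAMAccountName": "oldtemp", "userAccountControl": 514},
]
CUTOFF = day(2005, 5, 1)  # constructed cutoff for the interval check

if __name__ == "__main__":
    print(never_logged_on_filter("User"))
    print(audit(SAMPLE, CUTOFF))
```

Running both checks in one audit pass gives the full list of enabled accounts to reconcile against employee and asset records.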

Posted Aug 17 2005, 09:30 AM by Jerald Carter
© Jerald Carter 1999 - 2008