Table 1: Three Ways of Checking for Stale Accounts

| AD Attribute | Command Line Parameter | Description |
|---|---|---|
| lastLogon | /lastlogon | StaleAccounts.js uses the LastLogin attribute (which is derived from the lastLogon attribute) to determine when an account is stale. Because this attribute is not replicated, each domain controller stores its own copy, so StaleAccounts.js connects to every domain controller in the domain, reads the LastLogin value from each one, and reports the most recent time. This method is slow but precise; it works on Windows 2000 and later domains, and it also lists the last logon server. |
| lastLogonTimestamp | /lastlogontimestamp | StaleAccounts.js uses the lastLogonTimestamp attribute to determine when an account is stale. This attribute is replicated, but it may be inaccurate by up to fourteen days or more (depending on the attribute's replication schedule). In addition, since the lastLogonTimestamp attribute is stored as a 64-bit integer, some precision may be lost when converting it to a 32-bit number, resulting in an approximate value. This method requires Windows Server 2003 or later forest functional level, and it does not list the last logon server. |
| pwdLastSet | /pwdlastset | StaleAccounts.js uses the PasswordLastChanged attribute (which is derived from the pwdLastSet attribute) to determine when an account is stale. |
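The lastLogon row above is the one that needs per-domain-controller work. As an added example that is not code from StaleAccounts.js, the block below takes lastLogon readings from several domain controllers (constructed sample data; the DC names, dates and the `isStale` threshold are assumptions), rebuilds the 64-bit FILETIME exactly with BigInt, keeps the most recent value together with the DC that recorded it, and shows how many low-order ticks a plain Number would lose.

```javascript
// Added example (not StaleAccounts.js itself): lastLogon is not replicated, so it
// must be read from every domain controller and the newest value kept. ADSI hands
// it back as an IADsLargeInteger (signed 32-bit HighPart/LowPart) holding a
// FILETIME: 100-nanosecond ticks since 1601-01-01 UTC. BigInt keeps all 64 bits.

const FILETIME_EPOCH_DIFF_MS = 11644473600000n; // ms from 1601-01-01 to 1970-01-01

// Rebuild the exact 64-bit value; LowPart arrives signed, so mask it to unsigned.
function largeIntegerToBigInt(highPart, lowPart) {
  return (BigInt(highPart) << 32n) + (BigInt(lowPart) & 0xffffffffn);
}

// FILETIME -> Date; 0 means this DC has never seen the account log on.
function fileTimeToDate(ft) {
  return ft === 0n ? null : new Date(Number(ft / 10000n - FILETIME_EPOCH_DIFF_MS));
}

// Ticks lost if the same value were squeezed into a JavaScript Number (a double).
function ticksLostAsNumber(ft) {
  return ft - BigInt(Number(ft));
}

// readings: [{ dc, highPart, lowPart }], one entry per DC queried. Returns the
// newest logon and the DC that recorded it (the "last logon server").
function latestLogon(readings) {
  let best = { dc: null, ft: 0n };
  for (const r of readings) {
    const ft = largeIntegerToBigInt(r.highPart, r.lowPart);
    if (ft > best.ft) best = { dc: r.dc, ft };
  }
  return { dc: best.dc, lastLogon: fileTimeToDate(best.ft) };
}

// Stale if never logged on anywhere, or idle longer than maxIdleDays (assumed policy).
function isStale(lastLogon, now, maxIdleDays) {
  if (lastLogon === null) return true;
  return (now - lastLogon) / 86400000 > maxIdleDays;
}

// Constructed sample data: produce the HighPart/LowPart pair ADSI would return.
function toLargeInteger(date) {
  const ft = (BigInt(date.getTime()) + FILETIME_EPOCH_DIFF_MS) * 10000n;
  return { highPart: Number(ft >> 32n), lowPart: Number(ft & 0xffffffffn) | 0 };
}
const SAMPLE_READINGS = [
  { dc: 'DC1', ...toLargeInteger(new Date('2024-01-10T08:00:00Z')) },
  { dc: 'DC2', ...toLargeInteger(new Date('2024-01-25T17:30:00Z')) },
  { dc: 'DC3', highPart: 0, lowPart: 0 }, // account never authenticated here
];

const result = latestLogon(SAMPLE_READINGS);
console.log(result.dc, result.lastLogon.toISOString(),
  isStale(result.lastLogon, new Date('2024-03-01T00:00:00Z'), 30) ? 'stale' : 'active');
```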