I am going to be using some DSQUERY/DSMOVE scripts to clean up my AD Domain. One option is to move inactive objects to an OU that has restrictive GPOs applied to it.
Something like:
DSQUERY computer -inactive 10 | DSMOVE -newparent <distinguished name of target OU>
My question is what value defines an object, both user and computer, as "inactive" for a period of time? Is it the last time a computer was logged on to for computer accounts, and for users is it the last time that the user account logged on to a computer?
But what if, say for example, I had a web server that wasn't rebooted and/or logged into for a couple of months but remained powered on and functioning as normal, would it be defined as "inactive" whereas technically it's still serving web pages and so on?
Thanks for the help!
Well, if you run
dsquery user /?
it tells you this.
For computers, it just says 'stale', so we can assume it's the same thing - the amount of time since the domain has seen that computer account get authenticated.
For your hypothetical, I'm sure a powered-on and well-connected computer would not show up as stale. There are things like GPO refresh and Kerberos timeouts that cause activity in the background, and I'm sure those would refresh whatever 'stale' counter exists.
This attribute should be based on lastlogonTimestamp. See the post from Joe (MVP):
"http://technet.microsoft.com/en-us/library/cc725702(WS.10).aspx
dsquery uses the lastLogonTimeStamp attribute. This attribute is only used in Windows Server 2003 DFL mode and is not up to the minute; it will be up to 7 days off by default.
As for Exchange resource mailboxes, there is no guaranteed clean generic way of finding which ones are in use or not. In my real job, I am a high level consultant for a Messaging Services organization, and altogether our teams manage literally millions of mailboxes across many of the largest companies around the world. This is a problem for which we have looked for a guaranteed solution for some time, and there isn't one. You may be able to find something that works locally if you understand how your resource mailboxes are being used... for instance, you may be able to look at tracking logs, and if no mail is coming in or going out, that means they aren't being used. There is a logon attribute for mailboxes, but it gets updated by the local system when it is scanning through mailboxes with AV or other items, and it is also updated when others view calendars or delegated folders.
joe
-- Joe Richards Microsoft MVP Windows Server Directory Services Author of O'Reilly Active Directory Third Edition www.joeware.net "
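To make the lastLogonTimeStamp behaviour discussed above concrete, here is an added example (not from the thread or from any Microsoft tool) that decodes the attribute's FILETIME value and applies the same "-inactive <weeks>" rule, while flagging accounts whose stored value falls inside the replication lag window. The account names, timestamps, and the `slack_days` default are constructed assumptions; the 14-day figure is the default msDS-LogonTimeSyncInterval, which is why the post above describes the value as being days off.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# lastLogonTimestamp is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed "now" for the sample data below.
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Decode a FILETIME integer; 0 (or unset) means no logon was ever recorded."""
    if filetime <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Encode a timezone-aware datetime as FILETIME using exact integer arithmetic."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def days_ago(days: int, now: datetime = SAMPLE_NOW) -> int:
    """Build a constructed lastLogonTimestamp value that is `days` old."""
    return datetime_to_filetime(now - timedelta(days=days))

def classify(filetime: int, weeks: int, now: datetime = SAMPLE_NOW, slack_days: int = 14) -> str:
    """Apply the 'dsquery -inactive <weeks>' rule to one stored lastLogonTimestamp.

    The attribute is rewritten only when the stored value is older than the
    domain's msDS-LogonTimeSyncInterval (14 days by default), so it can lag the
    real last logon by up to slack_days. 'inactive' is reported only when the
    account stays inactive after allowing for that lag.
    """
    last = filetime_to_datetime(filetime)
    if last is None:
        return "never-logged-on"
    stored_age = now - last
    threshold = timedelta(weeks=weeks)
    if stored_age < threshold:
        return "active"
    if stored_age - timedelta(days=slack_days) >= threshold:
        return "inactive"
    return "possibly-inactive"  # inside the lag window: confirm before moving it

def report(weeks: int = 10) -> dict:
    """Classify a constructed set of computer accounts as dsquery -inactive would."""
    sample = {"WEB01": days_ago(100), "FILE02": days_ago(75),
              "LAPTOP03": days_ago(10), "NEW04": 0}
    return {name: classify(ft, weeks) for name, ft in sample.items()}

if __name__ == "__main__":
    for name, state in report().items():
        print(f"{name:10} {state}")
```

The "possibly-inactive" bucket is the practical takeaway: pick a `-inactive` threshold comfortably longer than the sync interval, and review anything near the boundary before moving it into the restricted OU.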