There is a problem with Windows 2000 domain controllers in that they do not
replicate the last logged on timestamp. If you have a Windows XP Pro
computer in the domain you can install adminapk for Windows 2003 on it and
use the AD command line tools such as "dsquery user -inactive" to find
inactive accounts but you would have to do such on each domain controller to
get final results. A user may show as never being logged on by a domain
controller that is never used to authenticate him. There may be scripted
solutions to do such for all domain controllers if you have more than a few.
There is also a free tool from Somarsoft called dumpsec that you may want to
try. Though I have not tried it myself with multiple domain controllers
there is an option for "show true last logon time" that is supposed to make
it check all logon servers when you select which which fields to use in
your report for users.--- Steve
http://www.systemtools.com/somarsoft/ --- dumpsec
http://www.microsoft.com/windowsxp/...SXP/home/using/productdoc/en/dsquery_user.asp