Hi again,
I'm a bit confused now.
Do you want to exclude reporting on userids which has been su'ed to?
In this case your report is indeed fine.
The "time_last_login" value of a user doesn't reflect su'ing to that user. Successful use of su resets the "unsuccessful_login_count" attribute only if the user's rlogin and login attributes are both set to false.
Of course the last login time of the user who issued "su" is recorded.
If you want to report on "su" use you will have to examine /var/adm/sulog. The drawback with that file is that the date is contained in mm/dd hh:mm format - that's not seconds since epoch, and there is no year!
Anyway - your script is a real nice thing - I can't see anything wrong with it!
wmp