How to determine True Last Logon in Active Directory?
Hello Forum. I would like to know what is the best way to determine the True Last Logon time in Active Directory, on domain user and computer accounts? I need to find a list of stale computer accounts in our AD and am trying to find an efficient and reliable way to do this.
I recently took over the management of the AD of a small company that our organization acquired, and am generally doing some security analysis for clean up and maintenance.
I would also like to find out how many users may have failed a logon in the last 7 days, so any input on that would also be helpful. I believe that one needs to query all DCs in the domain to get these values, and I need to generate a report to show all stale accounts.
Hello. I think you basically have 3 basic choices when it comes to determining True Last Logon values in Active Directory -
1. You can use the LastLogonTimeStamp value in Active Directory, but as you may know it is only accurate for values that are more than 14 days old.
2. You can write a script to query this value from all Domain Controllers in the domain, then make the comparisons and output the values. The problem with this is that you have to write and maintain your own scripts, and that can be a little time consuming.
3. You can use an automated tool to determine True Last Logon values, including values that are less than 14 days old (e.g. all true last logons in last 7 days etc.)
Good luck with your project, and I hope this helps.
Antoine
__________________
Judge a man by his questions rather than by his answers
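
Option 2 in the answer above (query every Domain Controller and keep the newest value), written in PowerShell as an added example that is not part of the original thread. It assumes the ActiveDirectory module is installed and that the account running it can read the non-replicated `lastLogon` attribute on each DC; the function name `Get-TrueLastLogon` and the 90-day stale threshold are hypothetical choices.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TrueLastLogon {   # hypothetical helper name
    param(
        [ValidateSet('Computer', 'User')]
        [string]$ObjectType = 'Computer',
        [int]$StaleDays = 90   # assumed threshold; set it to your own policy
    )
    $latest = @{}        # DistinguishedName -> newest lastLogon (FILETIME) seen on any DC
    $names = @{}         # DistinguishedName -> display name
    $unreachable = @()   # DCs that could not be queried

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # lastLogon is not replicated, so each DC is asked for its own copy.
            $objects = & "Get-AD$ObjectType" -Filter * -Properties lastLogon `
                -Server $dc.HostName -ErrorAction Stop
        } catch {
            $unreachable += $dc.HostName
            continue
        }
        foreach ($o in $objects) {
            $dn = $o.DistinguishedName
            $stamp = [long]$o.lastLogon   # unset attribute becomes 0
            if (-not $latest.ContainsKey($dn) -or $stamp -gt $latest[$dn]) {
                $latest[$dn] = $stamp
                $names[$dn] = $o.Name
            }
        }
    }
    if ($unreachable) {
        # A DC that was skipped may hold the newest value, so results can read too old.
        Write-Warning "No data from: $($unreachable -join ', ')"
    }
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)
    foreach ($dn in $latest.Keys) {
        $when = if ($latest[$dn] -gt 0) { [DateTime]::FromFileTimeUtc($latest[$dn]) } else { $null }
        [PSCustomObject]@{
            Name              = $names[$dn]
            DistinguishedName = $dn
            LastLogonUtc      = $when            # $null = never logged on to any queried DC
            Stale             = (-not $when) -or ($when -lt $cutoff)
        }
    }
}
```

Piping the output through `Where-Object Stale` gives the stale-account list for a report; treat that list as provisional whenever the warning about unreachable DCs appears.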