The world's most trusted forum on Active Directory Security
Hello Forum. I would like to know what is the best way to determine the True Last Logon time in Active Directory, on domain user and computer accounts? I need to find a list of stale computer accounts in our AD and am trying to find an efficient and reliable way to do this.
I recently took over the management of the AD of a small company that our organization acquired, and am generally doing some security analysis for clean up and maintenance.
I would also like to find out how many users may have failed a logon in the last 7 days, so any input on that would also be helpful. I believe that one needs to query all DCs in the domain to get these values, and I need to generate a report to show all stale accounts.
Thanks for your assistance.
Bonjour. I think you basically have 3 basic choices when it comes to determining True Last Logon values in Active Directory -
1. You can use the LastLogonTimeStamp value in Active Directory, but as you may know it is only accurate for values that are more than 14 days old.
2. You can write a script to query this value from all Domain Controllers in the domain, then make the comparisons and output the values. The problem with this is that you have to write and maintain your own scripts, and that can be a little time consuming.
3. You can use an automated tool to determine True Last Logon values, including values that are less than 14 days old (e.g. all true last logons in the last 7 days etc.)
Good luck with your project, and I hope this helps.
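The script below is an added example illustrating option #2 above; it is not code from this thread, and not from any product mentioned in it. It queries every domain controller for the non-replicated lastLogon attribute (and, for the failed-logon question, the equally non-replicated badPasswordTime and badPwdCount), keeps the newest value per account, and compares it against the replicated lastLogonTimestamp, which is only refreshed when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default, less a random offset). It assumes the RSAT ActiveDirectory PowerShell module and an account that can read these attributes; the parameter names (StaleDays, FailedLogonDays, Scope, OutputCsv) and the script file name are my own choices, not anything the thread specifies.

```powershell
<#
 Added example (not the forum's or any vendor's code): True Last Logon by
 querying every DC for non-replicated attributes and keeping the newest value.
 Assumes the RSAT ActiveDirectory module. Parameter names are assumptions.
#>
param(
    [int]$StaleDays = 90,                                         # "stale" threshold
    [int]$FailedLogonDays = 7,                                    # failed-logon window
    [ValidateSet('Users','Computers','Both')][string]$Scope = 'Both',
    [string]$OutputCsv = '.\TrueLastLogon.csv'
)

Import-Module ActiveDirectory -ErrorAction Stop

# lastLogon / lastLogonTimestamp / badPasswordTime are 64-bit FILETIME values; 0 means "never".
function ConvertFrom-FileTime([Int64]$ft) {
    if ($ft -le 0) { return $null }
    return [DateTime]::FromFileTime($ft)   # local time, to match whenCreated from Get-AD*
}

$props  = 'lastLogon','lastLogonTimestamp','badPasswordTime','badPwdCount','whenCreated'
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$failed = New-Object System.Collections.Generic.List[string]
$acct   = @{}   # DistinguishedName -> accumulated record across all DCs

foreach ($dc in $dcs) {
    $objs = @()
    try {
        if ($Scope -ne 'Computers') { $objs += Get-ADUser     -Filter * -Server $dc -Properties $props }
        if ($Scope -ne 'Users')     { $objs += Get-ADComputer -Filter * -Server $dc -Properties $props }
    } catch {
        # An unreachable DC makes the result incomplete; record it rather than silently skipping.
        $failed.Add("${dc}: $($_.Exception.Message)")
        continue
    }
    foreach ($o in $objs) {
        $dn = $o.DistinguishedName
        if (-not $acct.ContainsKey($dn)) {
            $acct[$dn] = [pscustomobject]@{
                SamAccountName     = $o.SamAccountName
                Type               = $o.ObjectClass
                Enabled            = $o.Enabled
                WhenCreated        = $o.whenCreated
                LastLogonTimestamp = ConvertFrom-FileTime $o.lastLogonTimestamp  # replicated, same on every DC
                TrueLastLogon      = $null
                LastLogonDC        = $null
                LastBadPassword    = $null
                BadPasswordDC      = $null
                BadPwdCount        = 0
            }
        }
        $r  = $acct[$dn]
        $ll = ConvertFrom-FileTime $o.lastLogon
        if ($ll -and (-not $r.TrueLastLogon -or $ll -gt $r.TrueLastLogon)) {
            $r.TrueLastLogon = $ll; $r.LastLogonDC = $dc
        }
        $bp = ConvertFrom-FileTime $o.badPasswordTime
        if ($bp -and (-not $r.LastBadPassword -or $bp -gt $r.LastBadPassword)) {
            $r.LastBadPassword = $bp; $r.BadPasswordDC = $dc
        }
        # badPwdCount is per DC and bad passwords are also forwarded to the PDC emulator,
        # so summing would double count; keep the maximum seen.
        if ([int]$o.badPwdCount -gt $r.BadPwdCount) { $r.BadPwdCount = [int]$o.badPwdCount }
    }
}

$now       = Get-Date
$staleDate = $now.AddDays(-$StaleDays)
$failDate  = $now.AddDays(-$FailedLogonDays)

$report = $acct.Values | ForEach-Object {
    $a = $_
    # Effective value: newest of the per-DC lastLogon and the replicated lastLogonTimestamp.
    $best = @($a.TrueLastLogon, $a.LastLogonTimestamp) | Where-Object { $_ } |
            Sort-Object -Descending | Select-Object -First 1
    # Never-logged-on accounts count as stale only once they are older than the threshold.
    $stale = if ($best) { $best -lt $staleDate } else { $a.WhenCreated -lt $staleDate }
    $a | Add-Member -NotePropertyName EffectiveLastLogon -NotePropertyValue $best -PassThru |
         Add-Member -NotePropertyName Stale -NotePropertyValue ([bool]$stale) -PassThru |
         Add-Member -NotePropertyName RecentFailedLogon `
                    -NotePropertyValue ([bool]($a.LastBadPassword -and $a.LastBadPassword -ge $failDate)) -PassThru
}

$report | Sort-Object EffectiveLastLogon | Export-Csv -Path $OutputCsv -NoTypeInformation
$report | Where-Object Stale |
    Format-Table SamAccountName, Type, Enabled, EffectiveLastLogon, LastLogonDC -AutoSize
"Accounts with a failed logon in the last $FailedLogonDays days: $(@($report | Where-Object RecentFailedLogon).Count)"
if ($failed.Count) {
    Write-Warning ("Incomplete result: could not query {0} DC(s): {1}" -f $failed.Count, ($failed -join '; '))
}
```

Run it as, for example, `.\Get-TrueLastLogon.ps1 -Scope Computers -StaleDays 90` (the file name is mine). Two things worth keeping in mind when reading the output: an account can show a TrueLastLogon on one DC and nothing on the others, which is normal, since only the DC that performed the authentication updates lastLogon; and any warning about unreachable DCs means the report may understate recent activity, so resolve that before disabling accounts on the strength of it.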
Thank you - this is helpful information.
Can I ask you for some more guidance on #2 and #3? Maybe you could point me in the right direction for both #2 and #3?
Sure, while I would be happy to help you better understand how to get the lastLogon values from all DCs in your domain, and then figure out how to determine the True Last Logon Time, the process is quite detail-oriented to perform and to tell you about, but here is a good write-up that might help.
In our company, we didn't want to deal with the headache of writing, testing and maintaining scripts for such tasks so we use an automated tool called Gold Finger for AD to determine True Last Logon and generate True Last Logon and numerous other basic yet essential reports.
This tool saves us a lot of time and effort, and it's the most cost-efficient and reliable way we've found to fulfill our reporting needs. One of the best things we like about it is that it lets us easily analyze and export results, as well as automatically create custom reports in PDF format.
So, whether you wish to write your own scripts or use an automated tool, I hope this helps.