ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to determine True Last Logon in Active Directory?


Member

Posts: 14
Date: Jun 1, 2011
How to determine True Last Logon in Active Directory?
Permalink  
 


Hello Forum. I would like to know what is the best way to determine the True Last Logon time in Active Directory, on domain user and computer accounts? I need to find a list of stale computer accounts in our AD and am trying to find an efficient and reliable way to do this.

I recently took over the management of the AD of a small company that our organization acquired, and am generally doing some security analysis for clean up and maintenance.

I would also like to find out who many users may have failed a logon in the last 7 days, so any input on that would also be helpful. I believe that one needs to query all DCs in the doman to get these values, and I need to generate a report to show all stale accounts.

Thanks for your assistance.

- Manuel.



__________________
Eu amo futebol! Go Ronaldinho!


Member

Posts: 9
Date: Jul 13, 2011
How to determine True Last Logon in Active Directory?
Permalink  
 


Manuel,

Bonjour.  I think you basically have a 3 basic choices when it comes to determining True Last Logon values  in Active Directory -

1. You can use the LastLogonTimeStamp value in Active Directory, but as you may know it is only accurate for values that are more than 14 days old.

2. You can write a script to query this value from all Domain Controllers in the domain, then make the comparisons and output the values. The problem with this is that you have to write and maintain your own scripts, and that can be a little time consuming.

3. You can use an automated tool to determine True Last Logon values, including values that are less than 14-days old (e.g. all true last logons in last 7 days etc.)

Good luck with your project, and I hope this helps.

Antoine



__________________
Jugez un homme par ses questions plutôt que par ses réponses


Member

Posts: 14
Date: Jun 29, 2012
RE: How to determine True Last Logon in Active Directory?
Permalink  
 


Hello Antoine,

Thank you - this is helpful information. 

Can I request you for some more guidance on #2 and #3, maybe if you could point me in the right direction for both #2 and #3?

Thanks!

Manuel.



__________________
Eu amo futebol! Go Ronaldinho!


Member

Posts: 9
Date: Jan 17, 2013
RE: How to determine True Last Logon in Active Directory?
Permalink  
 


Manuel,

Sure, while I would be happy to help you better understand how to get the lastLogon values from all DCs in your domain, and then figure out how to determine the True Last Logon Time, the process is quite detail-oriented to perform and to tell you about, but here is a good write-up that might help.

In our company, we didn't want to deal with the headache of writing, testing and maintaining scripts for such tasks so we use an automated tool called Gold Finger for AD to determine True Last Logon and generate True Last Logon and numerous other basic yet essential reports.

This tool saves us a lot of time and effort, and its the most cost-efficient and reliable way we've found to fulfill our reporting needs. One of the best things we like about it is that it lets us easily analyze and export results, as well as automatically create custom reports in PDF format.

So, whether your wish to write your own scripts, or use an automated tool, I hope this helps.

- Antoine



__________________
Jugez un homme par ses questions plutôt que par ses réponses
Page 1 of 1  sorted by
Quick Reply

Please log in to post quick replies.

Post to Digg Post to Del.icio.us
Members Login
Username 
 
Password 
    Remember Me