The world's most trusted forum on Active Directory Security
I would like to know if there is an easy way to enumerate a list of all domain user account holders that have not logged on in the last 7 days. We have been asked by our internal security audit team to furnish this report.
I was hoping to query our local domain controller based on the lastLogonTimestamp attribute value, but I read somewhere that this attribute is only accurate for logons greater than 14 days. Since our requirement is for 7 days, that does not work for us.
Is there an easy and efficient way to enumerate this list, without us having to manually query every DC for the lastLogon attribute and then manually converting and comparing these timestamps?
If you know of any way to do this more easily, please share.
لا مصيبة أعظم من الجهل (There is no calamity greater than ignorance)
Enumerating the list of users who have not logged in the last 30 days is much easier than enumerating the list of users who have not logged on in the last 7 days.
This is because, as you correctly mentioned and heard, the lastLogonTimeStamp attribute is stale by at least 14 days, so although it is replicated and can be retrieved from any DC, for time periods of less than 14 days you need to obtain the lastLogon attribute for all users from all DCs, compare them, and then determine which users actually logged on within the last 7 days.
This is not very easy to do, and while scriptable, I'm not sure how much effort it might take to write, test and maintain the script.
We had a similar requirement, and we just use an automated tool to accomplish this. There are many 3rd party tools out there and you can take your pick from amongst what's available.
I hope this helps.
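The approach the reply describes (read the non-replicated lastLogon value from every DC, keep the newest one per user, then compare it against a 7-day cutoff) as a worked example. This is an added illustration, not a script from the thread or from any product mentioned in it; it assumes the RSAT ActiveDirectory PowerShell module is installed and that the account running it can query every domain controller. The 7-day window, the CSV path and the Enabled-only filter are choices made here, not from the thread.

```powershell
# Added example: list enabled users with no logon in the last N days by collecting
# the per-DC lastLogon attribute (it is NOT replicated) and keeping the newest value.
# Assumes the ActiveDirectory module and read access to every DC in the domain.
Import-Module ActiveDirectory

$Days      = 7                                    # audit window chosen for this example
$Cutoff    = (Get-Date).AddDays(-$Days).ToFileTime()   # lastLogon is stored as a Windows FILETIME
$Latest    = @{}                                  # sAMAccountName -> newest lastLogon seen on any DC
$Unreached = @()                                  # DCs we could not query (these are blind spots)

foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        # Query this DC directly with -Server; a DC that never authenticated the user returns 0/$null.
        Get-ADUser -Filter { Enabled -eq $true } -Server $dc.HostName -Properties lastLogon |
            ForEach-Object {
                $name = $_.SamAccountName
                $ll   = [int64]$_.lastLogon       # $null becomes 0
                if (-not $Latest.ContainsKey($name) -or $ll -gt $Latest[$name]) {
                    $Latest[$name] = $ll
                }
            }
    } catch {
        # Do not silently skip: a missing DC means a user who logged on only there would look stale.
        Write-Warning "Could not query $($dc.HostName): $_"
        $Unreached += $dc.HostName
    }
}

# Users whose newest lastLogon across all DCs is older than the cutoff (or who never logged on).
$Stale = foreach ($entry in $Latest.GetEnumerator()) {
    if ($entry.Value -lt $Cutoff) {
        $when = $null                             # $null = no logon recorded on any reachable DC
        if ($entry.Value -gt 0) { $when = [DateTime]::FromFileTime($entry.Value) }
        [pscustomobject]@{
            SamAccountName = $entry.Key
            LastLogon      = $when
        }
    }
}

$Stale | Sort-Object LastLogon | Export-Csv -Path ".\users-no-logon-$Days-days.csv" -NoTypeInformation
$Stale | Sort-Object LastLogon | Format-Table -AutoSize

if ($Unreached.Count -gt 0) {
    Write-Warning ("Report is incomplete; DCs not queried: " + ($Unreached -join ', '))
}
```

Two points worth checking before handing such a report to an auditor: the result is only as complete as the set of DCs actually reached, which is why the script records unreachable ones instead of skipping them, and lastLogon only reflects logons that a DC authenticated, so it is a report of domain authentication activity rather than of every use of the account. Swapping lastLogon for lastLogonTimestamp here would make the script cheaper (one query against one DC) but, as the reply above notes, wrong for any window shorter than 14 days.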
Thank you for your suggestions. We did try writing some in-house scripts to do so, but getting them right, maintaining them, and generating formatted output from them has turned out to be painful and a lot of work.
We'd rather use an automated solution to do this. We did look around and there seem to be many Active Directory Reporting Tools out there, to the point that we're unable to decide which one to go with.
Do you mind sharing which one you're using? I'm sure you must have had to research them as well, so we'd rather use your research and go with your recommendations.
Thank you very much.
Sure. We're using a tool called Gold Finger for Active Directory to fulfill our security audit reporting needs. It's built by a Microsoft partner and it's pretty easy to use.
We did have the option of writing scripts, but I just don't have the patience or the time to test, store and maintain scripts, mostly because I wouldn't know if someone changed them.
Anyways, one of the things we like a lot about Gold Finger is that it lets us generate a professional-looking PDF report with our company's logo on it and the fields we select, so fulfilling auditor requirements takes us just 2 minutes.
You can just Google "Gold Finger AD" or, if you'd rather, visit their website at http://www.paramountdefenses.com/goldfinger
I hope I was able to help, and good luck with everything.