Thursday, September 18, 2008

AD: How to Determine the Last Logon time of users

I don't think there's a really good short answer to this one, as your ability to determine last logon times really depends on the AD version and domain functional level that you're at.

For information on the below attributes (and more), check here.

Windows 2000 AD, or 2003 AD below the 2003 domain functional level: the only option is the lastLogon attribute. It is not replicated, so every DC holds its own value and you have to query all of them and take the newest.
2003 domain functional level: look at lastLogonTimestamp. It is replicated, but a DC only rewrites it when the stored value is more than roughly 9 to 14 days old (the interval is randomized), so it tells you "within the last two weeks", not the exact time.
2008 domain functional level: check msDS-LastSuccessfulInteractiveLogonTime (and its companions msDS-LastFailedInteractiveLogonTime and msDS-FailedInteractiveLogonCount). These are replicated and exact, but are only populated when the "Display information about previous logons during user logon" Group Policy setting is enabled, and they record interactive (console/RDP) logons only, not network logons.

If you're not at 2008, or 2003 domain functional level, and you want to determine the last logon time, you can use AdFind to query each DC, get the time stamp in NT time epoch format (the number of 100-nanosecond intervals since 1/1/1601 00:00 UTC, not seconds, which is why the values are 18 digits long) and then use w32tm /ntte to convert the stamp into a readable format... Date, Hour:min:second. A value of 0 means the account has never logged on through that DC.

adfind -h DC1:389 -b dc=domain,dc=local -f "objectcategory=person" lastlogon >DC1.txt

adfind -h DC2:389 -b dc=domain,dc=local -f "objectcategory=person" lastlogon >DC2.txt

(Note there is no space after the comma in the base DN; a space there makes the shell split the DN into two arguments. AdFind can also decode the timestamps for you with the -tdc switch if you'd rather skip the w32tm step.)

... and so on for each DC.

To convert lastlogon times, take the time stamps for the users that you're interested in and convert them...

w32tm /ntte value1
w32tm /ntte value2

... and so on.

Then you can compare each DC's value for a user and keep the newest one. At 2003 functional level the attribute lastLogonTimestamp is replicated to each DC, so it's a single source of truth, with the caveat that it is only accurate to about two weeks. In 2008 it gets even better with exact last logons, last failed logons, and more. With some diligence, you can take the above steps, do some further learning around them to improve things a bit, and then script the logic. But for one-offs and small networks this works.
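Here is the whole procedure (query every DC, convert the NT epoch values, keep the newest per user) scripted in PowerShell. This is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read user objects on each DC. It also reads lastLogonTimestamp alongside lastLogon so you can see the two-week lag of the replicated attribute next to the exact per-DC value.

```powershell
# Added example: collect lastLogon from every DC and report the newest value per user.
# Assumes the ActiveDirectory module and read access to user objects on each DC.
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName
)

# NT time epoch values are 100-nanosecond intervals since 1601-01-01 00:00 UTC.
# FromFileTime does the same conversion w32tm /ntte does and returns local time.
# A value of 0 (or a missing attribute) means "never", so it is returned as $null.
function ConvertFrom-NtTime {
    param([long]$Value)
    if ($Value -le 0) { return $null }
    return [DateTime]::FromFileTime($Value)
}

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$latest = @{}   # sAMAccountName -> object holding the newest lastLogon seen so far

foreach ($dc in $dcs) {
    try {
        # lastLogon is not replicated, so each DC must be asked directly.
        # lastLogonTimestamp is replicated (2003 DFL and above), so any DC's copy will do.
        $users = Get-ADUser -Server $dc -SearchBase $SearchBase -Filter * `
                 -Properties lastLogon, lastLogonTimestamp
    } catch {
        # An unreachable DC just means that DC's logons are missing from the result.
        Write-Warning "Could not query $dc : $_"
        continue
    }

    foreach ($u in $users) {
        $t   = ConvertFrom-NtTime $u.lastLogon
        $cur = $latest[$u.SamAccountName]
        $newer = ($null -ne $t) -and (($null -eq $cur) -or ($null -eq $cur.LastLogon) -or ($t -gt $cur.LastLogon))
        if (($null -eq $cur) -or $newer) {
            $latest[$u.SamAccountName] = [pscustomobject]@{
                User               = $u.SamAccountName
                LastLogon          = $t                                   # exact, from this DC
                LastLogonDC        = $(if ($null -ne $t) { $dc })          # DC that authenticated it
                LastLogonTimestamp = ConvertFrom-NtTime $u.lastLogonTimestamp  # replicated, ~14 day lag
            }
        }
    }
}

# Users with no LastLogon at all sort to the bottom; those never logged on anywhere.
$latest.Values | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

Run it from a domain-joined box as an account that can read all DCs; if any DC is unreachable the warning tells you whose logons may be missing, which matters because the newest lastLogon for a user may live only on that DC.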
