FN-GM (31st January 2012)
Depends on what you want to do. Whenever I've set about finding old users or computers I haven't cared about precision, so I'd be happy to use LastLogonTimestamps more than, say, 100 days old and not worry if that sometimes gets a few accounts that actually last logged on 84-100 days ago, because they're old too.
Chasing round for the freshest LastLogon is the kind of thing I'd do if I wanted to know if someone (or a computer) logged on recently, e.g. this morning, yesterday etc.
FN-GM (31st January 2012)
Would you know how to make the script chase around please? I assume it would be a lot of work?
I may Google to see if there is a way to increase the replication period or if there is a way to force the attribute to replicate then run the script. What are your thoughts please?
Thanks for your help.
Can you just confirm I have got something correct.
When the user logs on, it will check the DC to see if the timestamp is older than 14 days. If it is older than 14 days it updates it with a new one. If it is under 14 it ignores it. Because of this you won't end up with this scenario:
On July 2, the script disables account_A. On July 4, the admin enables the account so that account_A can log in. On July 9, the script runs again and the account is disabled again.
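One way to "chase around" for the freshest logon, as an added example that is not from any poster in this thread: query the non-replicated lastLogon attribute on every domain controller, keep the newest value, and show it next to the replicated lastLogonTimestamp so the 9-14 day lag is visible. It assumes the ActiveDirectory PowerShell module and an account that can read all DCs; the function name Get-FreshestLogon is my own.

```powershell
# Added example: find the most recent logon for one account by asking every DC.
# lastLogon is not replicated, so each DC only knows about logons it handled itself;
# lastLogonTimestamp is replicated but only refreshed when it is 9-14 days stale.
Import-Module ActiveDirectory

function Get-FreshestLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $newest = 0L      # FILETIME (Int64); 0 means "never logged on here"
    $source = $null   # DC that reported the newest value

    foreach ($dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties lastLogon -ErrorAction Stop
            if ($u.lastLogon -gt $newest) {
                $newest = $u.lastLogon
                $source = $dc
            }
        } catch {
            # An unreachable DC means the result may be incomplete; say so rather than hide it.
            Write-Warning "Could not query $dc for $SamAccountName : $_"
        }
    }

    # The replicated value can be read from any DC.
    $ts = (Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp).lastLogonTimestamp

    [pscustomobject]@{
        User               = $SamAccountName
        LastLogon          = if ($newest) { [DateTime]::FromFileTime($newest) } else { $null }
        ReportedBy         = $source
        LastLogonTimestamp = if ($ts) { [DateTime]::FromFileTime($ts) } else { $null }
    }
}

# Usage: Get-FreshestLogon -SamAccountName 'jsmith'
```

Comparing the two columns for a few accounts shows how far behind lastLogonTimestamp runs, which is why a disable-stale-accounts script should use a threshold well beyond the sync interval rather than the interval itself.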
“The LastLogonTimeStamp Attribute” – “What it was designed for and how it works” « Ask the Directory Services Team
If you need more accuracy, you could query the event logs...
It is important to note that the intended purpose of the lastLogontimeStamp attribute is to help identify inactive computer and user accounts. The lastLogon attribute is not designed to provide real time logon information. With default settings in place the lastLogontimeStamp will be 9-14 days behind the current date.
If you are looking for more “real-time” logon tracking you will need to query the Security Event log on your DCs for the desired logon events, i.e. 528 (Windows XP/2003 and earlier) or 4624 (Windows Vista/2008). See this blog post by Eric Fitzgerald for more info. (I think he knows something about auditing)
IMO your best bet for near real-time data is to use an event log collection service to gather all domain controller security event logs to a centralized database. You can then query a single database for the desired logon events. Microsoft’s solution for security event log collection is Audit Collection Services. There are many 3rd party solutions as well.
I have read it, thanks. I think I am going to reduce the time on the attribute to 7 days.