lastLogonTimestamp and lastLogon

    Question

  • Hi everybody,

    I'm trying to import information related to the last time a user logged onto a domain into the Metaverse from Active Directory.

    My research tells me there are two interesting AD attributes:

    lastLogon (in the case of AD2000). This is not replicated between DCs, so is not useful from an MIIS perspective, since MIIS will only synchronize with one DC.

    lastLogonTimestamp (in the case of AD2003). This is synchronized (albeit only every 7 or 14 days, I'm not sure which, as I've seen reference to both time periods).

    I have an AD2003, and a single DC (it's a test environment).

    A couple of interesting points:

    1) Using ADSI, inspecting a user account that I have used reveals that the lastLogon is set, but lastLogonTimestamp is NOT set.

    2) When I configure my Active Directory MA, even when "show all attributes" is selected, the lastLogon attribute is not in the list (the lastLogonTimestamp attribute is).

    So, my question is:

    How do I get the last logon information from AD into MIIS?

    Thanks,

    David Henderson

    Friday, October 20, 2006 5:20 PM

Answers

  • Hi David,

    There are few situations where the lastLogonTimeStamp attribute is not updated and they are usually due to some combination of NTLM and Network based logons; however most of these have been cleaned up as of Win2k3 SP1:

    http://support.microsoft.com/kb/886705

    The safe bet is to try an interactive logon with that user account.  Also, the Domain must be running Windows 2003 Functional level in order for the attribute to be tracked.

    I was reasonably certain that I've been able to import the lastLogon attribute but I could be mistaken and as you pointed out it is of little actual use - I know I'm importing lastLogonTimeStamp on my current project. The LLTS is, by default, updated every 14 days and I would not recommend changing the default past 7 days. It really should only be used to locate stale accounts and you shouldn't need down to the day or hour to detect something that is 60+ days old.

    If you decide you need something more detailed, then you're better off writing a script (a search will land you plenty of examples) to pull the lastLogon attribute off of each DC in order to find the most recent logon.  Once you have that information it's not that much more difficult to put it into a CSV file format and import that in via the Delimited Text MA.  If you're more comfortable with SQL, then you can dump it into a table which would be more useful if you intend to track history.

    Saturday, October 21, 2006 9:05 PM
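    The per-DC collection the answer describes, written out as an added PowerShell example (not code from this thread or from MIIS): it queries every DC for lastLogon, keeps the most recent value per account, records the replicated lastLogonTimestamp beside it, and writes a CSV the Delimited Text MA can import. The ActiveDirectory module and the output path are assumptions; the 60-day stale threshold follows the answer's rule of thumb.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# module (RSAT) and read access to every DC; $OutputPath is an assumed placeholder.
param(
    [string]$OutputPath = 'C:\MIIS\LastLogon.csv',
    [int]$StaleDays = 60          # the "60+ days old" rule of thumb from the answer
)
Import-Module ActiveDirectory

# Both attributes are 64-bit FILETIME integers; 0 or unset means "never logged on".
function ConvertFrom-FileTime([Int64]$Value) {
    if ($Value -le 0) { $null } else { [DateTime]::FromFileTimeUtc($Value) }
}

$latest = @{}   # sAMAccountName -> newest raw values seen on any DC

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # lastLogon is never replicated, so each DC only knows the logons it
        # serviced itself; ask every DC and keep the maximum per account.
        $users = Get-ADUser -Filter * -Server $dc.HostName `
                            -Properties lastLogon, lastLogonTimestamp
    } catch {
        Write-Warning "Skipping $($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($u in $users) {
        $ll   = [Int64]$u.lastLogon            # $null casts to 0
        $llts = [Int64]$u.lastLogonTimestamp
        $cur  = $latest[$u.SamAccountName]
        if ($null -eq $cur) { $cur = @{ LastLogon = 0; LastLogonTimestamp = 0 } }
        $cur.LastLogon          = [Math]::Max($cur.LastLogon, $ll)
        $cur.LastLogonTimestamp = [Math]::Max($cur.LastLogonTimestamp, $llts)
        $latest[$u.SamAccountName] = $cur
    }
}

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)
$latest.GetEnumerator() | ForEach-Object {
    $ll = ConvertFrom-FileTime $_.Value.LastLogon
    [pscustomobject]@{
        sAMAccountName     = $_.Key
        LastLogonUtc       = $ll                                              # newest across all DCs
        LastLogonTimestamp = ConvertFrom-FileTime $_.Value.LastLogonTimestamp # replicated, up to 14 days behind
        Stale              = ($null -eq $ll) -or ($ll -lt $cutoff)
    }
} | Sort-Object sAMAccountName | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
```

    A DC that cannot be reached is skipped with a warning rather than aborting the run, so check the warnings before treating an account as stale: a missing DC can hide the only recent logon.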

All replies

  • MIIS uses the DirSync control to sync objects with AD. The DirSync control taps into the replication stream to get the necessary changes. Since lastLogon is not replicated, it isn't available via the DirSync control, and MIIS cannot retrieve it.

    Friday, October 20, 2006 5:53 PM
  • How about an LDAP-based XMA which uses a LDAP query for objects with the appropriate LastLogon?

    Ryan Bagan

    Oxford Computer Group

    Saturday, October 21, 2006 9:55 AM
  • Bruce - thanks for the 'splanation why lastLogon does not appear (to MIIS) as an AD attribute.

    Ryan - I hope to not have to go down that road - seems like a lot of effort. I appreciate this would be required if I want to use "accurate" dates available only through the lastLogon attribute on each DC, but I'm okay with the inaccuracy of lastLogonTimestamp.

    Brad - Your comment about the Domain must be running Windows 2003 Functional level was bang on. My test domain was running in mixed mode.

    Wednesday, October 25, 2006 3:28 PM