Finding the accurate last logon time of an AD account
-
Tuesday, May 15, 2012 4:06 PM
Has anyone found a script or tool which accurately pulls the last logon of an AD account? I am aware of querying the lastlogon and lastlogontimestamp attributes, but there are some scenarios where these are not accurate. I am also aware that the lastlogon attribute is only on a per-DC basis.
Thanks in advance.
All Replies
-
Tuesday, May 15, 2012 4:23 PM
I have VBScript and PowerShell scripts to retrieve lastLogon for all users linked on this page:
http://www.rlmueller.net/Last%20Logon.htm
The lastLogonTimeStamp attribute is replicated to all DC's, but is only updated during logon if the old value is more than 14 days (by default) in the past. The value will be the same on all DC's, but will be accurate within 14 days. The lastLogon attribute is updated at every logon, but is not replicated. You need to query all DC's in the domain to get an accurate lastLogon value for each user. The code to retrieve lastLogon for one user would be very similar to the code I linked to retrieve the values for all users, so you might as well retrieve all values. As with most administrative scripts, the output should be redirected to a text file. For example, to run LastLogon.vbs, use the following at a command prompt:
cscript //nologo LastLogon.vbs > report.txt
Richard Mueller - MVP Directory Services
- Proposed As Answer by Mike Kline MVP Tuesday, May 15, 2012 5:09 PM
- Marked As Answer by Tech11-EU Thursday, May 17, 2012 3:37 PM
-
Tuesday, May 15, 2012 4:33 PM
You can dump all timestamp info for AD user accounts through DSQUERY and redirect it to a txt file with:
dsquery * "users object FQDN" -Filter "(&(objectCategory=person)(objectClass=user))" -attr sAMAccountName lastLogonTimeStamp >> txtfile.txt
After that you will get a txt file with hex code that you need to convert to a readable format. I designed this script to do that; just update the path and file variables. It has been a long time since I tested it, but it should work. Keep me informed if you have any trouble:
'Timestamp converter
'Version 1.0 Convert from xxxxxxxxxxxxxxxxxx to xx:xx:xx time format
'Designed by Julio Rosua
'#####################################################################################################################################################
'#####################################################################################################################################################
Const ForReading = 1
Const ForAppending = 8
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
strDirectory = "c:\"
strFile = "timestamps.txt"
'Input file: one timestamp value per line
Set objTextFile = objFSO.OpenTextFile(strDirectory & strFile, ForReading)
'Results file: opened for appending and created if it does not exist
Set objTextResult = objFSO.OpenTextFile("c:\results.txt", ForAppending, True)
On Error Resume Next
Do Until objTextFile.AtEndOfStream
    Datos = objTextFile.ReadLine
    If Datos = "" Then
        objTextResult.WriteLine("No existe información de netlogon")
    Else
        'w32tm /ntte prints "<days> <time> - <date> <time>"; items 3 and 4 are the date and time
        strCmd = "w32tm.exe /ntte " & Datos
        Set objExec = objShell.Exec(strCmd)
        WScript.Sleep 5
        arrWork = Split(objExec.StdOut.Read(60))
        Integer8Date2 = arrWork(3) & " " & arrWork(4)
        objTextResult.WriteLine(Integer8Date2)
    End If
Loop
objTextFile.Close
objTextResult.Close
'#####################################################################################################################################################
'#####################################################################################################################################################
Regards
Julio Rosua
MCP / MCSA / MCSE Engineer
-
Tuesday, May 15, 2012 7:49 PM
Hello,
The LastlogonTimeStamp attribute may be delayed from 0 to 14 days.
The Lastlogon attribute is used to record the last logon of a user against a DC. This attribute is not replicated, and to get the correct value of the last logon time for the user, you will need to inspect all values of this attribute on all DCs you have and extract the highest one.
To do it, you can run this command against all DCs and then extract the highest value:
dsquery * DN -s DC -attr lastlogon | find /V "lastlogon"
Where DN is the distinguished name of your user and DC is the name of your DC.
To convert the value you have to a readable format, run w32tm.exe /ntte output_of_first_command
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
Wednesday, May 16, 2012 1:20 AM
See if the repadmin commands in the link are helpful. There are three examples, and they should work if DFL is 2003 or newer.
1. Using repadmin to check the value of lastLogontimeStamp on all DC's in a domain for one user:
repadmin /showattr * (DN of the target user) /attrs:lastLogontimeStamp >lastLogontimeStamp.txt
Example:
repadmin /showattr * CN=user1,OU=accounting,DC=domain,dc=com /attrs:lastLogontimeStamp >lastLogontimeStamp.txt
2. Using repadmin to dump the lastLogontimeStamp for all users in a domain including users that have no data in the lastLogontimeStamp attribute:
repadmin /showattr * /subtree /filter:"(&(objectCategory=Person)(objectClass=user))" /attrs:lastLogontimeStamp >lastLogontimeStamp.txt
3. Dump lastLogonTime stamp for users but only ones that have the attribute populated
repadmin /showattr * dc=domain,dc=com /subtree /filter:"((&(lastLogontimeStamp=*)(objectCategory=Person)(objectClass=user)))" /attrs:lastLogontimeStamp > lastLogontimeStamp-2-22-2009.txt
“The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”
http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
Showing Last Logon Info at Logon in Windows Server 2008
http://blogs.dirteam.com/blogs/jorge/archive/2008/02/10/showing-last-logon-info-at-logon-in-windows-server-2008.aspx
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
Wednesday, May 16, 2012 10:20 AM
Thanks all for your input. To confirm, are the following comments true:
1. If you want to find accurately the last logon of an AD account in the last 24 hours, the method to use would be to query all DCs for the ADlogon attribute value and take the most recent entry.
2. The LastLogonTimeStamp attribute of an AD account gets replicated to all DCs so only needs to be queried against one DC, but it only gets updated every 14 days, so if needing lastlogon for a shorter period of time this attribute would not be accurate.
3. Both the LastLogon and LastLogonTimeStamp attributes contain the date and time of the last time a user actually logged on rather than a session which was being used but had not yet expired.
- Edited by Tech11-EU Wednesday, May 16, 2012 10:33 AM
-
Wednesday, May 16, 2012 10:43 AM Moderator
The way to get the most accurate last logon time is to look for the event ID in the event log. You can also use the free GUI tool below to find the last login.
http://cjwdev.wordpress.com/2010/07/28/ad-tidy-free-active-directory-clean-up-tool/
Your findings are correct.
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Edited by Awinish MVP, Moderator Wednesday, May 16, 2012 10:44 AM
-
Wednesday, May 16, 2012 12:09 PM Moderator
I have a script that queries all DC's for the lastLogon attribute, but my site is down right now. If you want it, reply with your email address and I will email it to you. Wish there was an easier way, but there isn't right now.
--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://blogs.dirteam.com/blogs/paulbergson Twitter @pbbergs
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
-
Wednesday, May 16, 2012 2:02 PM
Hi,
Use the CSVDE tool to extract the last logon time, and you can convert it to a readable format in Excel.
Try this
http://www.windowstricks.in/2011/02/lastlogon-and-lastlogontimestamp.html
http://www.windowstricks.in/2011/05/online-windows-timestamp-converter.htm
Regards,
Ganesh
Regards www.windowstricks.in
-
Wednesday, May 16, 2012 2:23 PM
Regarding your questions.
1. True, except the AD attribute is lastLogon.
2. True
3. Both lastLogon and lastLogonTimeStamp are large integers that represent dates (in UTC, also called Coordinated Universal Time) as the number of 100-nanosecond intervals since 12:00 am January 1, 1601. The large integer must be converted into a datetime value in the current time zone. In both cases, the value is updated by the system when the user logs on and authenticates with a password.
Richard Mueller - MVP Directory Services
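The procedure described in the replies above (read lastLogon from every DC, keep the highest value, convert the large integer to a date), as an added PowerShell example that is not code from any poster in this thread. It assumes the ActiveDirectory module for the live query; the function names, the `example.test` host names and the sample values are constructed for illustration.

```powershell
function Convert-LogonValue {
    # lastLogon / lastLogonTimeStamp: 100-ns intervals since 1601-01-01 UTC.
    # 0 or empty means this DC has never recorded a logon for the account.
    param([long]$Value)
    if ($Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($Value)   # call .ToLocalTime() for the current time zone
}

function Get-PerDcLastLogon {
    # Live collection: ask every DC, because lastLogon is not replicated.
    param([string]$SamAccountName)
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser $SamAccountName -Server $dc.HostName -Properties lastLogon -ErrorAction Stop
            [pscustomobject]@{ DC = $dc.HostName; Raw = [long]$u.lastLogon; Reachable = $true }
        } catch {
            # An unreachable DC may hold the newest value: flag it, do not skip it silently.
            [pscustomobject]@{ DC = $dc.HostName; Raw = 0L; Reachable = $false }
        }
    }
}

function Resolve-LastLogon {
    # Keep the highest per-DC value and report whether every DC answered.
    param([object[]]$PerDc)
    $best = $PerDc | Sort-Object Raw -Descending | Select-Object -First 1
    [pscustomobject]@{
        LastLogonUtc = Convert-LogonValue $best.Raw
        SourceDC     = if ($best.Raw -gt 0) { $best.DC } else { $null }
        Complete     = @($PerDc | Where-Object { -not $_.Reachable }).Count -eq 0
    }
}

# Constructed sample: one DC with an older value, one with the newest,
# one that never saw the user, and one that could not be reached.
$sample = @(
    [pscustomobject]@{ DC = 'dc1.example.test'; Raw = 129814272000000000; Reachable = $true }
    [pscustomobject]@{ DC = 'dc2.example.test'; Raw = 129815000000000000; Reachable = $true }
    [pscustomobject]@{ DC = 'dc3.example.test'; Raw = 0;                  Reachable = $true }
    [pscustomobject]@{ DC = 'dc4.example.test'; Raw = 0;                  Reachable = $false }
)
Resolve-LastLogon $sample
# Live use: Resolve-LastLogon (Get-PerDcLastLogon 'user1')
```

When `Complete` is false, treat the result as a lower bound only, since the DC that did not answer may hold a later logon.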
-
Wednesday, May 16, 2012 2:26 PM Moderator
I would read the article below too, if I want to understand the LastLogonTimeStamp attribute.
“The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

